poullight | c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7v20210410
submitted
11-05-2021 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
Size

3.7MB
MD5

1b39000de7307538e113323053d118f7
SHA1

40bb1733dd3ad35521fee0675698370dfa1aae6e
SHA256

c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd
SHA512

76a66c908a6501652ce0bd3a893e8aa2db8f73f1c80e487c56e8d67b69a452aa3e0ea6de7ba3a546dd9939bbe619abef9128b29745598c4af189b64397b51a34

Score

10^/10

poullight persistence spyware stealer trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	family_poullight
\Users\Admin\AppData\Local\Temp\._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	family_poullight
\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight

Executes dropped EXE 4 IoCs

Processes:

._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exeSynaptics.exebuild.exeHB.exe

pid process

1980 ._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
1352 Synaptics.exe
1724 build.exe
316 HB.exe

pid	process
1980	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
1352	Synaptics.exe
1724	build.exe
316	HB.exe

Loads dropped DLL 7 IoCs

Processes:

c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe

pid	process
1096	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
1096	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
1096	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
1980	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
1980	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
1096	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
1980	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SS CRACK RETRIX = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327548717"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f0000000002000000000010660000000100002000000017b632bc334e46b93b473ff0a520bb82f5befe9434920d946f0c6eeeb795abdc000000000e8000000002000020000000e34a11d5299182bd372a765c0b6d9b7d925a96fd29f77782a2602af8ea5c7288200000001841ff16f48d8215e5d65cf2c0b2e6fa3617a5ffcacb3c988c65a45781ee78a1400000000d3647c9185ee8cadd5454ffc79010223b800cb66c5a5ed94d39a2af71e165579b530b20f4a3597fb78d386c96e8287c30fd5ae5f8ae3e7480d4a26b53fbdcbc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000f736ef12d243a337281bbcf724abeec3a225a67b12fa1d03097104bd0c80d892000000000e8000000002000020000000d6d567ac887fb5c2cfdf2c3c491b8f4b0d7f61f4e79b7b03017aff5a7e580bd990000000878cde215e1625e609ecb96da3b88182c15d01d09adc9ee2c33a07d9025a1d364b9842ea3a9fada4ecc54874b4d2853d1ddfcfb266019ec79ee3de19b45d5972dfa3b0a9582f085679c0599fd26c3a97532c0f2ea59d5481fc4ca455e7c421e3c10a55480cc73309ef6c21842f51517ee5edaacd34230b7506a3442dc7a5cec7d8d3ad68e4192fac4800a199e3e0a324400000001dc7fb5967ec74d2c791294ae0fd2f5f3b86ea126559944ade92f8651878ee02406e5a5d2c9390494586d2093c1cb4131d2634889877556c32576f97a8cfd7d1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50074726d046d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4BB152D1-B2C3-11EB-8EA8-5EDBF02B0D68} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

build.exe

pid process

1724 build.exe
1724 build.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description pid process

Token: SeDebugPrivilege 1724 build.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1556 iexplore.exe
Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

HB.exeiexplore.exeIEXPLORE.EXE

pid process

316 HB.exe
316 HB.exe
1556 iexplore.exe
1556 iexplore.exe
544 IEXPLORE.EXE
544 IEXPLORE.EXE
316 HB.exe
316 HB.exe
544 IEXPLORE.EXE
544 IEXPLORE.EXE

pid	process
1724	build.exe
1724	build.exe

description	pid	process
Token: SeDebugPrivilege	1724	build.exe

pid	process
1556	iexplore.exe

pid	process
316	HB.exe
316	HB.exe
1556	iexplore.exe
1556	iexplore.exe
544	IEXPLORE.EXE
544	IEXPLORE.EXE
316	HB.exe
316	HB.exe
544	IEXPLORE.EXE
544	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exeHB.exeiexplore.exe

description	pid	process	target process
PID 1096 wrote to memory of 1980	1096	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
PID 1096 wrote to memory of 1980	1096	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
PID 1096 wrote to memory of 1980	1096	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
PID 1096 wrote to memory of 1980	1096	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
PID 1980 wrote to memory of 1724	1980	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	build.exe
PID 1980 wrote to memory of 1724	1980	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	build.exe
PID 1980 wrote to memory of 1724	1980	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	build.exe
PID 1980 wrote to memory of 1724	1980	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	build.exe
PID 1096 wrote to memory of 1352	1096	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	Synaptics.exe
PID 1096 wrote to memory of 1352	1096	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	Synaptics.exe
PID 1096 wrote to memory of 1352	1096	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	Synaptics.exe
PID 1096 wrote to memory of 1352	1096	c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	Synaptics.exe
PID 1980 wrote to memory of 316	1980	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	HB.exe
PID 1980 wrote to memory of 316	1980	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	HB.exe
PID 1980 wrote to memory of 316	1980	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	HB.exe
PID 1980 wrote to memory of 316	1980	._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe	HB.exe
PID 316 wrote to memory of 1556	316	HB.exe	iexplore.exe
PID 316 wrote to memory of 1556	316	HB.exe	iexplore.exe
PID 316 wrote to memory of 1556	316	HB.exe	iexplore.exe
PID 316 wrote to memory of 1556	316	HB.exe	iexplore.exe
PID 1556 wrote to memory of 544	1556	iexplore.exe	IEXPLORE.EXE
PID 1556 wrote to memory of 544	1556	iexplore.exe	IEXPLORE.EXE
PID 1556 wrote to memory of 544	1556	iexplore.exe	IEXPLORE.EXE
PID 1556 wrote to memory of 544	1556	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
"C:\Users\Admin\AppData\Local\Temp\c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Users\Admin\AppData\Local\Temp\HB.exe
"C:\Users\Admin\AppData\Local\Temp\HB.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://jq.qq.com/?_wv=1027&k=57Cts1S
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1556 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:544

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
f65d4cf706c2add18897c640b67c8b84

SHA1
dd63c38d5fd4a2d466a36dc35e8c082237de24f8

SHA256
f1a5a873cc3987b2a2a756aec8bacfb6d2c922892ce07a0ffb820a332fe82655

SHA512
b0e5c1a9d5dd2aff80485b2b237e6350fbd14d67323fd6a85fbc221e45a2bc0b48a2d46bb371d5498f9246943c8015bacce15d20c4c453bb772690534babf2e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
15775d95513782f99cdfb17e65dfceb1

SHA1
6c11f8bee799b093f9ff4841e31041b081b23388

SHA256
477a9559194edf48848fce59e05105168745a46bdc0871ea742a2588ca9fbe00

SHA512
ac09ce01122d7a837bd70277badd58ff71d8c5335f8fc599d5e3ed42c8fee2108dd043bce562c82ba12a81b9b08bd24b961c0961bf8fd3a0b8341c87483cd1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
8fa052d5bbcf95d756775aa33d3229e2

SHA1
4805e48f6921fdbd365e192651be925fe3320f68

SHA256
fda6188df96634aa9b07137ba6301bcb3020799be057b780952406ec98839282

SHA512
6f33855777d54083378c73bf773adcd39f8396488dbbe14c711a8f72d0da8b73bca9cdb4bcfeceb9b70e421fb149214781d5167330ac28e053bd69701cd098d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
375f78b648550b12bcb8962e5f895bde

SHA1
3f251cc544120cf1e1666ea6440618ffef75ba1b

SHA256
e50cbb3604e1bdd60a74cf05ccc27d041b0be77e1193f96987c43b4c371f76b0

SHA512
54be0b1e51fa67efdee2c95323afe8c0d6904148de8a40c34b5935d833a6eaa299a57d7201451403b406cef33266322494e4d03b6408971e499583df81b81bec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
c551b2745cf9cc9e5abb0fe12eb0000a

SHA1
d1d8d274a2f25a7cd232f536a6bb87ded7c99fa7

SHA256
23c29e8ad66ec56e616766be4ca7a1c0fa8fa7b8b6058bde5a2a44204587b663

SHA512
cea6e7b2a73919a02df3fd26a89951cab3c0a83c94e745a3890751fec4d5e2da0db52e2673954febd35b9bcd764b55224f371ce7bf4f5aa3e146298dc6316df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
MD5
4e1ae916a283ff087b4daf71f73540cf

SHA1
c9f8cb325b0dc69638984060c100604bf61cf0fd

SHA256
927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd

SHA512
87abe3370506db994bf456ff008905690f6fd7cbb10440a8fba17a1fbec13ed14a91f2466b8e2bec4ac36b8397655866871646ffdcf1ff30f973b8288c8abbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HB.exe
MD5
3f9dd912d6f833970e34e99ac80ae8f0

SHA1
38cbef846a4d67728c1e90ae91ffb7eb6d4d9442

SHA256
9595db47c8f460cdd27b9a4c1b1ac68acdda489ccf867d9495883519950d3ef6

SHA512
cfdf38bdaacaf396f6e76792f956305da1d5a48b50ae7d4f1113a72ab957e61b320360dbde208613e651ad5f1ea900b6a3140440a6a59e7f11117647954ba938

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
MD5
129bbd25c68f6dfd3cd3ea812314e848

SHA1
5230aad2e3839fbd196d2ac4f7ff2201c38a5d7a

SHA256
f844fbb742d6fbc2081c7c3e32f4bae2e6b4bdb6224bbe8a34908a111f86542e

SHA512
f01b1ba6b925a6945a9f7d0437afaf31b713474ad70257f9415a83753e92d93ac61832e7b52ff6876c1969402b8601fde0cc5f428efe28ea53155f171e2d4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
MD5
129bbd25c68f6dfd3cd3ea812314e848

SHA1
5230aad2e3839fbd196d2ac4f7ff2201c38a5d7a

SHA256
f844fbb742d6fbc2081c7c3e32f4bae2e6b4bdb6224bbe8a34908a111f86542e

SHA512
f01b1ba6b925a6945a9f7d0437afaf31b713474ad70257f9415a83753e92d93ac61832e7b52ff6876c1969402b8601fde0cc5f428efe28ea53155f171e2d4973

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\27483VIS.txt
MD5
03652aab61c64a6466ca4b8bf502bd1b

SHA1
34b6df8f4c7927d90754b64edbf7ad5c3643281f

SHA256
c7f34905ddea573d3b92424e2608d3413df02db770848e2eae819d73601d713d

SHA512
e29878cf27a09735e10514bddbc4089d718e7cc3ae4ed861be269cefe98700c343200453a2a51887f82c8339801ae7ebfd4448d650afb381066be050a5c17643

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
f65d4cf706c2add18897c640b67c8b84

SHA1
dd63c38d5fd4a2d466a36dc35e8c082237de24f8

SHA256
f1a5a873cc3987b2a2a756aec8bacfb6d2c922892ce07a0ffb820a332fe82655

SHA512
b0e5c1a9d5dd2aff80485b2b237e6350fbd14d67323fd6a85fbc221e45a2bc0b48a2d46bb371d5498f9246943c8015bacce15d20c4c453bb772690534babf2e6

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
f65d4cf706c2add18897c640b67c8b84

SHA1
dd63c38d5fd4a2d466a36dc35e8c082237de24f8

SHA256
f1a5a873cc3987b2a2a756aec8bacfb6d2c922892ce07a0ffb820a332fe82655

SHA512
b0e5c1a9d5dd2aff80485b2b237e6350fbd14d67323fd6a85fbc221e45a2bc0b48a2d46bb371d5498f9246943c8015bacce15d20c4c453bb772690534babf2e6

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
MD5
4e1ae916a283ff087b4daf71f73540cf

SHA1
c9f8cb325b0dc69638984060c100604bf61cf0fd

SHA256
927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd

SHA512
87abe3370506db994bf456ff008905690f6fd7cbb10440a8fba17a1fbec13ed14a91f2466b8e2bec4ac36b8397655866871646ffdcf1ff30f973b8288c8abbf6

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
MD5
4e1ae916a283ff087b4daf71f73540cf

SHA1
c9f8cb325b0dc69638984060c100604bf61cf0fd

SHA256
927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd

SHA512
87abe3370506db994bf456ff008905690f6fd7cbb10440a8fba17a1fbec13ed14a91f2466b8e2bec4ac36b8397655866871646ffdcf1ff30f973b8288c8abbf6

Download Submit
\Users\Admin\AppData\Local\Temp\HB.exe
MD5
3f9dd912d6f833970e34e99ac80ae8f0

SHA1
38cbef846a4d67728c1e90ae91ffb7eb6d4d9442

SHA256
9595db47c8f460cdd27b9a4c1b1ac68acdda489ccf867d9495883519950d3ef6

SHA512
cfdf38bdaacaf396f6e76792f956305da1d5a48b50ae7d4f1113a72ab957e61b320360dbde208613e651ad5f1ea900b6a3140440a6a59e7f11117647954ba938

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
MD5
129bbd25c68f6dfd3cd3ea812314e848

SHA1
5230aad2e3839fbd196d2ac4f7ff2201c38a5d7a

SHA256
f844fbb742d6fbc2081c7c3e32f4bae2e6b4bdb6224bbe8a34908a111f86542e

SHA512
f01b1ba6b925a6945a9f7d0437afaf31b713474ad70257f9415a83753e92d93ac61832e7b52ff6876c1969402b8601fde0cc5f428efe28ea53155f171e2d4973

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
MD5
129bbd25c68f6dfd3cd3ea812314e848

SHA1
5230aad2e3839fbd196d2ac4f7ff2201c38a5d7a

SHA256
f844fbb742d6fbc2081c7c3e32f4bae2e6b4bdb6224bbe8a34908a111f86542e

SHA512
f01b1ba6b925a6945a9f7d0437afaf31b713474ad70257f9415a83753e92d93ac61832e7b52ff6876c1969402b8601fde0cc5f428efe28ea53155f171e2d4973

Download Submit
memory/316-84-0x00000000021B0000-0x00000000022BD000-memory.dmp

Filesize
1.1MB

Download
memory/316-80-0x0000000000000000-mapping.dmp

Download
memory/544-88-0x0000000000000000-mapping.dmp

Download
memory/1096-60-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1096-62-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1352-83-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1352-72-0x0000000000000000-mapping.dmp

Download
memory/1556-86-0x0000000000000000-mapping.dmp

Download
memory/1556-87-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp

Filesize
8KB

Download
memory/1724-85-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

Filesize
8KB

Download
memory/1724-70-0x0000000000000000-mapping.dmp

Download
memory/1724-77-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1980-64-0x0000000000000000-mapping.dmp

Download