Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10_x64
  • resource: win10v20210410
  • submitted: 11-05-2021 16:31

General

  • Target: c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
  • Size: 3.7MB
  • MD5: 1b39000de7307538e113323053d118f7
  • SHA1: 40bb1733dd3ad35521fee0675698370dfa1aae6e
  • SHA256: c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd
  • SHA512: 76a66c908a6501652ce0bd3a893e8aa2db8f73f1c80e487c56e8d67b69a452aa3e0ea6de7ba3a546dd9939bbe619abef9128b29745598c4af189b64397b51a34

Signatures

  • Poullight

    Poullight is an information stealer first seen in March 2020.

  • Poullight Stealer Payload (4 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Suspicious Office macro (1 IoC)

    Office document equipped with macros.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 3 IoCs)
  • Modifies registry class (64 IoCs)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
    "C:\Users\Admin\AppData\Local\Temp\c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Users\Admin\AppData\Local\Temp\build.exe
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
      • C:\Users\Admin\AppData\Local\Temp\HB.exe
        "C:\Users\Admin\AppData\Local\Temp\HB.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        PID:2344
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      PID:2456
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3856
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3936
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:1740
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4172
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4316

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion: Modify Registry (T1112): 3; Install Root Certificate (T1130): 1
  • Credential Access: Credentials in Files (T1081): 1
  • Discovery: Query Registry (T1012): 3; System Information Discovery (T1082): 4
  • Collection: Data from Local System (T1005): 1

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    MD5: f65d4cf706c2add18897c640b67c8b84
    SHA1: dd63c38d5fd4a2d466a36dc35e8c082237de24f8
    SHA256: f1a5a873cc3987b2a2a756aec8bacfb6d2c922892ce07a0ffb820a332fe82655
    SHA512: b0e5c1a9d5dd2aff80485b2b237e6350fbd14d67323fd6a85fbc221e45a2bc0b48a2d46bb371d5498f9246943c8015bacce15d20c4c453bb772690534babf2e6

  • C:\Users\Admin\AppData\Local\Temp\._cache_c150b55e27fbf69be95207029c30c00576b11dfba3fecb74094659fb2c24f7dd.exe
    MD5: 4e1ae916a283ff087b4daf71f73540cf
    SHA1: c9f8cb325b0dc69638984060c100604bf61cf0fd
    SHA256: 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd
    SHA512: 87abe3370506db994bf456ff008905690f6fd7cbb10440a8fba17a1fbec13ed14a91f2466b8e2bec4ac36b8397655866871646ffdcf1ff30f973b8288c8abbf6

  • C:\Users\Admin\AppData\Local\Temp\HB.exe
    MD5: 3f9dd912d6f833970e34e99ac80ae8f0
    SHA1: 38cbef846a4d67728c1e90ae91ffb7eb6d4d9442
    SHA256: 9595db47c8f460cdd27b9a4c1b1ac68acdda489ccf867d9495883519950d3ef6
    SHA512: cfdf38bdaacaf396f6e76792f956305da1d5a48b50ae7d4f1113a72ab957e61b320360dbde208613e651ad5f1ea900b6a3140440a6a59e7f11117647954ba938

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    MD5: 129bbd25c68f6dfd3cd3ea812314e848
    SHA1: 5230aad2e3839fbd196d2ac4f7ff2201c38a5d7a
    SHA256: f844fbb742d6fbc2081c7c3e32f4bae2e6b4bdb6224bbe8a34908a111f86542e
    SHA512: f01b1ba6b925a6945a9f7d0437afaf31b713474ad70257f9415a83753e92d93ac61832e7b52ff6876c1969402b8601fde0cc5f428efe28ea53155f171e2d4973

  • C:\Users\Admin\AppData\Local\Temp\hrDuZiVG.xlsm
    MD5: e566fc53051035e1e6fd0ed1823de0f9
    SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
    SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
    SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
