Overview

overview

10

Static

static

CODWCheats.exe

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    28-07-2021 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CODWCheats.exe

  • Size

    9.4MB

  • MD5

    2c7c0b89e187bac9cea3c0c285591852

  • SHA1

    5999c0c5086ecd7f71de61b565068d12f3291ef7

  • SHA256

    33314a958e790feedb53ae8cc727e2b8c737084f5ea5d66138924ae94aa571d4

  • SHA512

    56b03915330e59347a6c2b81dcb99cb988a859787563d8bf2582d7823f642d532e5fa2f93606bf0e25bc47024ff2ee2c4a4248c31e8096d8f32080dd38c4e454

Score
10/10
poullightspywarestealersuricatatrojan

Malware Config

Signatures

  • Poullight

    Poullight is an information stealer first seen in March 2020.

    trojanstealerpoullight
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
    suricata
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CODWCheats.exe
    "C:\Users\Admin\AppData\Local\Temp\CODWCheats.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Users\Admin\Desktop\build_protected.sfx.exe
      "C:\Users\Admin\Desktop\build_protected.sfx.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Users\Admin\AppData\Local\Temp\build_protected.exe
        "C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3900
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1452
          4⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2520
  • C:\Users\Admin\Desktop\build_protected.sfx.exe
    "C:\Users\Admin\Desktop\build_protected.sfx.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Admin\AppData\Local\Temp\build_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2324
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 2252
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\build_protected.exe
    MD5

    d410f0078f4b4bb237a032ddb999236c

    SHA1

    83e6d1f3f77896c3e6569c1aefdb7c0f31d95d19

    SHA256

    f891e70d5cc6ef34db84686341fac366c340614b580aa38cb2dd850d1de4a12d

    SHA512

    f1a7c8035cf7a483c8909d6139a9db85cff4a28cfd6b393feb4438986003bce175199cfe08f149ebdda8333a7355d8d6043fd212b169c334dd635ab58b1f6558

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\build_protected.exe
    MD5

    d410f0078f4b4bb237a032ddb999236c

    SHA1

    83e6d1f3f77896c3e6569c1aefdb7c0f31d95d19

    SHA256

    f891e70d5cc6ef34db84686341fac366c340614b580aa38cb2dd850d1de4a12d

    SHA512

    f1a7c8035cf7a483c8909d6139a9db85cff4a28cfd6b393feb4438986003bce175199cfe08f149ebdda8333a7355d8d6043fd212b169c334dd635ab58b1f6558

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\build_protected.exe
    MD5

    d410f0078f4b4bb237a032ddb999236c

    SHA1

    83e6d1f3f77896c3e6569c1aefdb7c0f31d95d19

    SHA256

    f891e70d5cc6ef34db84686341fac366c340614b580aa38cb2dd850d1de4a12d

    SHA512

    f1a7c8035cf7a483c8909d6139a9db85cff4a28cfd6b393feb4438986003bce175199cfe08f149ebdda8333a7355d8d6043fd212b169c334dd635ab58b1f6558

    Download Submit
  • C:\Users\Admin\AppData\Local\vni1in7g\Clipboard.txt
    MD5

    809b24c010f6102183f6461cab36eb06

    SHA1

    485c85d91a481083e5491a7773d5cf7fc40d9d89

    SHA256

    b2df1a1b12de37c3b1159c28aa1fe7c7230666f70ad6d5f7b6c474307db26b10

    SHA512

    0cc9c181aaef4f50b05f95607726a3e376518be6d538e12f39cd0ffa4be6c7e650fb64cdbe6e64428b879cf89ad70578abb092abd331a09fa5c095433153ace3

    Download Submit
  • C:\Users\Admin\AppData\Local\vni1in7g\PC-Information.txt
    MD5

    adf67656256c219d74e8cdc62f1f3c70

    SHA1

    3a61bfb05e8974f3a9cf55f1ee11c5cd0d9cc130

    SHA256

    df0660fb4e811746bf87e98360849925ef5d3eb8a556087d02bcf7f2acfbdc6f

    SHA512

    db7c1e3a9a332ba16f20d049dd7ba8e5d25ced80937f0663418607815646e6da271eb33f998a491ec7b716f15dd31a6ae25fead876412e0f5b7b907a5c3b458b

    Download Submit
  • C:\Users\Admin\AppData\Local\vni1in7g\ProcessList.txt
    MD5

    7207721d7dc793182b14f1c94c3812a3

    SHA1

    9dece2c35112c669bb1e307a1015989840a62b1f

    SHA256

    bf81cc849fd2cd60f641a6bdf27598e810c8df9802b4cafbfef7e1f593dc1c5c

    SHA512

    13542bd3be1443e78b3954ee636b6c522a1fbc786e789a1e4f8b578a0218cf2c4c233d0ca6d8bdddf7a01b17d489b5c7b1fd4244099e95a86fc89e4874be6f80

    Download Submit
  • C:\Users\Admin\Desktop\build_protected.sfx.exe
    MD5

    dcc5951f425b50188ada18222e646e0b

    SHA1

    c01d710cece23698ce28b306f7fbf5cfc0648166

    SHA256

    424b489aa9b6dab205472918e10bf07ec2388ac23a00e534b36e90994ee6e33b

    SHA512

    757b543a5f7b74064f158922c931dc1e63c1cf22964a819f4ba5599876245fcfdcc017458c61b39384c8ec0310fabeb72ad6b73b35b58f831de64e704dbb9a16

    Download Submit
  • C:\Users\Admin\Desktop\build_protected.sfx.exe
    MD5

    dcc5951f425b50188ada18222e646e0b

    SHA1

    c01d710cece23698ce28b306f7fbf5cfc0648166

    SHA256

    424b489aa9b6dab205472918e10bf07ec2388ac23a00e534b36e90994ee6e33b

    SHA512

    757b543a5f7b74064f158922c931dc1e63c1cf22964a819f4ba5599876245fcfdcc017458c61b39384c8ec0310fabeb72ad6b73b35b58f831de64e704dbb9a16

    Download Submit
  • C:\Users\Admin\Desktop\build_protected.sfx.exe
    MD5

    dcc5951f425b50188ada18222e646e0b

    SHA1

    c01d710cece23698ce28b306f7fbf5cfc0648166

    SHA256

    424b489aa9b6dab205472918e10bf07ec2388ac23a00e534b36e90994ee6e33b

    SHA512

    757b543a5f7b74064f158922c931dc1e63c1cf22964a819f4ba5599876245fcfdcc017458c61b39384c8ec0310fabeb72ad6b73b35b58f831de64e704dbb9a16

    Download Submit
  • memory/2144-116-0x0000000000000000-mapping.dmp
    Download
  • memory/2324-148-0x0000000007140000-0x0000000007141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2324-143-0x0000000005710000-0x0000000005711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2324-133-0x0000000000000000-mapping.dmp
    Download
  • memory/2324-140-0x00000000054B0000-0x00000000059AE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3900-129-0x0000000003150000-0x0000000003151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3900-141-0x0000000005990000-0x0000000005991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3900-144-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3900-128-0x0000000005880000-0x0000000005D7E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3900-127-0x0000000005880000-0x0000000005881000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3900-126-0x0000000005D80000-0x0000000005D81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3900-124-0x00000000001A0000-0x00000000001A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3900-121-0x0000000000000000-mapping.dmp
    Download