Analysis

  • max time kernel
    4294208s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    28-03-2022 17:22

General

  • Target

    83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exe

  • Size

    515KB

  • MD5

    f2d7ffe4f989d68b3a862072d5cc7149

  • SHA1

    eb63becb7cc2bd74e785d65e7dedec2308e310a2

  • SHA256

    83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382

  • SHA512

    2967e2cfc4b759980a8a40ddd02eea0b815649f223fbdf15959b18b11adbfe0893afcdd391e83e807f9b378f15802738c3ab3223eef828253b47719f471b999f

Malware Config

Signatures

  • Poullight

    Poullight is an information stealer first seen in March 2020.

  • Poullight Stealer Payload 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exe
    "C:\Users\Admin\AppData\Local\Temp\83b4d1800d8d91536cfef0e1859bba535511d8f33937acb12d2065b5a246c382.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bat.bat
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:872
        • C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe
          DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe -pDgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe -dC:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe
            "C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access: Credentials in Files (T1081), 1 hit
  • Discovery: System Information Discovery (T1082), 1 hit
  • Collection: Data from Local System (T1005), 1 hit

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.exe
    Filesize

    97KB

    MD5

    2995b91e9b88499e68ec3c861fe3b1b2

    SHA1

    81e1dd982bd944959f885abb60fbb7dd4ad32211

    SHA256

    9bbe54eb278a7a8478a6ecc8697f91ad043a08fd2f57e2c6a7ccc953ed10ea89

    SHA512

    174043125f88fe0fca588017e043b3c633ae721ba571fbacf3dceeef3646fe1ebbe66c2c84130029071d63621b8635381eb0e81cb8ee980f34c872e4a49cd904

  • C:\Users\Admin\AppData\Local\Temp\DgfeGEgrRWERffeEReweQsaDvwEhfsddSsFfsHSGh.sfx.exe
    Filesize

    352KB

    MD5

    2d38acd7d80c3e914486f1da2ce52e7a

    SHA1

    cd78ff37776c98281f3c56a378076549b8bd1af0

    SHA256

    6e64814d39519a16009148bd5caad74a78bb39f0ea1c970891855831becc80c8

    SHA512

    b7b3af351694bca77a8be4590bd453677409e41341e491e88e9835024fd8e895ca2e9984d73ce1d31f66fb85f2ff06e5ee04678f7e16734487fdddb37aab9384

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    Filesize

    117B

    MD5

    97a035592222ff797781b0c589e2bb29

    SHA1

    21017a378b177dfbee1c64a1bf68fbff4439efb8

    SHA256

    c5e074a63a9fb0872e4ed9b810a4d772c3ccd092dc9b8416dfcaf316a54161b2

    SHA512

    4fdae6bf743f8a7eac08f3cd09ff1cecae834aa13fe3faa446006d5cad4784e9a2ee386abb577b8f79a9fdac9b1debfb8a4fa5465032a043a7fafffdda59c0bb

  • C:\Users\Admin\AppData\Local\Temp\vbs.vbs
    Filesize

    89B

    MD5

    dc06d3c7415f4f6b05272426a63e9fd1

    SHA1

    2a148ec726cde2a19222c03ebf2cf48e8a5c171f

    SHA256

    101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

    SHA512

    d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

  • memory/768-55-0x0000000000000000-mapping.dmp
  • memory/872-58-0x0000000000000000-mapping.dmp
  • memory/1280-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
    Filesize

    8KB

  • memory/1400-62-0x0000000000000000-mapping.dmp
  • memory/1560-70-0x0000000000000000-mapping.dmp
  • memory/1560-73-0x0000000000F30000-0x0000000000F4E000-memory.dmp
    Filesize

    120KB

  • memory/1560-74-0x000000001B280000-0x000000001B282000-memory.dmp
    Filesize

    8KB