Analysis
max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-20220414-en
submitted: 02-05-2022 23:55

Static task: static1
Behavioral task: behavioral1
  Sample: 9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe
  Resource: win10v2004-20220414-en

General
Target: 9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe
Size: 232KB
MD5: c6c11a98c55d75f11ed88c4df931fd39
SHA1: 8180a64e5bb006b8485991aef1fd8cf7e105a3c6
SHA256: 9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9
SHA512: ce8a46d4e355e6a5b3e3d25de076fee1e5997e4dea3d16f729731999694039682a85ae3924713a69e435d3b39989cc5c222c62b4a4a4f4aa1ee516bd6ffaded4
Malware Config
Signatures
-
Poullight Stealer Payload (6 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1612-57-0x0000000002000000-0x0000000002020000-memory.dmp | family_poullight
  \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe | family_poullight
  \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe | family_poullight
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe | family_poullight
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe | family_poullight
  behavioral1/memory/1736-63-0x0000000000AF0000-0x0000000000B0E000-memory.dmp | family_poullight
-
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  1736 | hack.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  1612 | 9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe
  1612 | 9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  1736 | hack.exe
  1736 | hack.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1736 | hack.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description | pid | process | target process
  PID 1612 wrote to memory of 1736 | 1612 | 9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe | hack.exe
  PID 1612 wrote to memory of 1736 | 1612 | 9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe | hack.exe
  PID 1612 wrote to memory of 1736 | 1612 | 9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe | hack.exe
  PID 1612 wrote to memory of 1736 | 1612 | 9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe | hack.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9094516c6e0cea0e64b8a79c2f30c1408bebf705aaed7587e417445fbabd65b9.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe
  Filesize: 97KB
  MD5: 027bab0544eb91583e54a27cf967b167
  SHA1: b108f8c6cbfb7c2b8b44d4b2263ceb97b1414044
  SHA256: 8f7ec48b5c3e52f3e09b3dc35f180a82c2b0dac269a84e7cd1f8127b8fad7ec4
  SHA512: 34d324375180ca81dd9710b60cd39c201fb22df54bd886310875d21c8b59f89ef0dfeea24f1233ff868848c0b9b481ab96734022d3398b4b89be863a2cbeee84
-
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\hack.exe
  Filesize: 97KB
  MD5: 027bab0544eb91583e54a27cf967b167
  SHA1: b108f8c6cbfb7c2b8b44d4b2263ceb97b1414044
  SHA256: 8f7ec48b5c3e52f3e09b3dc35f180a82c2b0dac269a84e7cd1f8127b8fad7ec4
  SHA512: 34d324375180ca81dd9710b60cd39c201fb22df54bd886310875d21c8b59f89ef0dfeea24f1233ff868848c0b9b481ab96734022d3398b4b89be863a2cbeee84
-
memory/1612-54-0x00000000002D0000-0x00000000002F6000-memory.dmp
  Filesize: 152KB
-
memory/1612-55-0x0000000000550000-0x0000000000576000-memory.dmp
  Filesize: 152KB
-
memory/1612-56-0x0000000076531000-0x0000000076533000-memory.dmp
  Filesize: 8KB
-
memory/1612-57-0x0000000002000000-0x0000000002020000-memory.dmp
  Filesize: 128KB
-
memory/1736-60-0x0000000000000000-mapping.dmp
-
memory/1736-63-0x0000000000AF0000-0x0000000000B0E000-memory.dmp
  Filesize: 120KB