Analysis
- max time kernel: 152s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-05-2022 15:05

Static task: static1
Behavioral task: behavioral1
Sample: 1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe
Resource: win7-20220414-en
General
- Target: 1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe
- Size: 515KB
- MD5: 22fc7ac275911cacec082e0bf88b8cfc
- SHA1: 48dbcfac99b8441dd44514506191ef8e116cd69f
- SHA256: 1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb
- SHA512: 882d847c0e1549ba9c36aed7972116d4930839742e3da62e6e93a237934ddd7cb7b612b9ff8c83cba647e01cabe0e4d7746002940408f4fc36448ed4a391e34e
Malware Config
Signatures
- Poullight Stealer Payload (8 IoCs)
  Processes:
  resource                                                                     yara_rule
  \Users\Admin\AppData\Local\Temp\gratenbersboor.exe                           family_poullight
  \Users\Admin\AppData\Local\Temp\gratenbersboor.exe                           family_poullight
  \Users\Admin\AppData\Local\Temp\gratenbersboor.exe                           family_poullight
  \Users\Admin\AppData\Local\Temp\gratenbersboor.exe                           family_poullight
  \Users\Admin\AppData\Local\Temp\gratenbersboor.exe                           family_poullight
  C:\Users\Admin\AppData\Local\Temp\gratenbersboor.exe                         family_poullight
  C:\Users\Admin\AppData\Local\Temp\gratenbersboor.exe                         family_poullight
  behavioral1/memory/660-73-0x00000000003C0000-0x00000000003DE000-memory.dmp  family_poullight
- suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
- suricata: ET MALWARE Win32/X-Files Stealer Activity
- Executes dropped EXE (2 IoCs)
  Processes:
  pid   process
  1700  gratenbersboor.sfx.exe
  660   gratenbersboor.exe
- Loads dropped DLL (6 IoCs)
  Processes:
  pid   process
  1752  cmd.exe
  1700  gratenbersboor.sfx.exe
  1700  gratenbersboor.sfx.exe
  1700  gratenbersboor.sfx.exe
  1700  gratenbersboor.sfx.exe
  1700  gratenbersboor.sfx.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  660   gratenbersboor.exe
  660   gratenbersboor.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   660   gratenbersboor.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe, WScript.exe, cmd.exe, gratenbersboor.sfx.exe
  description                          pid   process                                                                  target process           entries
  PID 1860 wrote to memory of 1244     1860  1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe  WScript.exe              4
  PID 1244 wrote to memory of 1752     1244  WScript.exe                                                              cmd.exe                  4
  PID 1752 wrote to memory of 1700     1752  cmd.exe                                                                  gratenbersboor.sfx.exe   4
  PID 1700 wrote to memory of 660      1700  gratenbersboor.sfx.exe                                                   gratenbersboor.exe       4
Processes
- C:\Users\Admin\AppData\Local\Temp\1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f0bd4d06afe14ac132041dd2a00bc8a1e9e365da51e95abd48c2dc5187f2adb.exe"
  PID: 1860
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
    PID: 1244
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c bat.bat
      PID: 1752
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\gratenbersboor.sfx.exe
        Command line: gratenbersboor.sfx.exe -pgratenbersboor.exe -dC:\Users\Admin\AppData\Local\Temp
        PID: 1700
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\gratenbersboor.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\gratenbersboor.exe"
          PID: 660
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bat.bat
  Filesize: 63B
  MD5: 832e052a8b74b20e7f992814e0a78614
  SHA1: 7e6f04abfbe3393dbf47d562b4ebed63b3fa8a94
  SHA256: de1b472fb7f93bdb6e72cd4203ddf6683febb443fc332cf1d939d743cc714215
  SHA512: 16ba2ff63f334dc6f38ff54272db2e40f30c83345016e7fbdddd0be0d10b30a1df23ad98d32a4b70147f52665a8966943b791cbfdddf1ea4f009e0942897557e
- C:\Users\Admin\AppData\Local\Temp\gratenbersboor.exe
  Filesize: 97KB
  MD5: 58be8f739eb5b24eedce748dfc19d481
  SHA1: 531521c7605101969c3128cbd9be285971ede508
  SHA256: 3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550
  SHA512: c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715
- C:\Users\Admin\AppData\Local\Temp\gratenbersboor.sfx.exe
  Filesize: 352KB
  MD5: ca78826a9fc3413b20f7e0fc940ed16c
  SHA1: 0b21722dc501392445a8b0c70c95f764e8fdaa4f
  SHA256: 619b870a8099f724332f5ed2f539752691e32adc036b4a79f4e4cc7de9e41e71
  SHA512: 4db4aa050739030c82c94ce5e0e6a3d3cbed13a88013412b01e7002314470409f3d37833dc03472abe0e3dce2626983cfb40358779b65d9f9f62629f805d6ce4
- C:\Users\Admin\AppData\Local\Temp\vbs.vbs
  Filesize: 89B
  MD5: dc06d3c7415f4f6b05272426a63e9fd1
  SHA1: 2a148ec726cde2a19222c03ebf2cf48e8a5c171f
  SHA256: 101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093
  SHA512: d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a
- \Users\Admin\AppData\Local\Temp\gratenbersboor.exe
  Filesize: 97KB
  MD5: 58be8f739eb5b24eedce748dfc19d481
  SHA1: 531521c7605101969c3128cbd9be285971ede508
  SHA256: 3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550
  SHA512: c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715
- \Users\Admin\AppData\Local\Temp\gratenbersboor.sfx.exe
  Filesize: 352KB
  MD5: ca78826a9fc3413b20f7e0fc940ed16c
  SHA1: 0b21722dc501392445a8b0c70c95f764e8fdaa4f
  SHA256: 619b870a8099f724332f5ed2f539752691e32adc036b4a79f4e4cc7de9e41e71
  SHA512: 4db4aa050739030c82c94ce5e0e6a3d3cbed13a88013412b01e7002314470409f3d37833dc03472abe0e3dce2626983cfb40358779b65d9f9f62629f805d6ce4
- memory/660-70-0x0000000000000000-mapping.dmp
- memory/660-73-0x00000000003C0000-0x00000000003DE000-memory.dmp
  Filesize: 120KB
- memory/1244-55-0x0000000000000000-mapping.dmp
- memory/1700-62-0x0000000000000000-mapping.dmp
- memory/1752-58-0x0000000000000000-mapping.dmp
- memory/1860-54-0x0000000075E41000-0x0000000075E43000-memory.dmp
  Filesize: 8KB