Analysis
-
max time kernel
191s -
max time network
252s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
07-05-2022 23:29
General
-
Target
d42645562bb1cdc522100a017353eeb57b75be15e35ed9d1c225452469e72b0e.exe
-
Size
515KB
-
MD5
1ed9caa53a1c162c5c1d3d54ad8dfcd2
-
SHA1
9933ba50d7fa299a2e1b7b0db71767ead0ff19a0
-
SHA256
d42645562bb1cdc522100a017353eeb57b75be15e35ed9d1c225452469e72b0e
-
SHA512
c6fd52990d0653f5483a2e59cfcaee66159d171afb0a3b4ab33246726331b28a2f712ee93a1228d94e36a908a7e2c7ab9f7170a9ccf7934e3f441b045228c839
Malware Config
Signatures
-
Poullight
Poullight is an information stealer first seen in March 2020.
-
Poullight Stealer Payload 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d42645562bb1cdc522100a017353eeb57b75be15e35ed9d1c225452469e72b0e.exe"C:\Users\Admin\AppData\Local\Temp\d42645562bb1cdc522100a017353eeb57b75be15e35ed9d1c225452469e72b0e.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bat.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OutBestAutsMens.sfx.exeOutBestAutsMens.sfx.exe -pOutBestAutsMens.exe -dC:\Users\Admin\AppData\Local\Temp4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OutBestAutsMens.exe"C:\Users\Admin\AppData\Local\Temp\OutBestAutsMens.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD558be8f739eb5b24eedce748dfc19d481
SHA1531521c7605101969c3128cbd9be285971ede508
SHA2563876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550
SHA512c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715
-
Filesize
97KB
MD558be8f739eb5b24eedce748dfc19d481
SHA1531521c7605101969c3128cbd9be285971ede508
SHA2563876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550
SHA512c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715
-
Filesize
352KB
MD538fc93be2d479d4bc35094362633bbdb
SHA158863aa2983d3fa3f3184f39215be8bcf9d365e6
SHA256f0e889f12c5b97c0b8cba96af2bf4bac7e6ca31711b3002f424ffb3a25b4e334
SHA5123a9449feeec5c80c895a4e8f6f1256b3985d28351dc607f1cac24f5017ab05f68382da4eca4948546a3f72a941520181158fa116478d749d45d28afadc5db8af
-
Filesize
352KB
MD538fc93be2d479d4bc35094362633bbdb
SHA158863aa2983d3fa3f3184f39215be8bcf9d365e6
SHA256f0e889f12c5b97c0b8cba96af2bf4bac7e6ca31711b3002f424ffb3a25b4e334
SHA5123a9449feeec5c80c895a4e8f6f1256b3985d28351dc607f1cac24f5017ab05f68382da4eca4948546a3f72a941520181158fa116478d749d45d28afadc5db8af
-
Filesize
65B
MD5a6c7b342f993b191ca6b10ee4f722881
SHA17a52671f7c9dbf6be80f0817cd9823c267363a32
SHA256651eac6db66e4e61863b4fea2e282f5a99007fa32d9a70ff9f3775358882fb4f
SHA5126e5d7d3325474df17ceca4c922e0efdc814e8aed7dd9803aa777c75e0475b0fc592520ded811a250f01ca62300407d0477776137abbe7e31b05ef1136f4271fe
-
Filesize
89B
MD5dc06d3c7415f4f6b05272426a63e9fd1
SHA12a148ec726cde2a19222c03ebf2cf48e8a5c171f
SHA256101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093
SHA512d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a
-
Filesize
120KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
72KB