Analysis
- max time kernel: 137s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-05-2022 04:10
Static task: static1
Behavioral task: behavioral1
- Sample: 59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe
- Resource: win7-20220414-en
Note: the YARA match path under Signatures is prefixed behavioral2/, so the signatures, process tree and dumps on this page come from the Windows 10 run described in the header, not from the Windows 7 task behavioral1.
General
- Target: 59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe
- Size: 515KB
- MD5: 418b9e449094989ce2d8018f2b249028
- SHA1: d88ffaa50902882aa2678c8720ad0edb41af39bf
- SHA256: 59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1
- SHA512: 77ec4f9a3e842a015af0d14e043d67ea28d112222572a4569dd6020a4da8a19fe1040d9678c85492c109f6c9b931ac05a0c7dc9b1d87ca62aa3c1e1ddb3c3588
Malware Config
Signatures
-
Poullight Stealer Payload 3 IoCs
YARA matches (resource / rule):
- behavioral2/memory/4784-140-0x0000029961900000-0x000002996191E000-memory.dmp / family_poullight (pid 4784 is luudersmoon.exe)
- C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe / family_poullight
- C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe / family_poullight (the dropped file is listed twice by the sandbox)
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
-
suricata: ET MALWARE Win32/X-Files Stealer Activity
Note: the network alerts name different stealer families (Matrix Max, X-Files) plus two generic gate.php rules. Rules of this kind key on C2 traffic conventions that several stealer panels share (a bare POST to gate.php is one), so family attribution should rest on the family_poullight YARA match on the dropped binary and its memory, not on the alert names.
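The two generic gate.php alerts above describe one condition each: a POST whose URI contains /gate.php and which carries no Accept header, or no Referer header. The following is an added example, not the Suricata rules themselves (those match on the wire in Suricata's rule language) and not part of the sandbox report; it restates the same conditions in plain Python for triaging HTTP requests pulled out of a pcap. The four requests it runs over are constructed (203.0.113.10 is an RFC 5737 documentation address), not taken from this sample's traffic, and the alert names are copied from the report.

```python
"""Approximation of the two ET 'POST To gate.php' conditions over raw HTTP requests.

Added example: a plain-Python restatement of the conditions (POST, URI contains
/gate.php, Accept or Referer header absent), not the ET rules and not sandbox code.
The requests below are constructed, not captured from this sample.
"""

NO_ACCEPT = "ET MALWARE Trojan Generic - POST To gate.php with no accept headers"
NO_REFERER = "ET MALWARE Trojan Generic - POST To gate.php with no referer"


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers); header names are lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # tolerate a stray line rather than fail the whole request
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    return method.decode("ascii", "replace"), target.decode("latin-1"), headers


def gate_php_findings(raw: bytes):
    """Return the ET alert names this request satisfies ([] when it is not a gate.php POST)."""
    method, target, headers = parse_http_request(raw)
    path = target.split("?", 1)[0].lower()   # ignore any query string, compare case-insensitively
    if method != "POST" or "/gate.php" not in path:
        return []
    findings = []
    if "accept" not in headers:
        findings.append(NO_ACCEPT)
    if "referer" not in headers:
        findings.append(NO_REFERER)
    return findings


def triage(requests):
    """Map each (label, raw request) to its findings; the shape you would feed from a pcap's HTTP streams."""
    return {label: gate_php_findings(raw) for label, raw in requests}


# Constructed requests (not from this sample's pcap). 203.0.113.10 is a documentation address.
STEALER_LIKE = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"hwid=abc123"
)
ACCEPT_ONLY = (  # lower-case header name: matching must be case-insensitive
    b"POST /panel/gate.php?id=1 HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"accept: */*\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
BROWSER_LIKE = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Accept: text/html,*/*\r\n"
    b"Referer: http://203.0.113.10/login\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
UNRELATED = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    samples = [("stealer-like", STEALER_LIKE), ("accept-only", ACCEPT_ONLY),
               ("browser-like", BROWSER_LIKE), ("unrelated", UNRELATED)]
    for label, hits in triage(samples).items():
        print(label, "->", hits or "no alert")
```

Both ET rules are deliberately loose (they fire on any panel using the gate.php convention), so a hit is a prompt to pull the session and look at the POST body and the answering host, not an attribution by itself.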
-
Executes dropped EXE 2 IoCs
Processes (pid / image):
- 2076 / luudersmoon.sfx.exe
- 4784 / luudersmoon.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation under the user hive), likely a geofence: stealers commonly read it to skip hosts in the operator's home region.
Processes (key value queried / process):
- \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation / 59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe
- \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation / WScript.exe
- \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation / luudersmoon.sfx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers routinely target stored browser data, which can include saved credentials and session cookies. No specific IoCs are listed for this signature in the report.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature calls it likely ransomware behaviour; for this sample, which matches a stealer YARA rule and produces stealer exfiltration alerts, enumerating drives is at least as consistent with locating files to collect, so treat the ransomware label as the signature's default text rather than a finding.
-
Modifies registry class 1 IoCs
Processes (key created / process):
- \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings / 59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid / image):
- 4784 / luudersmoon.exe (2 events recorded)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (token / pid / image):
- SeDebugPrivilege / 4784 / luudersmoon.exe
SeDebugPrivilege lets its holder open other processes regardless of their ACLs; enabling it in the same process that enumerates processes is consistent with an intent to open and read other processes' memory.
Suspicious use of WriteProcessMemory 11 IoCs
Processes (source pid / image -> target pid / image, writes recorded):
- 5108 / 59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe -> 2612 / WScript.exe (3 writes)
- 2612 / WScript.exe -> 4376 / cmd.exe (3 writes)
- 4376 / cmd.exe -> 2076 / luudersmoon.sfx.exe (3 writes)
- 2076 / luudersmoon.sfx.exe -> 4784 / luudersmoon.exe (2 writes)
Every write is from a parent into the child it has just created, matching the process tree below. The writes coincide with process creation (the parent populating its new child), so on their own they are not evidence of injection into an unrelated process.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe (pid 5108)
    command line: "C:\Users\Admin\AppData\Local\Temp\59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WScript.exe (pid 2612)
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
        (the command line names System32 but the image that ran is under SysWOW64: the parent is a 32-bit process, so WOW64 file-system redirection resolved the path; the same applies to cmd.exe below)
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe (pid 4376)
            command line: "C:\Windows\System32\cmd.exe" /c bat.bat
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\luudersmoon.sfx.exe (pid 2076)
                command line: luudersmoon.sfx.exe -pluudersmoon.exe -dC:\Users\Admin\AppData\Local\Temp
                (-p<password> and -d<path> match the WinRAR self-extractor switches: the batch stage supplies the archive password, here literally "luudersmoon.exe", and the extraction directory, which is why the payload lands in %TEMP% as luudersmoon.exe)
                - Executes dropped EXE
                - Checks computer location settings
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe (pid 4784)
                    command line: "C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe"
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
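The WriteProcessMemory records and the process tree describe the same five-stage chain: dropper, script host, shell, self-extractor, payload. The following is an added example, not part of the sandbox report or its tooling, that rebuilds that chain from the report's own WriteProcessMemory records (copied verbatim into the block), folds the repeated writes into per-edge counts, and flags the pattern a hunter cares about here: a script or shell host that leads to execution of a file the report lists as dropped. The record layout it parses is the one shown on this page; the set of script hosts and the hypothetical flag function are assumptions of the example.

```python
"""Rebuild the process chain from a sandbox's "wrote to memory of" records.

Added example, not sandbox code. Assumed record layout (as shown in the report):
    PID <parent> wrote to memory of <child> <parent> <parent image> <child image>
The sandbox emits one record per write, so the same parent->child edge repeats.
"""
import re

# Records copied verbatim from the report's WriteProcessMemory table.
WPM_RECORDS = """\
PID 5108 wrote to memory of 2612 5108 59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe WScript.exe
PID 5108 wrote to memory of 2612 5108 59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe WScript.exe
PID 5108 wrote to memory of 2612 5108 59cbea1c28d04adeb9e7e80f00700c64d042685d0f10a7a32cd092e5703a38a1.exe WScript.exe
PID 2612 wrote to memory of 4376 2612 WScript.exe cmd.exe
PID 2612 wrote to memory of 4376 2612 WScript.exe cmd.exe
PID 2612 wrote to memory of 4376 2612 WScript.exe cmd.exe
PID 4376 wrote to memory of 2076 4376 cmd.exe luudersmoon.sfx.exe
PID 4376 wrote to memory of 2076 4376 cmd.exe luudersmoon.sfx.exe
PID 4376 wrote to memory of 2076 4376 cmd.exe luudersmoon.sfx.exe
PID 2076 wrote to memory of 4784 2076 luudersmoon.sfx.exe luudersmoon.exe
PID 2076 wrote to memory of 4784 2076 luudersmoon.sfx.exe luudersmoon.exe
"""

# Images the report lists under "Executes dropped EXE".
DROPPED_IMAGES = {"luudersmoon.sfx.exe", "luudersmoon.exe"}

# Interpreters/shells that commonly sit between a dropper and its payload (assumption of the example).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}

RECORD_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) (?P=ppid) (?P<pimg>\S+) (?P<cimg>\S+)$"
)


def parse_edges(text):
    """Fold records into {(ppid, pid): {"parent": image, "child": image, "writes": n}}."""
    edges = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a write record
        key = (int(m["ppid"]), int(m["pid"]))
        edge = edges.setdefault(key, {"parent": m["pimg"], "child": m["cimg"], "writes": 0})
        edge["writes"] += 1
    return edges


def build_chain(edges, root_pid):
    """Depth-first walk of parent->child edges from root_pid; returns [(pid, image), ...]."""
    children = {}
    for (ppid, pid), edge in edges.items():
        children.setdefault(ppid, []).append((pid, edge["child"]))
    root_image = next((e["parent"] for (ppid, _), e in edges.items() if ppid == root_pid), None)
    chain, stack, seen = [(root_pid, root_image)], [root_pid], {root_pid}
    while stack:
        ppid = stack.pop()
        for pid, image in children.get(ppid, []):
            if pid not in seen:  # guards against malformed or cyclic records
                seen.add(pid)
                chain.append((pid, image))
                stack.append(pid)
    return chain


def script_host_to_dropped_exe(chain, dropped=DROPPED_IMAGES):
    """True when a script/shell host appears in the chain and a dropped image runs after it."""
    images = [img.lower() for _, img in chain]
    host_idx = [i for i, img in enumerate(images) if img in SCRIPT_HOSTS]
    drop_idx = [i for i, img in enumerate(images) if img in {d.lower() for d in dropped}]
    return bool(host_idx) and bool(drop_idx) and min(host_idx) < max(drop_idx)


def render(chain):
    """Indented one-line-per-process view, mirroring the report's process tree."""
    return "\n".join(f"{'  ' * depth}{pid} {image}" for depth, (pid, image) in enumerate(chain))


if __name__ == "__main__":
    chain = build_chain(parse_edges(WPM_RECORDS), 5108)
    print(render(chain))
    print("script host -> dropped exe:", script_host_to_dropped_exe(chain))
```

The write counts (3, 3, 3, 2) are the folded duplicates from the table; the chain the walk returns is exactly the five processes in the tree above. The same parser applies unchanged to another report in this format, and the flag function is the part to tune (for example, requiring the dropped image to live under the user's Temp directory).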
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bat.bat
Filesize: 57B
MD5: 96e65dca579e84d0d730ec42dfa538e3
SHA1: 7f4116aabf5991b6059a64becbb9d4bb8596df5b
SHA256: 790c7e75d2d9a88e44d9b75809c715397ef0a9758f277827eaeaa5c148a789de
SHA512: 44cf6b4b523ceafb158eb7e275436b207a0ae9cfd08ae48c5ec6968f21c23e52c269693384076663ed375fa517863d7955bb20cb366560d4d9c2444456c2610c
-
C:\Users\Admin\AppData\Local\Temp\luudersmoon.exe
Filesize: 97KB
MD5: 58be8f739eb5b24eedce748dfc19d481
SHA1: 531521c7605101969c3128cbd9be285971ede508
SHA256: 3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550
SHA512: c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715
-
C:\Users\Admin\AppData\Local\Temp\luudersmoon.sfx.exe
Filesize: 352KB
MD5: 16f950dcf3c99bab3e990ff3541944d9
SHA1: eaf4da6b50b2cbcae4bc01d26e304cc78b2d4f01
SHA256: 54f0daf2f7c0e4121249af597fab8071f54061438c14914cffc79846da97acc2
SHA512: 95edd9aab9f15c910f594a1b181e4192cd34e87991f1bfcb14e290bd31f807f1ba63691528e03d29c2f65059231f9f8967eddadd510722db2bd1b1f30a28bd89
-
C:\Users\Admin\AppData\Local\Temp\vbs.vbs
Filesize: 89B
MD5: dc06d3c7415f4f6b05272426a63e9fd1
SHA1: 2a148ec726cde2a19222c03ebf2cf48e8a5c171f
SHA256: 101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093
SHA512: d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a
-
memory/2076-134-0x0000000000000000-mapping.dmp
-
memory/2612-130-0x0000000000000000-mapping.dmp
-
memory/4376-132-0x0000000000000000-mapping.dmp
-
memory/4784-140-0x0000029961900000-0x000002996191E000-memory.dmp
Filesize: 120KB (the region that matched the family_poullight YARA rule above)
-
memory/4784-137-0x0000000000000000-mapping.dmp
-
memory/4784-141-0x00007FFABAD20000-0x00007FFABB7E1000-memory.dmp
Filesize: 10.8MB
-
memory/4784-142-0x00000299636B0000-0x00000299636BA000-memory.dmp
Filesize: 40KB
-
memory/4784-143-0x000002997E500000-0x000002997E6C2000-memory.dmp
Filesize: 1.8MB
-
memory/4784-144-0x000002997EC00000-0x000002997F128000-memory.dmp
Filesize: 5.2MB
-
memory/4784-145-0x000002997D5D0000-0x000002997D5E2000-memory.dmp
Filesize: 72KB