Analysis
max time kernel: 128s
max time network: 144s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-05-2022 19:13

Static task: static1
Behavioral task: behavioral1
Sample: cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe
Resource: win7-20220414-en

General
Target: cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe
Size: 515KB
MD5: 8d5f2486b1079ca616a5777ee1780c42
SHA1: 726e086076e11f277df3d24fb5830b658458d42f
SHA256: cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f
SHA512: 40157e363ceea085713dbd3a6a7ce0923f1f48923f7cc475c05f1d4f442314d0cc84b48b5684b188e3eac81d8c58eaece77dddefe48f5c6e73dce6ef6ed4f43f
Malware Config
Signatures

Poullight Stealer Payload (8 IoCs)
Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe / family_poullight (5 hits)
  C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe / family_poullight (2 hits)
  behavioral1/memory/1888-73-0x0000000000B00000-0x0000000000B1E000-memory.dmp / family_poullight (1 hit)

Executes dropped EXE (2 IoCs)
Processes (pid / process):
  940 GangsterKirillEeE.sfx.exe
  1888 GangsterKirillEeE.exe

Loads dropped DLL (6 IoCs)
Processes (pid / process):
  1688 cmd.exe (1 hit)
  940 GangsterKirillEeE.sfx.exe (5 hits)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
  1888 GangsterKirillEeE.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
  Token: SeDebugPrivilege / 1888 / GangsterKirillEeE.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes (pid -> target pid / process -> target process), each pair recorded 4 times:
  1948 -> 1348 / cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe -> WScript.exe
  1348 -> 1688 / WScript.exe -> cmd.exe
  1688 -> 940 / cmd.exe -> GangsterKirillEeE.sfx.exe
  940 -> 1888 / GangsterKirillEeE.sfx.exe -> GangsterKirillEeE.exe
Processes

C:\Users\Admin\AppData\Local\Temp\cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe (PID 1948)
  command line: "C:\Users\Admin\AppData\Local\Temp\cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe (PID 1348)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1688)
          command line: "C:\Windows\System32\cmd.exe" /c bat.bat
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.sfx.exe (PID 940; shown as a separate tree root by the sandbox, but the WriteProcessMemory entries record cmd.exe PID 1688 as its parent)
  command line: GangsterKirillEeE.sfx.exe -pGangsterKirillEeE.exe -dC:\Users\Admin\AppData\Local\Temp
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe (PID 1888)
      command line: "C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe
Filesize: 97KB
MD5: 58be8f739eb5b24eedce748dfc19d481
SHA1: 531521c7605101969c3128cbd9be285971ede508
SHA256: 3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550
SHA512: c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715

C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.sfx.exe
Filesize: 352KB
MD5: 7aae2bddc3ed0dadccb79baf02ff7320
SHA1: 8c9752b1553fba86f069e09952cd0a64d7762666
SHA256: 813461c1f05c9ef1fa6422c79b3cfdc4cfcbe85a94fd9f82e851aaf645cec7dd
SHA512: 6cdec4e6b37d172d82c107e6992e25e4d23c456af533cdeede5b1d40db747ecbc7f355ee74e9345063ac5ee8264d98041e1c8f1f7ce4778af71d7ad3369da5a2

C:\Users\Admin\AppData\Local\Temp\bat.bat
Filesize: 69B
MD5: efa934163bc0e44bf9f8451517e98e83
SHA1: c21532d9a4c1cbf698e9578621a17930bdeee2e5
SHA256: 3821d3bd5f0b59495a717afcabcd0ee162d391c1ab1a922b671fd88444f5e5b1
SHA512: a5ba040da972ea41ab7a430d676732e0ea0d16dbf8f6565dfb636827aa1887a1da2eed2e5fac04d1e189d6c1cb43e855d749cc3be5d93318037d7a609f1aef9e

C:\Users\Admin\AppData\Local\Temp\vbs.vbs
Filesize: 89B
MD5: dc06d3c7415f4f6b05272426a63e9fd1
SHA1: 2a148ec726cde2a19222c03ebf2cf48e8a5c171f
SHA256: 101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093
SHA512: d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Memory dumps
memory/940-62-0x0000000000000000-mapping.dmp
memory/1348-55-0x0000000000000000-mapping.dmp
memory/1688-58-0x0000000000000000-mapping.dmp
memory/1888-70-0x0000000000000000-mapping.dmp
memory/1888-73-0x0000000000B00000-0x0000000000B1E000-memory.dmp (Filesize: 120KB)
memory/1948-54-0x00000000754A1000-0x00000000754A3000-memory.dmp (Filesize: 8KB)