Analysis
max time kernel: 157s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-05-2022 19:13
Static task: static1
Behavioral task: behavioral1
Sample: cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe
Resource: win7-20220414-en
General
Target: cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe
Size: 515KB
MD5: 8d5f2486b1079ca616a5777ee1780c42
SHA1: 726e086076e11f277df3d24fb5830b658458d42f
SHA256: cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f
SHA512: 40157e363ceea085713dbd3a6a7ce0923f1f48923f7cc475c05f1d4f442314d0cc84b48b5684b188e3eac81d8c58eaece77dddefe48f5c6e73dce6ef6ed4f43f
Malware Config
Signatures
Poullight Stealer Payload 3 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe | family_poullight
  C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe | family_poullight
  behavioral2/memory/1284-140-0x00000287BB5D0000-0x00000287BB5EE000-memory.dmp | family_poullight
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Win32/X-Files Stealer Activity
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  2280 | GangsterKirillEeE.sfx.exe
  1284 | GangsterKirillEeE.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | GangsterKirillEeE.sfx.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid | process
  1284 | GangsterKirillEeE.exe
  1284 | GangsterKirillEeE.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1284 | GangsterKirillEeE.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  description | pid | process | target process
  PID 2336 wrote to memory of 8 | 2336 | cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe | WScript.exe
  PID 2336 wrote to memory of 8 | 2336 | cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe | WScript.exe
  PID 2336 wrote to memory of 8 | 2336 | cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe | WScript.exe
  PID 8 wrote to memory of 3172 | 8 | WScript.exe | cmd.exe
  PID 8 wrote to memory of 3172 | 8 | WScript.exe | cmd.exe
  PID 8 wrote to memory of 3172 | 8 | WScript.exe | cmd.exe
  PID 3172 wrote to memory of 2280 | 3172 | cmd.exe | GangsterKirillEeE.sfx.exe
  PID 3172 wrote to memory of 2280 | 3172 | cmd.exe | GangsterKirillEeE.sfx.exe
  PID 3172 wrote to memory of 2280 | 3172 | cmd.exe | GangsterKirillEeE.sfx.exe
  PID 2280 wrote to memory of 1284 | 2280 | GangsterKirillEeE.sfx.exe | GangsterKirillEeE.exe
  PID 2280 wrote to memory of 1284 | 2280 | GangsterKirillEeE.sfx.exe | GangsterKirillEeE.exe
Processes
C:\Users\Admin\AppData\Local\Temp\cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe (tree level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\cfe1c6bcb447ae13896a876e473912703a96c52b0db8d7362aa026ca31bd535f.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (tree level 2)
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (tree level 3)
      command line: "C:\Windows\System32\cmd.exe" /c bat.bat
      - Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.sfx.exe (tree level 1)
  command line: GangsterKirillEeE.sfx.exe -pGangsterKirillEeE.exe -dC:\Users\Admin\AppData\Local\Temp
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe (tree level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.exe
  Filesize: 97KB
  MD5: 58be8f739eb5b24eedce748dfc19d481
  SHA1: 531521c7605101969c3128cbd9be285971ede508
  SHA256: 3876d69d383cd4e2a04d497e58d1d77bc85892584186ddf0c14fe1fb83e18550
  SHA512: c897cbff855df56cf3aab305bbe4f5c1dcc2c0657b8cf25f0d36ae1275110452df8bb3e21b613e2db01a7b533ffcefa39c12f65cc5a283e6a0830fdb95d37715
C:\Users\Admin\AppData\Local\Temp\GangsterKirillEeE.sfx.exe
  Filesize: 352KB
  MD5: 7aae2bddc3ed0dadccb79baf02ff7320
  SHA1: 8c9752b1553fba86f069e09952cd0a64d7762666
  SHA256: 813461c1f05c9ef1fa6422c79b3cfdc4cfcbe85a94fd9f82e851aaf645cec7dd
  SHA512: 6cdec4e6b37d172d82c107e6992e25e4d23c456af533cdeede5b1d40db747ecbc7f355ee74e9345063ac5ee8264d98041e1c8f1f7ce4778af71d7ad3369da5a2
C:\Users\Admin\AppData\Local\Temp\bat.bat
  Filesize: 69B
  MD5: efa934163bc0e44bf9f8451517e98e83
  SHA1: c21532d9a4c1cbf698e9578621a17930bdeee2e5
  SHA256: 3821d3bd5f0b59495a717afcabcd0ee162d391c1ab1a922b671fd88444f5e5b1
  SHA512: a5ba040da972ea41ab7a430d676732e0ea0d16dbf8f6565dfb636827aa1887a1da2eed2e5fac04d1e189d6c1cb43e855d749cc3be5d93318037d7a609f1aef9e
C:\Users\Admin\AppData\Local\Temp\vbs.vbs
  Filesize: 89B
  MD5: dc06d3c7415f4f6b05272426a63e9fd1
  SHA1: 2a148ec726cde2a19222c03ebf2cf48e8a5c171f
  SHA256: 101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093
  SHA512: d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a
memory/8-130-0x0000000000000000-mapping.dmp
memory/1284-142-0x00000287BB9C0000-0x00000287BB9CA000-memory.dmp
  Filesize: 40KB
memory/1284-137-0x0000000000000000-mapping.dmp
memory/1284-140-0x00000287BB5D0000-0x00000287BB5EE000-memory.dmp
  Filesize: 120KB
memory/1284-141-0x00007FFF9B1E0000-0x00007FFF9BCA1000-memory.dmp
  Filesize: 10.8MB
memory/1284-143-0x00000287D7CC0000-0x00000287D7E82000-memory.dmp
  Filesize: 1.8MB
memory/1284-144-0x00000287D83C0000-0x00000287D88E8000-memory.dmp
  Filesize: 5.2MB
memory/1284-145-0x00000287D6D30000-0x00000287D6D42000-memory.dmp
  Filesize: 72KB
memory/2280-134-0x0000000000000000-mapping.dmp
memory/3172-132-0x0000000000000000-mapping.dmp