Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 22:42
Static task
static1
Behavioral task
behavioral1
Sample
a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exe
Resource
win7-20220414-en
General
-
Target
a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exe
-
Size
1.3MB
-
MD5
7f3c87f33433b322b440b546e3a638ab
-
SHA1
149592f8b46d4f7210e0a260b89ab55a0eb73a73
-
SHA256
a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b
-
SHA512
3346b6217af345efec567bf3aea88001fe1830f13c274ffde4e87a949f05b0eaea5ab4dea08ddde01dde31ccaf2cf2c89ca6012a25a277983d064e181a437641
Malware Config
Signatures
-
Poullight Stealer Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2024-56-0x0000000001260000-0x00000000015D6000-memory.dmp family_poullight behavioral1/memory/2024-57-0x0000000001260000-0x00000000015D6000-memory.dmp family_poullight -
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata: ET MALWARE Win32/X-Files Stealer Activity
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Wine a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exepid process 2024 a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exepid process 2024 a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exe 2024 a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exe 2024 a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exedescription pid process Token: SeDebugPrivilege 2024 a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exe"C:\Users\Admin\AppData\Local\Temp\a3ddb7439f1d6e996ed7dc74a257b32a4dc0d5c0567b9752b658177de0084b0b.exe"1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2024-54-0x0000000075381000-0x0000000075383000-memory.dmpFilesize
8KB
-
memory/2024-55-0x0000000077660000-0x00000000777E0000-memory.dmpFilesize
1.5MB
-
memory/2024-56-0x0000000001260000-0x00000000015D6000-memory.dmpFilesize
3.5MB
-
memory/2024-57-0x0000000001260000-0x00000000015D6000-memory.dmpFilesize
3.5MB