poullight | 3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43

General

Target

3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe
Size

6.8MB
MD5

92290d3c06e414319fb42fc0f7d981d0
SHA1

6396501c4acd9e06a44f75f136528535e8003dce
SHA256

3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43
SHA512

2d59d0121b48e442ba2d2af2639afe928664238ef51e819a634c7c71aebfbaf87f3e8a033285111046d2f50c9a286b611143aac5c227a000ec5d4be65e5bc294

Score

10^/10

poullight persistence spyware stealer suricata trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
behavioral2/memory/4124-133-0x00000270A6020000-0x00000270A6040000-memory.dmp	family_poullight

suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
Executes dropped EXE 3 IoCs

Processes:

build.exesakl.exeasx0.dll

pid process

4124 build.exe
1448 sakl.exe
4232 asx0.dll

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

Processes:

asx0.dll

pid	process
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll
4232	asx0.dll

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d37aeb4a-2ec6-4134-bfec-cc4abf10e2a2.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220520075622.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

832 4232 WerFault.exe asx0.dll

pid	pid_target	process	target process
832	4232	WerFault.exe	asx0.dll

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeasx0.dll

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	asx0.dll
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	asx0.dll
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

build.exesakl.exe

pid	process
4124	build.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe
1448	sakl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

1336 msedge.exe
1336 msedge.exe
1336 msedge.exe
1336 msedge.exe
1336 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description pid process

Token: SeDebugPrivilege 4124 build.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

1336 msedge.exe
1336 msedge.exe
1336 msedge.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

sakl.exeasx0.dll

pid process

1448 sakl.exe
1448 sakl.exe
4232 asx0.dll
4232 asx0.dll

pid	process
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe

description	pid	process
Token: SeDebugPrivilege	4124	build.exe

pid	process
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe

pid	process
1448	sakl.exe
1448	sakl.exe
4232	asx0.dll
4232	asx0.dll

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exesakl.exemsedge.exe

description	pid	process	target process
PID 4692 wrote to memory of 4124	4692	3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe	build.exe
PID 4692 wrote to memory of 4124	4692	3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe	build.exe
PID 4692 wrote to memory of 1448	4692	3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe	sakl.exe
PID 4692 wrote to memory of 1448	4692	3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe	sakl.exe
PID 4692 wrote to memory of 1448	4692	3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe	sakl.exe
PID 1448 wrote to memory of 1336	1448	sakl.exe	msedge.exe
PID 1448 wrote to memory of 1336	1448	sakl.exe	msedge.exe
PID 1336 wrote to memory of 1668	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 1668	1336	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4232	1448	sakl.exe	asx0.dll
PID 1448 wrote to memory of 4232	1448	sakl.exe	asx0.dll
PID 1448 wrote to memory of 4232	1448	sakl.exe	asx0.dll
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 2496	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 3328	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 3328	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 60	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 60	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 60	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 60	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 60	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 60	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 60	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 60	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 60	1336	msedge.exe	msedge.exe
PID 1336 wrote to memory of 60	1336	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe
"C:\Users\Admin\AppData\Local\Temp\3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Users\Admin\AppData\Local\Temp\sakl.exe
"C:\Users\Admin\AppData\Local\Temp\sakl.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jq.qq.com/?_wv=1027&k=57Cts1S
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1a5646f8,0x7ffe1a564708,0x7ffe1a564718
4⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
4⤵
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2592 /prefetch:3
4⤵
PID:3328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3144 /prefetch:8
4⤵
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
4⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
4⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 /prefetch:8
4⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5564 /prefetch:8
4⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
4⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
4⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
4⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
4⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff72e335460,0x7ff72e335470,0x7ff72e335480
5⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
4⤵
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
4⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\asx0.dll
"C:\Users\Admin\AppData\Local\Temp\asx0.dll"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 704
4⤵
- Program crash
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4232 -ip 4232
1⤵
PID:1476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asx0.dll
Filesize
5.9MB

MD5
8d7cfce5a4716b167952e569a04ad5dc

SHA1
def4fa116d274403626ba33edc2604137689842f

SHA256
87979231d7f6bc01754071903035f784ffcb0a246a926b1d0b1e10493241907e

SHA512
d27123dacedca9933b484fcb432a411bb66ae5073fc6b3e2e178a5f554b69d84cf069bdddf35b83921670506bc2c0764e60310c6ca64adc89dd68e9fa90be26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\asx0.dll
Filesize
5.9MB

MD5
8d7cfce5a4716b167952e569a04ad5dc

SHA1
def4fa116d274403626ba33edc2604137689842f

SHA256
87979231d7f6bc01754071903035f784ffcb0a246a926b1d0b1e10493241907e

SHA512
d27123dacedca9933b484fcb432a411bb66ae5073fc6b3e2e178a5f554b69d84cf069bdddf35b83921670506bc2c0764e60310c6ca64adc89dd68e9fa90be26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
100KB

MD5
446afe801f9738ee2bfcb6791bdcf801

SHA1
fc43f35cd105e8954d77d8f7a48234e2576fe98e

SHA256
ba098b19bb32b3224c759d7853f4e0ebd5751f8cf5615bcdca3d52440fa07ccc

SHA512
f7748de18d35523aab05879944c1bfdda9a78c0b49e9b82c96b78f2e9dc8902848706857771c29cd769288d6ab98fb4b2398a92c240eca09e8dd27f297ebe92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
100KB

MD5
446afe801f9738ee2bfcb6791bdcf801

SHA1
fc43f35cd105e8954d77d8f7a48234e2576fe98e

SHA256
ba098b19bb32b3224c759d7853f4e0ebd5751f8cf5615bcdca3d52440fa07ccc

SHA512
f7748de18d35523aab05879944c1bfdda9a78c0b49e9b82c96b78f2e9dc8902848706857771c29cd769288d6ab98fb4b2398a92c240eca09e8dd27f297ebe92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sakl.exe
Filesize
6.7MB

MD5
06dcffb60e21650a7853af9a88b9a04e

SHA1
0021f7ae05f12f54ba5edfb2fb0c957f12fb5f4f

SHA256
f60632e252f6fae33c0f9b4cbff4a646d35d1504d1ed0c32cb03884bd900befe

SHA512
2b9e599c5e6fd498d7120e5c17cf70f79b7d15c27f820305ea0a17b1612a6aee72a07d7a85a8ec35c8a9f9eeedc3e829cea6d6d7c9dcb86f58aa76137a4a17c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sakl.exe
Filesize
6.7MB

MD5
06dcffb60e21650a7853af9a88b9a04e

SHA1
0021f7ae05f12f54ba5edfb2fb0c957f12fb5f4f

SHA256
f60632e252f6fae33c0f9b4cbff4a646d35d1504d1ed0c32cb03884bd900befe

SHA512
2b9e599c5e6fd498d7120e5c17cf70f79b7d15c27f820305ea0a17b1612a6aee72a07d7a85a8ec35c8a9f9eeedc3e829cea6d6d7c9dcb86f58aa76137a4a17c6

Download Submit
\??\pipe\LOCAL\crashpad_1336_XQZAYZBDSFBMFJSG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-1506-0x0000000000000000-mapping.dmp

Download
memory/1072-1520-0x0000000000000000-mapping.dmp

Download
memory/1336-139-0x0000000000000000-mapping.dmp

Download
memory/1448-134-0x0000000000000000-mapping.dmp

Download
memory/1448-138-0x0000000002670000-0x000000000277D000-memory.dmp

Filesize
1.1MB

Download
memory/1668-140-0x0000000000000000-mapping.dmp

Download
memory/2448-1512-0x0000000000000000-mapping.dmp

Download
memory/2496-1502-0x0000000000000000-mapping.dmp

Download
memory/2520-1525-0x0000000000000000-mapping.dmp

Download
memory/3016-1508-0x0000000000000000-mapping.dmp

Download
memory/3328-1503-0x0000000000000000-mapping.dmp

Download
memory/3584-1516-0x0000000000000000-mapping.dmp

Download
memory/3608-1514-0x0000000000000000-mapping.dmp

Download
memory/3612-1523-0x0000000000000000-mapping.dmp

Download
memory/4124-1500-0x00000270C1350000-0x00000270C1362000-memory.dmp

Filesize
72KB

Download
memory/4124-130-0x0000000000000000-mapping.dmp

Download
memory/4124-141-0x00000270A7D30000-0x00000270A7D3A000-memory.dmp

Filesize
40KB

Download
memory/4124-133-0x00000270A6020000-0x00000270A6040000-memory.dmp

Filesize
128KB

Download
memory/4124-1498-0x00000270C2280000-0x00000270C2442000-memory.dmp

Filesize
1.8MB

Download
memory/4124-1499-0x00000270C2980000-0x00000270C2EA8000-memory.dmp

Filesize
5.2MB

Download
memory/4124-137-0x00007FFE1F580000-0x00007FFE20041000-memory.dmp

Filesize
10.8MB

Download
memory/4232-1491-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/4232-148-0x0000000075DE0000-0x0000000075F80000-memory.dmp

Filesize
1.6MB

Download
memory/4232-1493-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/4232-142-0x0000000000000000-mapping.dmp

Download
memory/4232-1494-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/4232-1496-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/4232-149-0x0000000076790000-0x000000007680A000-memory.dmp

Filesize
488KB

Download
memory/4232-1492-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/4232-146-0x0000000075F90000-0x00000000761A5000-memory.dmp

Filesize
2.1MB

Download
memory/4232-145-0x00000000773C0000-0x0000000077563000-memory.dmp

Filesize
1.6MB

Download
memory/4232-1497-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/4604-1522-0x0000000000000000-mapping.dmp

Download
memory/4700-1518-0x0000000000000000-mapping.dmp

Download
memory/4808-1510-0x0000000000000000-mapping.dmp

Download
memory/4992-1521-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads