poullight | 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd

General

Target

927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe
Size

3.0MB
MD5

4e1ae916a283ff087b4daf71f73540cf
SHA1

c9f8cb325b0dc69638984060c100604bf61cf0fd
SHA256

927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd
SHA512

87abe3370506db994bf456ff008905690f6fd7cbb10440a8fba17a1fbec13ed14a91f2466b8e2bec4ac36b8397655866871646ffdcf1ff30f973b8288c8abbf6

Score

10^/10

poullight stealer suricata trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight
behavioral2/memory/2696-133-0x000002011FAC0000-0x000002011FAE0000-memory.dmp	family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe	family_poullight

suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
Executes dropped EXE 2 IoCs

Processes:

build.exeHB.exe

pid process

2696 build.exe
3472 HB.exe

pid	process
2696	build.exe
3472	HB.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

build.exe

pid process

2696 build.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description pid process

Token: SeDebugPrivilege 2696 build.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

HB.exe

pid process

3472 HB.exe
3472 HB.exe
3472 HB.exe
3472 HB.exe

pid	process
2696	build.exe

description	pid	process
Token: SeDebugPrivilege	2696	build.exe

pid	process
3472	HB.exe
3472	HB.exe
3472	HB.exe
3472	HB.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exeHB.exemsedge.exe

description	pid	process	target process
PID 1856 wrote to memory of 2696	1856	927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe	build.exe
PID 1856 wrote to memory of 2696	1856	927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe	build.exe
PID 1856 wrote to memory of 3472	1856	927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe	HB.exe
PID 1856 wrote to memory of 3472	1856	927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe	HB.exe
PID 1856 wrote to memory of 3472	1856	927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe	HB.exe
PID 3472 wrote to memory of 2388	3472	HB.exe	msedge.exe
PID 3472 wrote to memory of 2388	3472	HB.exe	msedge.exe
PID 2388 wrote to memory of 4156	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4156	2388	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe
"C:\Users\Admin\AppData\Local\Temp\927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\HB.exe
"C:\Users\Admin\AppData\Local\Temp\HB.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jq.qq.com/?_wv=1027&k=57Cts1S
3⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd4,0x114,0x7ff895f446f8,0x7ff895f44708,0x7ff895f44718
4⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:8
4⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
4⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
4⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
4⤵
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
4⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5424 /prefetch:8
4⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
4⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
4⤵
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5828 /prefetch:8
4⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
4⤵
PID:908

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
4⤵
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
4⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5252 /prefetch:8
4⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2568 /prefetch:2
4⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6ffb25460,0x7ff6ffb25470,0x7ff6ffb25480
1⤵
PID:3972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HB.exe
Filesize
2.8MB

MD5
3f9dd912d6f833970e34e99ac80ae8f0

SHA1
38cbef846a4d67728c1e90ae91ffb7eb6d4d9442

SHA256
9595db47c8f460cdd27b9a4c1b1ac68acdda489ccf867d9495883519950d3ef6

SHA512
cfdf38bdaacaf396f6e76792f956305da1d5a48b50ae7d4f1113a72ab957e61b320360dbde208613e651ad5f1ea900b6a3140440a6a59e7f11117647954ba938

Download Submit
C:\Users\Admin\AppData\Local\Temp\HB.exe
Filesize
2.8MB

MD5
3f9dd912d6f833970e34e99ac80ae8f0

SHA1
38cbef846a4d67728c1e90ae91ffb7eb6d4d9442

SHA256
9595db47c8f460cdd27b9a4c1b1ac68acdda489ccf867d9495883519950d3ef6

SHA512
cfdf38bdaacaf396f6e76792f956305da1d5a48b50ae7d4f1113a72ab957e61b320360dbde208613e651ad5f1ea900b6a3140440a6a59e7f11117647954ba938

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
100KB

MD5
129bbd25c68f6dfd3cd3ea812314e848

SHA1
5230aad2e3839fbd196d2ac4f7ff2201c38a5d7a

SHA256
f844fbb742d6fbc2081c7c3e32f4bae2e6b4bdb6224bbe8a34908a111f86542e

SHA512
f01b1ba6b925a6945a9f7d0437afaf31b713474ad70257f9415a83753e92d93ac61832e7b52ff6876c1969402b8601fde0cc5f428efe28ea53155f171e2d4973

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
100KB

MD5
129bbd25c68f6dfd3cd3ea812314e848

SHA1
5230aad2e3839fbd196d2ac4f7ff2201c38a5d7a

SHA256
f844fbb742d6fbc2081c7c3e32f4bae2e6b4bdb6224bbe8a34908a111f86542e

SHA512
f01b1ba6b925a6945a9f7d0437afaf31b713474ad70257f9415a83753e92d93ac61832e7b52ff6876c1969402b8601fde0cc5f428efe28ea53155f171e2d4973

Download Submit
\??\pipe\LOCAL\crashpad_2388_CNOYEIQKFWCTEZGZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/404-165-0x0000000000000000-mapping.dmp

Download
memory/636-167-0x0000000000000000-mapping.dmp

Download
memory/908-164-0x0000000000000000-mapping.dmp

Download
memory/1564-160-0x0000000000000000-mapping.dmp

Download
memory/1656-149-0x0000000000000000-mapping.dmp

Download
memory/1924-169-0x0000000000000000-mapping.dmp

Download
memory/2308-146-0x0000000000000000-mapping.dmp

Download
memory/2388-139-0x0000000000000000-mapping.dmp

Download
memory/2696-137-0x00007FF89A910000-0x00007FF89B3D1000-memory.dmp

Filesize
10.8MB

Download
memory/2696-130-0x0000000000000000-mapping.dmp

Download
memory/2696-141-0x000002013AF70000-0x000002013AF7A000-memory.dmp

Filesize
40KB

Download
memory/2696-154-0x000002013BD30000-0x000002013BEF2000-memory.dmp

Filesize
1.8MB

Download
memory/2696-133-0x000002011FAC0000-0x000002011FAE0000-memory.dmp

Filesize
128KB

Download
memory/2696-161-0x000002013C430000-0x000002013C958000-memory.dmp

Filesize
5.2MB

Download
memory/2696-162-0x000002013BB60000-0x000002013BB72000-memory.dmp

Filesize
72KB

Download
memory/2972-151-0x0000000000000000-mapping.dmp

Download
memory/3472-134-0x0000000000000000-mapping.dmp

Download
memory/3472-138-0x00000000024B0000-0x00000000025BD000-memory.dmp

Filesize
1.1MB

Download
memory/3972-166-0x0000000000000000-mapping.dmp

Download
memory/4068-144-0x0000000000000000-mapping.dmp

Download
memory/4156-140-0x0000000000000000-mapping.dmp

Download
memory/4268-170-0x0000000000000000-mapping.dmp

Download
memory/4524-143-0x0000000000000000-mapping.dmp

Download
memory/4764-158-0x0000000000000000-mapping.dmp

Download
memory/4860-153-0x0000000000000000-mapping.dmp

Download
memory/4960-156-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads