Analysis
max time kernel: 12s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 24-05-2022 22:30
Static task: static1
Behavioral task: behavioral1
Sample: 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe
Resource: win7-20220414-en
General
Target: 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe
Size: 3.0MB
MD5: 4e1ae916a283ff087b4daf71f73540cf
SHA1: c9f8cb325b0dc69638984060c100604bf61cf0fd
SHA256: 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd
SHA512: 87abe3370506db994bf456ff008905690f6fd7cbb10440a8fba17a1fbec13ed14a91f2466b8e2bec4ac36b8397655866871646ffdcf1ff30f973b8288c8abbf6
Malware Config
Signatures
-
Poullight Stealer Payload 3 IoCs
Resource | YARA rule
C:\Users\Admin\AppData\Local\Temp\build.exe | family_poullight
behavioral2/memory/2696-133-0x000002011FAC0000-0x000002011FAE0000-memory.dmp | family_poullight
C:\Users\Admin\AppData\Local\Temp\build.exe | family_poullight
-
suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
-
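The three Suricata alerts above describe one beacon shape: an HTTP POST to gate.php that lacks the Accept and Referer headers a browser would send, aimed at a host on the free 000webhostapp.com service. The script below is an added example, not code from this report or from the ET ruleset; it approximates the conditions named in the alert titles over raw HTTP requests (the actual Suricata rule bodies are not shown on this page), and the hostname, form field and bodies it uses are constructed placeholders, not the sample's real C2.

```python
from typing import Dict, List, Tuple

# Constructed requests, not traffic from this report. The 000webhostapp
# hostname and the POST body are placeholders.
STEALER_POST = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: example-panel.000webhostapp.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"hwid=test"
)
# A browser form submission to a same-named script: it sends Accept and
# Referer and is not on 000webhostapp, so none of the three conditions hold.
BROWSER_POST = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Accept: text/html,*/*\r\n"
    b"Referer: http://intranet.example/form.html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# A GET is out of scope for all three rules regardless of headers.
GET_REQ = b"GET /gate.php HTTP/1.1\r\nHost: example-panel.000webhostapp.com\r\n\r\n"


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, path, headers).

    Header names are lower-cased so lookups are case-insensitive, as they
    are for Suricata's http header keywords.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def gate_php_alerts(raw: bytes) -> List[str]:
    """Return the alert names (mirroring the three ET titles) the request triggers."""
    method, path, headers = parse_request(raw)
    # All three rules key on a POST whose URI path is gate.php; the query string is ignored.
    if method != "POST" or not path.split("?", 1)[0].endswith("/gate.php"):
        return []
    alerts: List[str] = []
    host = headers.get("host", "").lower().split(":", 1)[0]
    if host.endswith(".000webhostapp.com"):
        alerts.append("ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php")
    # "no accept headers": no Accept, Accept-Encoding, Accept-Language, ... at all.
    if not any(name.startswith("accept") for name in headers):
        alerts.append("ET MALWARE Trojan Generic - POST To gate.php with no accept headers")
    if "referer" not in headers:
        alerts.append("ET MALWARE Trojan Generic - POST To gate.php with no referer")
    return alerts


if __name__ == "__main__":
    for label, req in (("stealer", STEALER_POST), ("browser", BROWSER_POST), ("get", GET_REQ)):
        print(label, gate_php_alerts(req))
```

The value of running the three checks together is the confidence they add up to: a POST to gate.php from a real browser form almost always carries Accept and Referer, so a request that fires all three is very unlikely to be a false positive even before the hostname is known.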
Executes dropped EXE 2 IoCs
PID | Process
2696 | build.exe
3472 | HB.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; for this sample, classified above as a Poullight stealer, drive enumeration is equally consistent with collecting files to exfiltrate, and no file-encryption signature is listed in this report.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
PID | Process
2696 | build.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Description | PID | Process
Token: SeDebugPrivilege | 2696 | build.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
PID | Process
3472 | HB.exe
3472 | HB.exe
3472 | HB.exe
3472 | HB.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Description | PID | Process | Target process
PID 1856 wrote to memory of 2696 | 1856 | 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe | build.exe
PID 1856 wrote to memory of 2696 | 1856 | 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe | build.exe
PID 1856 wrote to memory of 3472 | 1856 | 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe | HB.exe
PID 1856 wrote to memory of 3472 | 1856 | 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe | HB.exe
PID 1856 wrote to memory of 3472 | 1856 | 927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe | HB.exe
PID 3472 wrote to memory of 2388 | 3472 | HB.exe | msedge.exe
PID 3472 wrote to memory of 2388 | 3472 | HB.exe | msedge.exe
PID 2388 wrote to memory of 4156 | 2388 | msedge.exe | msedge.exe
PID 2388 wrote to memory of 4156 | 2388 | msedge.exe | msedge.exe
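The WriteProcessMemory records above are the raw material for the process tree in the next section: the writes a parent makes into a child it has just created are what the sandbox logs here, so the de-duplicated (writer, target) pairs are parent/child edges. The script below is an added example for reading these records, not code from the sandbox or from this report; its input is a constructed string holding this report's nine records in the flattened one-line form the page uses.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = "927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe"

# Constructed input: the nine records from the table above, joined into one
# string the way the report page flattens them.
RECORDS = " ".join([
    f"PID 1856 wrote to memory of 2696 1856 {SAMPLE} build.exe",
    f"PID 1856 wrote to memory of 2696 1856 {SAMPLE} build.exe",
    f"PID 1856 wrote to memory of 3472 1856 {SAMPLE} HB.exe",
    f"PID 1856 wrote to memory of 3472 1856 {SAMPLE} HB.exe",
    f"PID 1856 wrote to memory of 3472 1856 {SAMPLE} HB.exe",
    "PID 3472 wrote to memory of 2388 3472 HB.exe msedge.exe",
    "PID 3472 wrote to memory of 2388 3472 HB.exe msedge.exe",
    "PID 2388 wrote to memory of 4156 2388 msedge.exe msedge.exe",
    "PID 2388 wrote to memory of 4156 2388 msedge.exe msedge.exe",
])

# One record: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)

Edge = Tuple[int, str, int, str]


def parse_records(text: str) -> List[Edge]:
    """Extract (src_pid, src_image, dst_pid, dst_image) edges, dropping repeats
    (the sandbox logs one row per WriteProcessMemory call) but keeping order."""
    edges: List[Edge] = []
    for m in RECORD_RE.finditer(text):
        edge = (int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"])
        if edge not in edges:
            edges.append(edge)
    return edges


def build_tree(edges: List[Edge]) -> Tuple[Dict[int, List[int]], Dict[int, str]]:
    """Return a children-by-pid map and an image-name-by-pid map."""
    children: Dict[int, List[int]] = defaultdict(list)
    names: Dict[int, str] = {}
    for src, src_name, dst, dst_name in edges:
        children[src].append(dst)
        names[src] = src_name
        names[dst] = dst_name
    return dict(children), names


def roots(children: Dict[int, List[int]]) -> List[int]:
    """PIDs that wrote into others but were never written into: the tree tops."""
    targets = {pid for kids in children.values() for pid in kids}
    return sorted(pid for pid in children if pid not in targets)


def render(children: Dict[int, List[int]], names: Dict[int, str],
           pid: int, depth: int = 0) -> List[str]:
    """Indented lines, one per process, depth-first."""
    lines = [f"{'  ' * depth}{names[pid]} (PID {pid})"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_records(RECORDS)
    children, names = build_tree(edges)
    for root in roots(children):
        print("\n".join(render(children, names, root)))
```

Only processes the sandbox saw being written into appear, so the result (1856 at the top, build.exe and HB.exe under it, msedge.exe 2388 under HB.exe, msedge.exe 4156 under that) is a subset of the Processes section: the remaining Edge children and the top-level CompPkgSrv.exe and svchost.exe have no WriteProcessMemory record and are absent from this view.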
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\927571741d81bafe08ebd1c074c810d9ccf55c624133c9ebc3d285d0d804c0fd.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1856
-
  [depth 2] C:\Users\Admin\AppData\Local\Temp\HB.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\HB.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3472
-
    [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jq.qq.com/?_wv=1027&k=57Cts1S
      - Suspicious use of WriteProcessMemory
      PID: 2388
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd4,0x114,0x7ff895f446f8,0x7ff895f44708,0x7ff895f44718
        PID: 4156
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:8
        PID: 2308
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        PID: 4068
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        PID: 4524
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
        PID: 1656
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
        PID: 2972
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5424 /prefetch:8
        PID: 4860
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
        PID: 4764
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
        PID: 4960
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5828 /prefetch:8
        PID: 1564
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
        PID: 908
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
        PID: 3656
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        PID: 404
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 /prefetch:8
        PID: 636
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5252 /prefetch:8
        PID: 1924
-
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15731132221300918199,57167659707345021,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2568 /prefetch:2
        PID: 4268
-
  [depth 2] C:\Users\Admin\AppData\Local\Temp\build.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2696
-
[depth 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1200
-
[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6ffb25460,0x7ff6ffb25470,0x7ff6ffb25480
  PID: 3972
-
[depth 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
  PID: 2544
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HB.exe
Filesize: 2.8MB
MD5: 3f9dd912d6f833970e34e99ac80ae8f0
SHA1: 38cbef846a4d67728c1e90ae91ffb7eb6d4d9442
SHA256: 9595db47c8f460cdd27b9a4c1b1ac68acdda489ccf867d9495883519950d3ef6
SHA512: cfdf38bdaacaf396f6e76792f956305da1d5a48b50ae7d4f1113a72ab957e61b320360dbde208613e651ad5f1ea900b6a3140440a6a59e7f11117647954ba938
-
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize: 100KB
MD5: 129bbd25c68f6dfd3cd3ea812314e848
SHA1: 5230aad2e3839fbd196d2ac4f7ff2201c38a5d7a
SHA256: f844fbb742d6fbc2081c7c3e32f4bae2e6b4bdb6224bbe8a34908a111f86542e
SHA512: f01b1ba6b925a6945a9f7d0437afaf31b713474ad70257f9415a83753e92d93ac61832e7b52ff6876c1969402b8601fde0cc5f428efe28ea53155f171e2d4973
-
\??\pipe\LOCAL\crashpad_2388_CNOYEIQKFWCTEZGZ
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of zero-length input: the entry is the crashpad named pipe of the Edge process with PID 2388, not a dropped file, and the hashes are not usable as indicators.)
-
memory/404-165-0x0000000000000000-mapping.dmp
-
memory/636-167-0x0000000000000000-mapping.dmp
-
memory/908-164-0x0000000000000000-mapping.dmp
-
memory/1564-160-0x0000000000000000-mapping.dmp
-
memory/1656-149-0x0000000000000000-mapping.dmp
-
memory/1924-169-0x0000000000000000-mapping.dmp
-
memory/2308-146-0x0000000000000000-mapping.dmp
-
memory/2388-139-0x0000000000000000-mapping.dmp
-
memory/2696-137-0x00007FF89A910000-0x00007FF89B3D1000-memory.dmp (Filesize 10.8MB)
-
memory/2696-130-0x0000000000000000-mapping.dmp
-
memory/2696-141-0x000002013AF70000-0x000002013AF7A000-memory.dmp (Filesize 40KB)
-
memory/2696-154-0x000002013BD30000-0x000002013BEF2000-memory.dmp (Filesize 1.8MB)
-
memory/2696-133-0x000002011FAC0000-0x000002011FAE0000-memory.dmp (Filesize 128KB)
-
memory/2696-161-0x000002013C430000-0x000002013C958000-memory.dmp (Filesize 5.2MB)
-
memory/2696-162-0x000002013BB60000-0x000002013BB72000-memory.dmp (Filesize 72KB)
-
memory/2972-151-0x0000000000000000-mapping.dmp
-
memory/3472-134-0x0000000000000000-mapping.dmp
-
memory/3472-138-0x00000000024B0000-0x00000000025BD000-memory.dmp (Filesize 1.1MB)
-
memory/3972-166-0x0000000000000000-mapping.dmp
-
memory/4068-144-0x0000000000000000-mapping.dmp
-
memory/4156-140-0x0000000000000000-mapping.dmp
-
memory/4268-170-0x0000000000000000-mapping.dmp
-
memory/4524-143-0x0000000000000000-mapping.dmp
-
memory/4764-158-0x0000000000000000-mapping.dmp
-
memory/4860-153-0x0000000000000000-mapping.dmp
-
memory/4960-156-0x0000000000000000-mapping.dmp