Analysis
-
max time kernel
36s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24-05-2022 14:40
Static task
static1
Behavioral task
behavioral1
Sample
d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe
Resource
win10v2004-20220414-en
General
-
Target
d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe
-
Size
1.1MB
-
MD5
ac3c74a419d6c61c9f18aec6da2e7000
-
SHA1
2a3f031f0922cd78d3796b680f3112e36ac7da6c
-
SHA256
d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db
-
SHA512
54b7cac2bfbef5a6f7ba01e7d9b3754d8adcc1a3ff99a121e5848ebcab7601863c0f7e2f5b97d1493f0808c576ebcab205ae8dd1539acb98c43e2e0d3c04a08e
Malware Config
Signatures
-
Poullight Stealer Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1004-55-0x0000000000A30000-0x0000000000DB4000-memory.dmp family_poullight -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exepid process 1004 d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe 1004 d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe 1004 d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 684 1004 WerFault.exe d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exepid process 1004 d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe 1004 d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exedescription pid process Token: SeDebugPrivilege 1004 d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exepid process 1004 d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exedescription pid process target process PID 1004 wrote to memory of 684 1004 d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe WerFault.exe PID 1004 wrote to memory of 684 1004 d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe WerFault.exe PID 1004 wrote to memory of 684 1004 d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe WerFault.exe PID 1004 wrote to memory of 684 1004 d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe"C:\Users\Admin\AppData\Local\Temp\d67160c55ef2a362bb4d2d6a4b625ba9e70faba676b2f0e8c6fb67bf3c69c8db.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 14842⤵
- Program crash
PID:684