Analysis

- max time kernel: 59s
- max time network: 160s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-05-2022 00:25

Static task: static1
Behavioral task: behavioral1
Sample: ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
Resource: win7-20220414-en
General

- Target: ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
- Size: 5.2MB
- MD5: 9f67824dedc0e11e50cddb66e307895e
- SHA1: dd25ef4977585f1eea01a26604bd92c3fc82a49d
- SHA256: ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479
- SHA512: 6631e0b9cfb5f8f4f1f191462c80eb78b32ac897ec228dcf37ded2d7364aca4f54e6f891bf9c9e1a6d1a1f5fc8fdf64853ead5dd8222f141e436b95063062857
Malware Config
Signatures
- Poullight Stealer Payload (5 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\build.exe | family_poullight
  C:\Users\Admin\AppData\Local\Temp\build.exe | family_poullight
  C:\Users\Admin\AppData\Local\Temp\build.exe | family_poullight
  \Users\Admin\AppData\Local\Temp\build.exe | family_poullight
  behavioral1/memory/1116-65-0x0000000000B10000-0x0000000000B2E000-memory.dmp | family_poullight
- suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
- suricata: ET MALWARE Win32/X-Files Stealer Activity
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  1768 | LITEJY_v0.8.0_3.exe
  1116 | build.exe
- Loads dropped DLL (4 IoCs)
  Processes:
  pid | process
  1356 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
  1356 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
  1356 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
  1356 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid | process
  1768 | LITEJY_v0.8.0_3.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  1768 | LITEJY_v0.8.0_3.exe
  1116 | build.exe
  1116 | build.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1116 | build.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  pid | process
  1768 | LITEJY_v0.8.0_3.exe
  1768 | LITEJY_v0.8.0_3.exe
  1768 | LITEJY_v0.8.0_3.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
  pid | process
  1768 | LITEJY_v0.8.0_3.exe
  1768 | LITEJY_v0.8.0_3.exe
  1768 | LITEJY_v0.8.0_3.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid | process
  1768 | LITEJY_v0.8.0_3.exe
  1768 | LITEJY_v0.8.0_3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1356 wrote to memory of 1768 | 1356 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | LITEJY_v0.8.0_3.exe
  PID 1356 wrote to memory of 1768 | 1356 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | LITEJY_v0.8.0_3.exe
  PID 1356 wrote to memory of 1768 | 1356 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | LITEJY_v0.8.0_3.exe
  PID 1356 wrote to memory of 1768 | 1356 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | LITEJY_v0.8.0_3.exe
  PID 1356 wrote to memory of 1116 | 1356 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | build.exe
  PID 1356 wrote to memory of 1116 | 1356 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | build.exe
  PID 1356 wrote to memory of 1116 | 1356 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | build.exe
  PID 1356 wrote to memory of 1116 | 1356 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | build.exe
  PID 1768 wrote to memory of 820 | 1768 | LITEJY_v0.8.0_3.exe | cacls.exe
  PID 1768 wrote to memory of 820 | 1768 | LITEJY_v0.8.0_3.exe | cacls.exe
  PID 1768 wrote to memory of 820 | 1768 | LITEJY_v0.8.0_3.exe | cacls.exe
  PID 1768 wrote to memory of 820 | 1768 | LITEJY_v0.8.0_3.exe | cacls.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe (level 1, PID 1356)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\build.exe (level 2, PID 1116)
    Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe (level 2, PID 1768)
    Command line: "C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cacls.exe (level 3, PID 820)
      Command line: cacls C:\Windows\Prefetch /e /t /p everyone:N
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe
  Filesize: 4.4MB
  MD5: e8ac146573780159921b1d49912c5f92
  SHA1: 0c4dff8234382f36fb9369a91d8496dc73bb42a0
  SHA256: b0120d63f54451b62e90c9dc75c9f97ad047c66ccc2e139e82f7be952afc01bb
  SHA512: 88014e5ef37e89e87b2bf1bb762d15b4de67d4f8ff992cda18f0d5fd7ee6ee6ea681eec56aa9ba7ac8fb8eb1b7a688bb35e5fcc716f7cae687db9204100c76b1
- C:\Users\Admin\AppData\Local\Temp\build.exe
  Filesize: 97KB
  MD5: a92fca033f40c9bc9c1ec15947b4913a
  SHA1: 5cd773bf1ec3889ff4f20788557e9cf924c2206b
  SHA256: 7dae0337f42016a1c762e61f734a67b720022ecbccd261a532bc5728559a9a59
  SHA512: 2cdb5df5c14f1669f3181ec23b497a7bdad57bbe129842c962d9a504a37bfac453f18c277e2a4a2cc4d7ecbb36af8c105666afae6323a0e173b975065c506d7d
- \Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe
  Filesize: 5.1MB
  MD5: 3fce64777b22faba14eb427c11e10ec7
  SHA1: d775de9ed48e15e26ec5e39f3d8adddc47c0aeb3
  SHA256: f35de13d972c6a06c91e0a3241d539e94e7399b8307cfe11a50686a7616ac422
  SHA512: 96a03a076fa5b689586e7160c1bb6a82a649d060526610b01be172f0b21388d120f3ae0bdd09e2ab61cc0adb8bcb9fc43d6aa6c15307607eb9945ebaa0a153cc
- \Users\Admin\AppData\Local\Temp\build.exe
  Filesize: 97KB
  MD5: a92fca033f40c9bc9c1ec15947b4913a
  SHA1: 5cd773bf1ec3889ff4f20788557e9cf924c2206b
  SHA256: 7dae0337f42016a1c762e61f734a67b720022ecbccd261a532bc5728559a9a59
  SHA512: 2cdb5df5c14f1669f3181ec23b497a7bdad57bbe129842c962d9a504a37bfac453f18c277e2a4a2cc4d7ecbb36af8c105666afae6323a0e173b975065c506d7d
- memory/820-70-0x0000000000000000-mapping.dmp
- memory/1116-62-0x0000000000000000-mapping.dmp
- memory/1116-65-0x0000000000B10000-0x0000000000B2E000-memory.dmp
  Filesize: 120KB
- memory/1356-54-0x0000000075361000-0x0000000075363000-memory.dmp
  Filesize: 8KB
- memory/1768-57-0x0000000000000000-mapping.dmp
- memory/1768-66-0x0000000000400000-0x0000000000F9F000-memory.dmp
  Filesize: 11.6MB
- memory/1768-69-0x0000000000400000-0x0000000000F9F000-memory.dmp
  Filesize: 11.6MB