Analysis
max time kernel: 142s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-05-2022 00:25
Static task: static1
Behavioral task: behavioral1
Sample: ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
Resource: win7-20220414-en
General
Target: ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
Size: 5.2MB
MD5: 9f67824dedc0e11e50cddb66e307895e
SHA1: dd25ef4977585f1eea01a26604bd92c3fc82a49d
SHA256: ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479
SHA512: 6631e0b9cfb5f8f4f1f191462c80eb78b32ac897ec228dcf37ded2d7364aca4f54e6f891bf9c9e1a6d1a1f5fc8fdf64853ead5dd8222f141e436b95063062857
Malware Config
Signatures
Poullight Stealer Payload 3 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\build.exe | family_poullight
  C:\Users\Admin\AppData\Local\Temp\build.exe | family_poullight
  behavioral2/memory/4652-136-0x000002B5BC170000-0x000002B5BC18E000-memory.dmp | family_poullight
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Win32/X-Files Stealer Activity
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  3176 | LITEJY_v0.8.0_3.exe
  4652 | build.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid | process
  3176 | LITEJY_v0.8.0_3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid | process
  3176 | LITEJY_v0.8.0_3.exe
  3176 | LITEJY_v0.8.0_3.exe
  4652 | build.exe
  4652 | build.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4652 | build.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
  pid | process
  3176 | LITEJY_v0.8.0_3.exe
  3176 | LITEJY_v0.8.0_3.exe
  3176 | LITEJY_v0.8.0_3.exe
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
  pid | process
  3176 | LITEJY_v0.8.0_3.exe
  3176 | LITEJY_v0.8.0_3.exe
  3176 | LITEJY_v0.8.0_3.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid | process
  3176 | LITEJY_v0.8.0_3.exe
  3176 | LITEJY_v0.8.0_3.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  description | pid | process | target process
  PID 4632 wrote to memory of 3176 | 4632 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | LITEJY_v0.8.0_3.exe
  PID 4632 wrote to memory of 3176 | 4632 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | LITEJY_v0.8.0_3.exe
  PID 4632 wrote to memory of 3176 | 4632 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | LITEJY_v0.8.0_3.exe
  PID 4632 wrote to memory of 4652 | 4632 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | build.exe
  PID 4632 wrote to memory of 4652 | 4632 | ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe | build.exe
  PID 3176 wrote to memory of 4708 | 3176 | LITEJY_v0.8.0_3.exe | cacls.exe
  PID 3176 wrote to memory of 4708 | 3176 | LITEJY_v0.8.0_3.exe | cacls.exe
  PID 3176 wrote to memory of 4708 | 3176 | LITEJY_v0.8.0_3.exe | cacls.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ec77d58c6a989738074bd03e0cdb714044579ba64543d55ef07adbc4da80f479.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cacls.exe (depth 3)
      command line: cacls C:\Windows\Prefetch /e /t /p everyone:N
  C:\Users\Admin\AppData\Local\Temp\build.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\LITEJY_v0.8.0_3.exe
  Filesize: 5.1MB
  MD5: 3fce64777b22faba14eb427c11e10ec7
  SHA1: d775de9ed48e15e26ec5e39f3d8adddc47c0aeb3
  SHA256: f35de13d972c6a06c91e0a3241d539e94e7399b8307cfe11a50686a7616ac422
  SHA512: 96a03a076fa5b689586e7160c1bb6a82a649d060526610b01be172f0b21388d120f3ae0bdd09e2ab61cc0adb8bcb9fc43d6aa6c15307607eb9945ebaa0a153cc
C:\Users\Admin\AppData\Local\Temp\build.exe
  Filesize: 97KB
  MD5: a92fca033f40c9bc9c1ec15947b4913a
  SHA1: 5cd773bf1ec3889ff4f20788557e9cf924c2206b
  SHA256: 7dae0337f42016a1c762e61f734a67b720022ecbccd261a532bc5728559a9a59
  SHA512: 2cdb5df5c14f1669f3181ec23b497a7bdad57bbe129842c962d9a504a37bfac453f18c277e2a4a2cc4d7ecbb36af8c105666afae6323a0e173b975065c506d7d
memory/3176-130-0x0000000000000000-mapping.dmp
memory/3176-137-0x0000000000400000-0x0000000000F9F000-memory.dmp (Filesize: 11.6MB)
memory/4652-136-0x000002B5BC170000-0x000002B5BC18E000-memory.dmp (Filesize: 120KB)
memory/4652-133-0x0000000000000000-mapping.dmp
memory/4652-138-0x00007FFD891E0000-0x00007FFD89CA1000-memory.dmp (Filesize: 10.8MB)
memory/4652-142-0x000002B5BDCF0000-0x000002B5BDCFA000-memory.dmp (Filesize: 40KB)
memory/4652-143-0x000002B5D8370000-0x000002B5D8532000-memory.dmp (Filesize: 1.8MB)
memory/4652-144-0x000002B5D8A70000-0x000002B5D8F98000-memory.dmp (Filesize: 5.2MB)
memory/4652-145-0x000002B5D75B0000-0x000002B5D75C2000-memory.dmp (Filesize: 72KB)
memory/4708-141-0x0000000000000000-mapping.dmp