Analysis

  • max time kernel
    161s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-06-2022 06:15

General

  • Target

    7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe

  • Size

    1.7MB

  • MD5

    912bf8fffa55f914faf6e91d91ea2906

  • SHA1

    7339f849ad085281d3c9cb02880b3d20095818e4

  • SHA256

    7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a

  • SHA512

    1f869fb1230f0b1ed201e1fb923143418dc840372d1e298645042efd814acc3b19b21ec431438b5e51ccb7647cff6617f335bd77cbfbd66479ba518123d1d27c

Malware Config

Signatures

  • Poullight

    Poullight is an information stealer first seen in March 2020.

  • Poullight Stealer Payload (8 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • Executes dropped EXE (2 IoCs)
  • UPX packed file (5 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys (2 TTPs, 1 IoC)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL (8 IoCs)
  • AutoIT Executable (1 IoC)

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings (1 TTP, 44 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe
    "C:\Users\Admin\AppData\Local\Temp\7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\build (1).exe
      "C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\build (1).exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1948
    • C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\ezesp-18-03.exe
      "C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\ezesp-18-03.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Color 2
        3⤵
          PID:1684
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://ezhack.ru/ezesp/hh.php
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:972

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • Virtualization/Sandbox Evasion (2) T1497
    • Modify Registry (1) T1112
  • Discovery
    • Query Registry (3) T1012
    • Virtualization/Sandbox Evasion (2) T1497
    • System Information Discovery (2) T1082

Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      308336e7f515478969b24c13ded11ede

      SHA1

      8fb0cf42b77dbbef224a1e5fc38abc2486320775

      SHA256

      889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

      SHA512

      61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f0db34de24b80e51597a05e91045dc9d

      SHA1

      1f431c448b371ab9b4e7f7f2366e4e44be209323

      SHA256

      f19af89be19a4e24da6e23770a2402fd165edd38a3f28dfcbc38f7acba7fa294

      SHA512

      295f1ed8526ef0e035fe9c1deb40a1717cf27b6c5b4593dd4ca6731233e1d713a670397de6fd787ba7b70f0217564b9216d11d6b95e01a588aa1aadbfe74baa2

    • C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\build (1).exe
      Filesize

      93KB

      MD5

      06ee4201dd3a67cc0aeffc537becf178

      SHA1

      a8bc53e5d09c14434a2daf76196d890e745159f3

      SHA256

      5c74103d23555cf06f33a76ff28dfb75bcf9125eb87495d34ccd968e8a9e0f1d

      SHA512

      9c8ced2db82accf8bb6dbd72b1cfb06eb815281e92f90000f10ccd84fbe637e1af6ae5ef016fc760825ae7c1def3a04dc9b47a235aa2a66580c3a05d59611713

    • C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\ezesp-18-03.exe
      Filesize

      11KB

      MD5

      71dfbe5c5dfcf6bff76bbaec9e414290

      SHA1

      9f6feda83bb6c1844e13e2465314158929b9e84d

      SHA256

      fa15195943f163f4fb42f162c2896525c675f075d7053d079e47d2402e0d2eed

      SHA512

      b5d96ee90cf0eea57a93ab686b8f791213f2020b911a00e6b69e3549a969f4305a374a1051fddc929f2ba4bbdb1bfa669c53a5b305b01e7e7c3b5f4ec3745b34

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Z8JJM89S.txt
      Filesize

      602B

      MD5

      d19076cbff6d7e9e9a406c85618467e7

      SHA1

      27ea96834c8d60bad42446932fa904bebbfd9f7d

      SHA256

      e433344b3bb8f79cc1e5c37c6d86c29423145323a7dd82b8862b0a1bcd5f050e

      SHA512

      3c19a21abd7e1e4a939d5a81ac9c8421092f43d422275121de2e9f8a136d550ee9288f19a28209eab1eb1734327ed97450f9931c111cede084adbd4dae402c99

    • \Users\Admin\AppData\Roaming\GMsbdXV5TyL\build (1).exe
      Filesize

      93KB

      MD5

      06ee4201dd3a67cc0aeffc537becf178

      SHA1

      a8bc53e5d09c14434a2daf76196d890e745159f3

      SHA256

      5c74103d23555cf06f33a76ff28dfb75bcf9125eb87495d34ccd968e8a9e0f1d

      SHA512

      9c8ced2db82accf8bb6dbd72b1cfb06eb815281e92f90000f10ccd84fbe637e1af6ae5ef016fc760825ae7c1def3a04dc9b47a235aa2a66580c3a05d59611713

    • \Users\Admin\AppData\Roaming\GMsbdXV5TyL\ezesp-18-03.exe
      Filesize

      11KB

      MD5

      71dfbe5c5dfcf6bff76bbaec9e414290

      SHA1

      9f6feda83bb6c1844e13e2465314158929b9e84d

      SHA256

      fa15195943f163f4fb42f162c2896525c675f075d7053d079e47d2402e0d2eed

      SHA512

      b5d96ee90cf0eea57a93ab686b8f791213f2020b911a00e6b69e3549a969f4305a374a1051fddc929f2ba4bbdb1bfa669c53a5b305b01e7e7c3b5f4ec3745b34

    • memory/288-69-0x0000000000990000-0x0000000000DF9000-memory.dmp
      Filesize

      4.4MB

    • memory/288-70-0x0000000077910000-0x0000000077A90000-memory.dmp
      Filesize

      1.5MB

    • memory/288-54-0x0000000000990000-0x0000000000DF9000-memory.dmp
      Filesize

      4.4MB

    • memory/288-55-0x0000000075391000-0x0000000075393000-memory.dmp
      Filesize

      8KB

    • memory/1660-67-0x0000000000000000-mapping.dmp
    • memory/1660-73-0x00000000009F0000-0x00000000009FD000-memory.dmp
      Filesize

      52KB

    • memory/1684-72-0x0000000000000000-mapping.dmp
    • memory/1948-74-0x0000000000E30000-0x0000000000E4E000-memory.dmp
      Filesize

      120KB

    • memory/1948-61-0x0000000000000000-mapping.dmp