Analysis
-
max time kernel
149s -
max time network
182s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system -
submitted
29-01-2023 15:59
Static task
static1
Behavioral task
behavioral1
Sample
68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe
Resource
win7-20221111-en
General
-
Target
68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe
-
Size
520KB
-
MD5
5ba7d69bea5783cb7b6161fe55edfb02
-
SHA1
c443a1c1d861b436c2542f60746e2ce9e673b7f0
-
SHA256
68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a
-
SHA512
a7a845353729ab178a2cbe52f980d14e4a00985225cc5de8f87a9efca17e89c86af63adb3764bb0089aa051e1b9e07ac31a69117c7a3d24e5eb1b2c121057652
-
SSDEEP
12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbmbxbNUO+X1Y/eBHCqiQWAEd:U2G/nvxW3Ww0tmbXUHXHiw
Malware Config
Signatures
-
Poullight Stealer payload 8 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe | family_poullight
\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe | family_poullight
\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe | family_poullight
\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe | family_poullight
\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe | family_poullight
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe | family_poullight
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe | family_poullight
behavioral1/memory/1920-70-0x0000000000CD0000-0x0000000000CF0000-memory.dmp | family_poullight
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
516 | Stealer.sfx.exe
1920 | Stealer.exe
-
Loads dropped DLL 6 IoCs
Processes:
pid | process
952 | cmd.exe
516 | Stealer.sfx.exe
516 | Stealer.sfx.exe
516 | Stealer.sfx.exe
516 | Stealer.sfx.exe
516 | Stealer.sfx.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
1920 | Stealer.exe
1920 | Stealer.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1920 | Stealer.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1712 wrote to memory of 952 | 1712 | 68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe | cmd.exe
PID 1712 wrote to memory of 952 | 1712 | 68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe | cmd.exe
PID 1712 wrote to memory of 952 | 1712 | 68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe | cmd.exe
PID 1712 wrote to memory of 952 | 1712 | 68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe | cmd.exe
PID 952 wrote to memory of 516 | 952 | cmd.exe | Stealer.sfx.exe
PID 952 wrote to memory of 516 | 952 | cmd.exe | Stealer.sfx.exe
PID 952 wrote to memory of 516 | 952 | cmd.exe | Stealer.sfx.exe
PID 952 wrote to memory of 516 | 952 | cmd.exe | Stealer.sfx.exe
PID 516 wrote to memory of 1920 | 516 | Stealer.sfx.exe | Stealer.exe
PID 516 wrote to memory of 1920 | 516 | Stealer.sfx.exe | Stealer.exe
PID 516 wrote to memory of 1920 | 516 | Stealer.sfx.exe | Stealer.exe
PID 516 wrote to memory of 1920 | 516 | Stealer.sfx.exe | Stealer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\68e275d3c9a9ed2cb994b9e1600e50b0971c28f609f198bf7f2764cad0518e5a.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 2)
command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Stealer.sfx.exe (level 3)
command line: Stealer.sfx.exe -p123 -dC:\Users\Admin\AppData\Local\Temp
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe (level 4)
command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Stealer.sfx.exe
Filesize 353KB
MD5 c95fb0b77377c86900271823d1ab5fb3
SHA1 94e8bb91a3556e475d0bcca83008f78bec04d16c
SHA256 1517919c4b3eaf5c1f15a764239cebaf030dff6762a488e48cad89914554aa64
SHA512 7290e825f91cafc82097d38a04dcee720a01851280a776cf8a6259f03d347692090f76f9fc81a67d099d897c2c4c19edf084c385321d0913d431114d956a895f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat
Filesize 30B
MD5 b63b38224c3907ee3df33fe2b5e6243a
SHA1 41a656aed88e0e659a12bd9fa2bc24ad3d8a617f
SHA256 c7e9ae03a742323eb9aabef9ef86656106b479f3af10aa3ed1092044f5ffb6a2
SHA512 ae8a0fe5496241e764d36b1e409f3c3432866b901f5d1e86e13e80ee279488d885702ae48066a4a2fc77f298f8e5cb43e1106dec33a77fd22b06e6c149bdba4f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe
Filesize 100KB
MD5 bdc4abb8012df11d440f7864153c7f82
SHA1 d1429a0bc97196edbac2a2beb40fc6c8270a0298
SHA256 6865a25b4b98840bbc46fec0505348bb105a61f87bc203a04751490cc1109d03
SHA512 7ce2255b0e9816b8fecba8bd120d8c9c870cb073473757845db9a254aca50c47223e3a11421b3d7b1435b7aa9c3bce8941c6a03a41210e19da32706e99aba889
-
\Users\Admin\AppData\Local\Temp\RarSFX0\Stealer.sfx.exe
Filesize 353KB
MD5 c95fb0b77377c86900271823d1ab5fb3
SHA1 94e8bb91a3556e475d0bcca83008f78bec04d16c
SHA256 1517919c4b3eaf5c1f15a764239cebaf030dff6762a488e48cad89914554aa64
SHA512 7290e825f91cafc82097d38a04dcee720a01851280a776cf8a6259f03d347692090f76f9fc81a67d099d897c2c4c19edf084c385321d0913d431114d956a895f
-
\Users\Admin\AppData\Local\Temp\RarSFX1\Stealer.exe
Filesize 100KB
MD5 bdc4abb8012df11d440f7864153c7f82
SHA1 d1429a0bc97196edbac2a2beb40fc6c8270a0298
SHA256 6865a25b4b98840bbc46fec0505348bb105a61f87bc203a04751490cc1109d03
SHA512 7ce2255b0e9816b8fecba8bd120d8c9c870cb073473757845db9a254aca50c47223e3a11421b3d7b1435b7aa9c3bce8941c6a03a41210e19da32706e99aba889
-
memory/516-59-0x0000000000000000-mapping.dmp
-
memory/952-55-0x0000000000000000-mapping.dmp
-
memory/1712-54-0x0000000075551000-0x0000000075553000-memory.dmp
Filesize 8KB
-
memory/1920-67-0x0000000000000000-mapping.dmp
-
memory/1920-70-0x0000000000CD0000-0x0000000000CF0000-memory.dmp
Filesize 128KB