Analysis
- max time kernel: 0s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 05/01/2024, 10:44
Behavioral tasks
- behavioral1: sample Loader/Loader.exe, resource win7-20231215-en
- behavioral2: sample Loader/Loader.exe, resource win10v2004-20231215-en
- behavioral3: sample Loader/etc/luIelD.dll, resource win7-20231215-en
- behavioral4: sample Loader/etc/luIelD.dll, resource win10v2004-20231215-en
- behavioral5: sample Loader/php5ts.dll, resource win7-20231215-en
- behavioral6: sample Loader/php5ts.dll, resource win10v2004-20231215-en
General
- Target: Loader/Loader.exe
- Size: 3.1MB
- MD5: 101e969cb9e549d113836856f526d4b5
- SHA1: 9361431a7d69e92e20f163f10fc5a3b40c27bd0a
- SHA256: 8cf069c7b965893d12c9df25b24a60594693a158b8209d21f5d7213fc5ed41eb
- SHA512: 01f858a4c9b329f8696880fbff6b886cfae6e793afb448f79734cb7ea149baeaa3deaeec0bf62a34bfed5f634331ac4d6be7fee971588cba8921d7c41761ba00
- SSDEEP: 49152:XpFctP0vfTi05cfHQDVaztRT5hvEy87QS6J:XpFWPOCQQd2QSm
Malware Config
Signatures
- Poullight Stealer payload (5 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2424-16-0x0000000000D70000-0x0000000000D90000-memory.dmp: family_poullight
  - behavioral1/memory/1680-15-0x0000000000400000-0x0000000000720000-memory.dmp: family_poullight
  - behavioral1/files/0x000b00000001224e-7.dat: family_poullight
  - behavioral1/files/0x000b00000001224e-3.dat: family_poullight
  - behavioral1/files/0x000b00000001224e-2.dat: family_poullight
- Executes dropped EXE (1 IoC)
  pid / Process:
  - 2424 build.exe
- Loads dropped DLL (2 IoCs)
  pid / Process:
  - 1680 Loader.exe
  - 1680 Loader.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / Process / procid_target:
  - PID 1680 wrote to memory of 2424 / 1680 / Loader.exe / 16
  - PID 1680 wrote to memory of 2424 / 1680 / Loader.exe / 16
  - PID 1680 wrote to memory of 2424 / 1680 / Loader.exe / 16
  - PID 1680 wrote to memory of 2424 / 1680 / Loader.exe / 16
Processes
- C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe "C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe" (level 1, PID:1680)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Loader.exe "C:\Users\Admin\AppData\Local\Temp\Loader.exe" (level 2, PID:2756)
  - C:\Users\Admin\AppData\Local\Temp\build.exe "C:\Users\Admin\AppData\Local\Temp\build.exe" (level 2, PID:2424)
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 100KB
  - MD5: 2b2cda144cda7dd36685a589ccd1b5df
  - SHA1: fc775128f9285e8cd13af2edfc4fcf4f96e5b7bc
  - SHA256: 41e659e385de92f57df98c0740daeda0162e02414e3bfa82d0f3d3e31bdfe961
  - SHA512: c362bc2e2d9f07c85c4901b07eb8fa133796708c3afe05fb0a984d95bed3cc283710c203a95360d04fd42cd82c7b4011102335337a6b25171e0d296d61c7df8a
- File 2
  - Filesize: 92KB
  - MD5: c65fd5f725c22f5db8d78eb1e21998f4
  - SHA1: 285df78e9c88d3bdff80210500097083333b977d
  - SHA256: 0e748a7d0762418df2ba9d5344a9e79a4f812326c608921d2b0a0c0995c74a8b
  - SHA512: 33c1bf86133b18ccbbd829383fdcb0fadf9c277d8c5e29da352dd9b069305a419f72e03b0e6a1639df534759dffdac0b2b2d35080209fd23790b8bca27d51274