Analysis
  max time kernel:   112s
  max time network:  120s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240802-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         16/09/2024, 06:22
Behavioral task: behavioral1
  Sample:    Trojan.MSIL.Poullight.PA.exe
  Resource:  win7-20240903-en
General
  Target:  Trojan.MSIL.Poullight.PA.exe
  Size:    3.1MB
  MD5:     3be8fa0b38501cdb368c5cf5a0615880
  SHA1:    52083abf2794b5f6f8a429ef5bf5fa552896832f
  SHA256:  1d0c2228e4f710999bd97385b1595cd48bc9b79a837a01eff63efb470a1f92ba
  SHA512:  4d60b1c7d41f9a03147cf1d81640d9b6cd09078c9a8e1634006f505c95cf81a3f0a2f3f31b6c925fd9c90be6c733cac7a54cadf19b0dd0b63ea2b2d8a78ea5bd
  SSDEEP:  49152:eFnAp4kyST0QX9i41ZmCq6M+s8KuqGaX0ToIBAUZLYRXcYz7NWu22wS3BNM8:eFw7ySwQX9iC4n0JBAUZLuMYz1BN
Malware Config
Signatures

Detect Blackmoon payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x00070000000234c2-17.dat                                   family_blackmoon
  behavioral2/memory/1824-23-0x0000000000400000-0x000000000072B000-memory.dmp   family_blackmoon

Poullight Stealer payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x000a0000000234a7-4.dat                                    family_poullight
  behavioral2/memory/1256-12-0x0000025E61880000-0x0000025E618A0000-memory.dmp   family_poullight
  behavioral2/memory/1824-23-0x0000000000400000-0x000000000072B000-memory.dmp   family_poullight
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, the web browser credential store.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description        ioc                                                                                                      Process
  Key value queried  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation        Trojan.MSIL.Poullight.PA.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  1256  build.exe
  1112  SALIK.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SALIK.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Trojan.MSIL.Poullight.PA.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process     events
  3800  msedge.exe  2
  4224  msedge.exe  2
  1256  build.exe   3

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid   Process     events
  3800  msedge.exe  3

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1256  build.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process     events
  3800  msedge.exe  25

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process     events
  3800  msedge.exe  24

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process    events
  1112  SALIK.exe  4

Suspicious use of WriteProcessMemory (64 IoCs; repeated entries collapsed with an event count)
  description                       pid   Process                       procid_target  events
  PID 1824 wrote to memory of 1256  1824  Trojan.MSIL.Poullight.PA.exe  82             2
  PID 1824 wrote to memory of 1112  1824  Trojan.MSIL.Poullight.PA.exe  83             3
  PID 1112 wrote to memory of 3800  1112  SALIK.exe                     85             2
  PID 3800 wrote to memory of 4324  3800  msedge.exe                    86             2
  PID 3800 wrote to memory of 2680  3800  msedge.exe                    87             40
  PID 3800 wrote to memory of 4224  3800  msedge.exe                    88             2
  PID 3800 wrote to memory of 3684  3800  msedge.exe                    89             13
Processes (indentation shows the process tree level)

  [1] C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Poullight.PA.exe  (PID 1824)
      command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Poullight.PA.exe"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [2] C:\Users\Admin\AppData\Local\Temp\build.exe  (PID 1256)
          command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [2] C:\Users\Admin\AppData\Local\Temp\SALIK.exe  (PID 1112)
          command line: "C:\Users\Admin\AppData\Local\Temp\SALIK.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3800)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jq.qq.com/?_wv=1027&k=57Cts1S
              - Enumerates system info in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory

              [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4324)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa458946f8,0x7ffa45894708,0x7ffa45894718

              [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2680)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,11453865943558634247,4608636329143317184,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

              [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4224)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,11453865943558634247,4608636329143317184,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
                  - Suspicious behavior: EnumeratesProcesses

              [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3684)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,11453865943558634247,4608636329143317184,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8

              [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4188)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11453865943558634247,4608636329143317184,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1

              [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1540)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11453865943558634247,4608636329143317184,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1

              [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2944)
                  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11453865943558634247,4608636329143317184,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1

  [1] C:\Windows\System32\CompPkgSrv.exe  (PID 2504)
      command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

  [1] C:\Windows\System32\CompPkgSrv.exe  (PID 4540)
      command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
  Credential Access
    Credentials from Password Stores (1)
      Credentials from Web Browsers (1)
    Unsecured Credentials (1)
      Credentials In Files (1)
Downloads