8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe
Size

6.4MB
MD5

5050f9bc5d4a4cec3d2c08ed24480a10
SHA1

c3edc7c64810ece5a5fd4b9bc082b1f4dac7bf7f
SHA256

8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f
SHA512

2f62f4cba6a76681a0ecbb9977120978369ccd8bd2089227d1c581e30c190441f50f5561307eea737a28f625092287c6a6a0eaa924421d8789a72197d83062e6
SSDEEP

98304:6qwBqwWpcCHgb9m429vfTbDJgAWdWikDIyx2yR1OcS/7yMimxwnpyYOF8:6qwBqw16I9evL9Zik0k20wGnOa

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

polaris.exepokafdw.exe

pid process

2844 polaris.exe
2688 pokafdw.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1388 cmd.exe

pid	process
2844	polaris.exe
2688	pokafdw.exe

pid	process
1388	cmd.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe	vmprotect
behavioral1/memory/2688-44-0x0000000000C80000-0x000000000158C000-memory.dmp	vmprotect
behavioral1/memory/2688-40-0x0000000000C80000-0x000000000158C000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

pokafdw.exe

pid process

2688 pokafdw.exe

pid	process
2688	pokafdw.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.execmd.exepolaris.exe

description	pid	process	target process
PID 3040 wrote to memory of 1388	3040	8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe	cmd.exe
PID 3040 wrote to memory of 1388	3040	8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe	cmd.exe
PID 3040 wrote to memory of 1388	3040	8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe	cmd.exe
PID 1388 wrote to memory of 2844	1388	cmd.exe	polaris.exe
PID 1388 wrote to memory of 2844	1388	cmd.exe	polaris.exe
PID 1388 wrote to memory of 2844	1388	cmd.exe	polaris.exe
PID 2844 wrote to memory of 2688	2844	polaris.exe	pokafdw.exe
PID 2844 wrote to memory of 2688	2844	polaris.exe	pokafdw.exe
PID 2844 wrote to memory of 2688	2844	polaris.exe	pokafdw.exe
PID 2844 wrote to memory of 2688	2844	polaris.exe	pokafdw.exe

C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe
"C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
polaris.exe -priverdD
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2688

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
38B

MD5
76ce3d5d5c3032cc9f78133af90b7ca7

SHA1
774907a1177135daf81ad950c2201510958cc52b

SHA256
7deb532bdc37e4ed59642407a94a479ad7b7c18b852c9237899bb1fa9e55febd

SHA512
fbc4c6fe065ed0000687130f6a173349ccd3fb68a6b5fa72c24cac90cbb53b82970961b60bee7bc1318682de70823aa054eff27010773b3c5b950ed084ba71de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
Filesize
5.5MB

MD5
5fd19293fa5acf9323ebc45b5df49b06

SHA1
6f0c22c0f40a1a4ac7abf31c7e3ba977bd3a133a

SHA256
659ad4fec79f03ac2f1c9fc81371a426cefd6abaef8edad4403a71f29088a261

SHA512
595e552e6202d7b22615eff1fecb35ad0fdf7506dd70dd3b708b7342b119a3f885bbdb0709785401a991b5de55cd4043c6398baa2a9b6a45ca390687e99aa697

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
Filesize
5.9MB

MD5
0f21f614bbd1768957b4ada1faf64885

SHA1
9e1fde36a3f615e783afec63be45a55453a14b89

SHA256
cda0db0d276a2a24745a5c9b23712e2c950f5dd5c103f1ab88b9f1bdbe5be501

SHA512
8df61c2aa68b1ffef973d60bfa46c1fb0566ddc64f84729e459bc5d587daeab2cdc0ab5a69db3bb57bad1b2067969db06a83d9066c71215a2bd7e1f416b7c0a7

Download Submit
memory/2688-35-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2688-37-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2688-44-0x0000000000C80000-0x000000000158C000-memory.dmp

Filesize
9.0MB

Download
memory/2688-43-0x0000000000CD3000-0x0000000001008000-memory.dmp

Filesize
3.2MB

Download
memory/2688-42-0x0000000000CD3000-0x0000000001008000-memory.dmp

Filesize
3.2MB

Download
memory/2688-40-0x0000000000C80000-0x000000000158C000-memory.dmp

Filesize
9.0MB

Download
memory/2688-39-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2688-45-0x0000000000C80000-0x000000000158C000-memory.dmp

Filesize
9.0MB

Download