Analysis

  • max time kernel: 150s
  • max time network: 143s
  • platform: windows7_x64
  • resource: win7v20210410
  • submitted: 07/05/2021, 08:55

General

  • Target: polas.exe
  • Size: 7.4MB
  • MD5: d15d3eb03c466f207dd401047da792bc
  • SHA1: cca4dd46f38bfc164a1840907a608fb657d471b0
  • SHA256: 6d0083394a549c135820010343353dcfa2929aeaa83f72a50ec60a7263f4ec90
  • SHA512: 432ff858e048358a323ed9dbbb533a2aad3648b521ffbc0e0d4cf5c02b5c65bd5b6e9f350736d65375a389efd36b4130fc1795a50f7d368a48d87afc50e7fdb4

Malware Config

Extracted

  • Family: redline
  • Botnet: @aBigF
  • C2: ydmau.xyz:80

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcus Main Payload (6 IoCs)
  • Panda Stealer Payload (1 IoC)
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload (3 IoCs)
  • Orcus Rat Executable (6 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (12 IoCs)
  • VMProtect packed file (14 IoCs)

    Detects executables packed with the VMProtect commercial packer.

  • Loads dropped DLL (12 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer (10 IoCs)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (59 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\polas.exe
    "C:\Users\Admin\AppData\Local\Temp\polas.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:480
    • C:\Users\Admin\AppData\Local\Temp\WintWare.exe
      "C:\Users\Admin\AppData\Local\Temp\WintWare.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Users\Admin\AppData\Roaming\1.v1mp.exe
        C:\Users\Admin\AppData\Roaming\1.v1mp.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vda8jauk.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:632
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DB6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2DB5.tmp"
            5⤵
              PID:1828
          • C:\Windows\SysWOW64\WindowsInput.exe
            "C:\Windows\SysWOW64\WindowsInput.exe" --install
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            PID:1636
          • C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe
            "C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1148
            • C:\Users\Admin\AppData\Roaming\System32.exe
              "C:\Users\Admin\AppData\Roaming\System32.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe" 1148 /protectFile
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1732
              • C:\Users\Admin\AppData\Roaming\System32.exe
                "C:\Users\Admin\AppData\Roaming\System32.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe" 1148 "/protectFile"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1988
        • C:\Users\Admin\AppData\Roaming\build.vmp.sfx.exe
          C:\Users\Admin\AppData\Roaming\build.vmp.sfx.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1800
          • C:\Users\Admin\AppData\Local\Temp\build.vmp.exe
            "C:\Users\Admin\AppData\Local\Temp\build.vmp.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1352
        • C:\Users\Admin\AppData\Roaming\Hack.exe
          C:\Users\Admin\AppData\Roaming\Hack.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Modifies system certificate store
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            4⤵
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1384
            • C:\Users\Admin\AppData\Roaming\build2.exe
              "C:\Users\Admin\AppData\Roaming\build2.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1808
              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
                dw20.exe -x -s 968
                6⤵
                • Suspicious behavior: GetForegroundWindowSpam
                PID:2000
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe"
      1⤵
      • Executes dropped EXE
      PID:1932
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {F87E10A2-F37D-4B6A-8940-6AE1D42ACBA9} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe
        C:\Users\Admin\AppData\Roaming\Java\javaUpdate.exe
        2⤵
        • Executes dropped EXE
        PID:1572

Network

MITRE ATT&CK Enterprise v6

Downloads