Overview
overview
3Static
static
1PokeStars-...47.dll
windows7-x64
3PokeStars-...47.dll
windows10-2004-x64
1PokeStars-...GL.dll
windows7-x64
1PokeStars-...GL.dll
windows10-2004-x64
1PokeStars-...v2.dll
windows7-x64
3PokeStars-...v2.dll
windows10-2004-x64
3PokeStars-....9.dll
windows7-x64
3PokeStars-....9.dll
windows10-2004-x64
3PokeStars-...on.dll
windows7-x64
3PokeStars-...on.dll
windows10-2004-x64
3PokeStars-...rs.dll
windows7-x64
1PokeStars-...rs.dll
windows10-2004-x64
1PokeStars-...on.exe
windows7-x64
1PokeStars-...on.exe
windows10-2004-x64
1PokeStars-...nw.exe
windows7-x64
1PokeStars-...nw.exe
windows10-2004-x64
1PokeStars-...ay.vbs
windows7-x64
1PokeStars-...ay.vbs
windows10-2004-x64
1PokeStars-...nc.exe
windows7-x64
1PokeStars-...nc.exe
windows10-2004-x64
1PokeStars-...ke.exe
windows7-x64
1PokeStars-...ke.exe
windows10-2004-x64
1PokeStars-...__.pyc
windows7-x64
3PokeStars-...__.pyc
windows10-2004-x64
3PokeStars-...le.pyc
windows7-x64
3PokeStars-...le.pyc
windows10-2004-x64
3PokeStars-...ss.pyc
windows7-x64
3PokeStars-...ss.pyc
windows10-2004-x64
3PokeStars-...bc.pyc
windows7-x64
3PokeStars-...bc.pyc
windows10-2004-x64
3PokeStars-...le.pyc
windows7-x64
3PokeStars-...le.pyc
windows10-2004-x64
3Analysis
-
max time kernel
191s -
max time network
80s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
15/04/2023, 22:22
Static task
static1
Behavioral task
behavioral1
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/d3dcompiler_47.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral2
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/d3dcompiler_47.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/libEGL.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral4
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/libEGL.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/libGLESv2.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral6
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/libGLESv2.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/libpython3.9.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral8
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/libpython3.9.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/librenpython.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral10
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/librenpython.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/nvdrs.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral12
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/nvdrs.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/python.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral14
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/python.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/pythonw.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral16
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/pythonw.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/say.vbs
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral18
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/say.vbs
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/zsync.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral20
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/zsync.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/zsyncmake.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral22
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/zsyncmake.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
PokeStars-0.0.1-pc/lib/python3.9/__future__.pyc
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral24
Sample
PokeStars-0.0.1-pc/lib/python3.9/__future__.pyc
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
PokeStars-0.0.1-pc/lib/python3.9/_bootlocale.pyc
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral26
Sample
PokeStars-0.0.1-pc/lib/python3.9/_bootlocale.pyc
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
PokeStars-0.0.1-pc/lib/python3.9/_bootsubprocess.pyc
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral28
Sample
PokeStars-0.0.1-pc/lib/python3.9/_bootsubprocess.pyc
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
PokeStars-0.0.1-pc/lib/python3.9/_collections_abc.pyc
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral30
Sample
PokeStars-0.0.1-pc/lib/python3.9/_collections_abc.pyc
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
PokeStars-0.0.1-pc/lib/python3.9/_compat_pickle.pyc
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral32
Sample
PokeStars-0.0.1-pc/lib/python3.9/_compat_pickle.pyc
Resource
win10v2004-20230220-en
windows10-2004-x64
General
-
Target
PokeStars-0.0.1-pc/lib/python3.9/__future__.pyc
-
Size
4KB
-
MD5
7601462b5b8ac8253d3df7e376b70497
-
SHA1
2c4972450b267ecda76b715df90025b97fec656a
-
SHA256
503225472b86ea58bea49743fe2a9a9ca3996c44a6adf41866c0f86a2f859344
-
SHA512
2d3c8c05b8e54f25dc779249f031e2ca2ecd0137dd1f8aa444f4bc8bf43fff248ce50c316c91e81ac8bb88bc5c173083e0f059a914112ccaa0d87adf28f8bfc0
-
SSDEEP
96:hg1NzUuGd+P2sKNwWKD2j82xnCg8Q/Ks/qN+Bj0ui:k4BRdKD1YCM/KsSN+Bj0ui
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\pyc_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\pyc_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\pyc_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.pyc rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1748 AcroRd32.exe 1748 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1696 wrote to memory of 1520 1696 cmd.exe 29 PID 1696 wrote to memory of 1520 1696 cmd.exe 29 PID 1696 wrote to memory of 1520 1696 cmd.exe 29 PID 1520 wrote to memory of 1748 1520 rundll32.exe 31 PID 1520 wrote to memory of 1748 1520 rundll32.exe 31 PID 1520 wrote to memory of 1748 1520 rundll32.exe 31 PID 1520 wrote to memory of 1748 1520 rundll32.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\PokeStars-0.0.1-pc\lib\python3.9\__future__.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PokeStars-0.0.1-pc\lib\python3.9\__future__.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PokeStars-0.0.1-pc\lib\python3.9\__future__.pyc"3⤵
- Suspicious use of SetWindowsHookEx
PID:1748
-
-