Overview
overview
3Static
static
1PokeStars-...47.dll
windows7-x64
3PokeStars-...47.dll
windows10-2004-x64
1PokeStars-...GL.dll
windows7-x64
1PokeStars-...GL.dll
windows10-2004-x64
1PokeStars-...v2.dll
windows7-x64
3PokeStars-...v2.dll
windows10-2004-x64
3PokeStars-....9.dll
windows7-x64
3PokeStars-....9.dll
windows10-2004-x64
3PokeStars-...on.dll
windows7-x64
3PokeStars-...on.dll
windows10-2004-x64
3PokeStars-...rs.dll
windows7-x64
1PokeStars-...rs.dll
windows10-2004-x64
1PokeStars-...on.exe
windows7-x64
1PokeStars-...on.exe
windows10-2004-x64
1PokeStars-...nw.exe
windows7-x64
1PokeStars-...nw.exe
windows10-2004-x64
1PokeStars-...ay.vbs
windows7-x64
1PokeStars-...ay.vbs
windows10-2004-x64
1PokeStars-...nc.exe
windows7-x64
1PokeStars-...nc.exe
windows10-2004-x64
1PokeStars-...ke.exe
windows7-x64
1PokeStars-...ke.exe
windows10-2004-x64
1PokeStars-...__.pyc
windows7-x64
3PokeStars-...__.pyc
windows10-2004-x64
3PokeStars-...le.pyc
windows7-x64
3PokeStars-...le.pyc
windows10-2004-x64
3PokeStars-...ss.pyc
windows7-x64
3PokeStars-...ss.pyc
windows10-2004-x64
3PokeStars-...bc.pyc
windows7-x64
3PokeStars-...bc.pyc
windows10-2004-x64
3PokeStars-...le.pyc
windows7-x64
3PokeStars-...le.pyc
windows10-2004-x64
3Analysis
-
max time kernel
153s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
15-04-2023 22:22
Static task
static1
Behavioral task
behavioral1
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/d3dcompiler_47.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral2
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/d3dcompiler_47.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/libEGL.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral4
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/libEGL.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/libGLESv2.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral6
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/libGLESv2.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/libpython3.9.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral8
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/libpython3.9.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/librenpython.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral10
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/librenpython.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/nvdrs.dll
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral12
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/nvdrs.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/python.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral14
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/python.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/pythonw.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral16
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/pythonw.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/say.vbs
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral18
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/say.vbs
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/zsync.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral20
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/zsync.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/zsyncmake.exe
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral22
Sample
PokeStars-0.0.1-pc/lib/py3-windows-x86_64/zsyncmake.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
PokeStars-0.0.1-pc/lib/python3.9/__future__.pyc
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral24
Sample
PokeStars-0.0.1-pc/lib/python3.9/__future__.pyc
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
PokeStars-0.0.1-pc/lib/python3.9/_bootlocale.pyc
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral26
Sample
PokeStars-0.0.1-pc/lib/python3.9/_bootlocale.pyc
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
PokeStars-0.0.1-pc/lib/python3.9/_bootsubprocess.pyc
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral28
Sample
PokeStars-0.0.1-pc/lib/python3.9/_bootsubprocess.pyc
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
PokeStars-0.0.1-pc/lib/python3.9/_collections_abc.pyc
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral30
Sample
PokeStars-0.0.1-pc/lib/python3.9/_collections_abc.pyc
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
PokeStars-0.0.1-pc/lib/python3.9/_compat_pickle.pyc
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral32
Sample
PokeStars-0.0.1-pc/lib/python3.9/_compat_pickle.pyc
Resource
win10v2004-20230220-en
windows10-2004-x64
General
-
Target
PokeStars-0.0.1-pc/lib/python3.9/_bootlocale.pyc
-
Size
1KB
-
MD5
25cd8310c27834d830e9d5e3bf331f10
-
SHA1
718b7e30a2009d554a628c1e9b3aa33ce5df73a4
-
SHA256
f44c741b071d68fbe32e8f27fec6e18a42541a7bbb1ccad03fcb5582a8ab987b
-
SHA512
0879d2297a145f58e00df1032c8c2f73f3cd6a441516b51d819de693fdcd61581d03dbba28d01f4b31b285df6d4f8bbc98390e321b1f67ac5540310b8ed685aa
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.pyc rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\pyc_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\pyc_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\pyc_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1824 AcroRd32.exe 1824 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1740 wrote to memory of 1380 1740 cmd.exe 29 PID 1740 wrote to memory of 1380 1740 cmd.exe 29 PID 1740 wrote to memory of 1380 1740 cmd.exe 29 PID 1380 wrote to memory of 1824 1380 rundll32.exe 30 PID 1380 wrote to memory of 1824 1380 rundll32.exe 30 PID 1380 wrote to memory of 1824 1380 rundll32.exe 30 PID 1380 wrote to memory of 1824 1380 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\PokeStars-0.0.1-pc\lib\python3.9\_bootlocale.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PokeStars-0.0.1-pc\lib\python3.9\_bootlocale.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PokeStars-0.0.1-pc\lib\python3.9\_bootlocale.pyc"3⤵
- Suspicious use of SetWindowsHookEx
PID:1824
-
-