Analysis
- max time kernel: 195s
- max time network: 256s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 04-07-2024 22:41

Static task: static1
Behavioral task: behavioral1
Sample: 8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe
Resource: win7-20240220-en
General
- Target: 8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe
- Size: 6.4MB
- MD5: 5050f9bc5d4a4cec3d2c08ed24480a10
- SHA1: c3edc7c64810ece5a5fd4b9bc082b1f4dac7bf7f
- SHA256: 8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f
- SHA512: 2f62f4cba6a76681a0ecbb9977120978369ccd8bd2089227d1c581e30c190441f50f5561307eea737a28f625092287c6a6a0eaa924421d8789a72197d83062e6
- SSDEEP: 98304:6qwBqwWpcCHgb9m429vfTbDJgAWdWikDIyx2yR1OcS/7yMimxwnpyYOF8:6qwBqw16I9evL9Zik0k20wGnOa
Malware Config
Extracted
lumma
https://foodypannyjsud.shop/api
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    316   polaris.exe
    1852  pokafdw.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes:
    resource                                                                      yara_rule
    C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe                         vmprotect
    behavioral2/memory/1852-22-0x0000000000B10000-0x000000000141C000-memory.dmp   vmprotect
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process
    1852  pokafdw.exe   (6 occurrences)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                        pid   process                                                                 target process
    PID 1452 wrote to memory of 4944   1452  8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe   cmd.exe
    PID 1452 wrote to memory of 4944   1452  8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe   cmd.exe
    PID 4944 wrote to memory of 316    4944  cmd.exe                                                                 polaris.exe
    PID 4944 wrote to memory of 316    4944  cmd.exe                                                                 polaris.exe
    PID 316 wrote to memory of 1852    316   polaris.exe                                                             pokafdw.exe
    PID 316 wrote to memory of 1852    316   polaris.exe                                                             pokafdw.exe
    PID 316 wrote to memory of 1852    316   polaris.exe                                                             pokafdw.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1452
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4944
      3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
         Command line: polaris.exe -priverdD
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 316
         4. C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID: 1852
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 38B
  MD5: 76ce3d5d5c3032cc9f78133af90b7ca7
  SHA1: 774907a1177135daf81ad950c2201510958cc52b
  SHA256: 7deb532bdc37e4ed59642407a94a479ad7b7c18b852c9237899bb1fa9e55febd
  SHA512: fbc4c6fe065ed0000687130f6a173349ccd3fb68a6b5fa72c24cac90cbb53b82970961b60bee7bc1318682de70823aa054eff27010773b3c5b950ed084ba71de
- Filesize: 5.9MB
  MD5: 0f21f614bbd1768957b4ada1faf64885
  SHA1: 9e1fde36a3f615e783afec63be45a55453a14b89
  SHA256: cda0db0d276a2a24745a5c9b23712e2c950f5dd5c103f1ab88b9f1bdbe5be501
  SHA512: 8df61c2aa68b1ffef973d60bfa46c1fb0566ddc64f84729e459bc5d587daeab2cdc0ab5a69db3bb57bad1b2067969db06a83d9066c71215a2bd7e1f416b7c0a7
- Filesize: 5.5MB
  MD5: 5fd19293fa5acf9323ebc45b5df49b06
  SHA1: 6f0c22c0f40a1a4ac7abf31c7e3ba977bd3a133a
  SHA256: 659ad4fec79f03ac2f1c9fc81371a426cefd6abaef8edad4403a71f29088a261
  SHA512: 595e552e6202d7b22615eff1fecb35ad0fdf7506dd70dd3b708b7342b119a3f885bbdb0709785401a991b5de55cd4043c6398baa2a9b6a45ca390687e99aa697