Resubmissions

29-06-2024 12:43

240629-px6z4a1app 7

22-05-2024 07:25

240522-h9f6wagc6y 10

Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-06-2024 12:43

General

  • Target

    pojgysef.exe

  • Size

    6.1MB

  • MD5

    d4f738f4e3787ef0b31891e446919aa8

  • SHA1

    fa22c2fe4da02adbb51c35402c8dc21ab4157c43

  • SHA256

    11fe45cccad95a86b7e7d29c9d92547dae0706d549485d37d482d3df5fe58ebb

  • SHA512

    19d3a88cc2367669d6df8d5e7f4f310e482699c365a72cc7d2ee384972e6a2441a4adfc2c348780658c2e88a3e6f8ad82ecae1b4637d8f7cabb447266e16d3c7

  • SSDEEP

    196608:a7m6/UXOd2L2Y4QE2i7fQzrVmbLm5g53D9I:eAOIL2Yfi7fymHmK5z9I

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pojgysef.exe
    "C:\Users\Admin\AppData\Local\Temp\pojgysef.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        work.exe -priverdD
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4236

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
    Filesize: 35B
    MD5: ff59d999beb970447667695ce3273f75
    SHA1: 316fa09f467ba90ac34a054daf2e92e6e2854ff8
    SHA256: 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
    SHA512: d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    Filesize: 5.8MB
    MD5: cfb293de9746b2e41887b20155c1ee61
    SHA1: 282f4eb7c72e0403b6176d9925c914878539458f
    SHA256: aa3fd950bcaa5a3bcf630976d6f5b25577468c4dba51a6421673435583bf309d
    SHA512: e57536d985e50f8ec649ea64c6faf4b2eb2c887d48a26eba8eadd3512a235a9cdaeed8aabea10f5cfed4a7bf597ca92b89c93ceb2ef552ad56a9813d79164b6e

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe
    Filesize: 5.5MB
    MD5: d09d8539c62597cd658a22b167acc4f9
    SHA1: 67309103226da380034dba8e6fe5a0a4e8183464
    SHA256: 15b67d1c9943ded17553939213a1c2d90541d05f59deee44e4ed2903d828ff16
    SHA512: 15a7afdb8567d4db79dbc6e4df187cc7cf447f1467970f0c6c3de617791f66d820aa9b8bb46a95775723abe4d1dcc8bd1ff67b3b3fa1822e9ca0f07578d67336

  • memory/4236-19-0x0000000001360000-0x0000000001361000-memory.dmp
    Filesize: 4KB

  • memory/4236-20-0x0000000000510000-0x0000000000E14000-memory.dmp
    Filesize: 9.0MB