Analysis
Max time kernel: 89s
Max time network: 95s
Platform: windows11-21h2_x64
Resource: win11-20240419-en
Resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 29-06-2024 12:43
Static task: static1
Behavioral task: behavioral1
  Sample: pojgysef.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: pojgysef.exe
  Resource: win11-20240419-en
General
Target: pojgysef.exe
Size: 6.1MB
MD5: d4f738f4e3787ef0b31891e446919aa8
SHA1: fa22c2fe4da02adbb51c35402c8dc21ab4157c43
SHA256: 11fe45cccad95a86b7e7d29c9d92547dae0706d549485d37d482d3df5fe58ebb
SHA512: 19d3a88cc2367669d6df8d5e7f4f310e482699c365a72cc7d2ee384972e6a2441a4adfc2c348780658c2e88a3e6f8ad82ecae1b4637d8f7cabb447266e16d3c7
SSDEEP: 196608:a7m6/UXOd2L2Y4QE2i7fQzrVmbLm5g53D9I:eAOIL2Yfi7fymHmK5z9I
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  832   work.exe
  860   pgsthse.exe

Processes:
  resource                                                                    yara_rule
  C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe                       vmprotect
  behavioral2/memory/860-20-0x00000000006F0000-0x0000000000FF4000-memory.dmp  vmprotect

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  860   pgsthse.exe
  860   pgsthse.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid    process        target process
  PID 3572 wrote to memory of 4292  3572   pojgysef.exe   cmd.exe
  PID 3572 wrote to memory of 4292  3572   pojgysef.exe   cmd.exe
  PID 3572 wrote to memory of 4292  3572   pojgysef.exe   cmd.exe
  PID 4292 wrote to memory of 832   4292   cmd.exe        work.exe
  PID 4292 wrote to memory of 832   4292   cmd.exe        work.exe
  PID 4292 wrote to memory of 832   4292   cmd.exe        work.exe
  PID 832 wrote to memory of 860    832    work.exe       pgsthse.exe
  PID 832 wrote to memory of 860    832    work.exe       pgsthse.exe
  PID 832 wrote to memory of 860    832    work.exe       pgsthse.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\pojgysef.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\pojgysef.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
         Command line: work.exe -priverdD
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
  Filesize: 35B
  MD5: ff59d999beb970447667695ce3273f75
  SHA1: 316fa09f467ba90ac34a054daf2e92e6e2854ff8
  SHA256: 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
  SHA512: d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
  Filesize: 5.8MB
  MD5: cfb293de9746b2e41887b20155c1ee61
  SHA1: 282f4eb7c72e0403b6176d9925c914878539458f
  SHA256: aa3fd950bcaa5a3bcf630976d6f5b25577468c4dba51a6421673435583bf309d
  SHA512: e57536d985e50f8ec649ea64c6faf4b2eb2c887d48a26eba8eadd3512a235a9cdaeed8aabea10f5cfed4a7bf597ca92b89c93ceb2ef552ad56a9813d79164b6e

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe
  Filesize: 5.5MB
  MD5: d09d8539c62597cd658a22b167acc4f9
  SHA1: 67309103226da380034dba8e6fe5a0a4e8183464
  SHA256: 15b67d1c9943ded17553939213a1c2d90541d05f59deee44e4ed2903d828ff16
  SHA512: 15a7afdb8567d4db79dbc6e4df187cc7cf447f1467970f0c6c3de617791f66d820aa9b8bb46a95775723abe4d1dcc8bd1ff67b3b3fa1822e9ca0f07578d67336

memory/860-19-0x0000000001530000-0x0000000001531000-memory.dmp
  Filesize: 4KB

memory/860-20-0x00000000006F0000-0x0000000000FF4000-memory.dmp
  Filesize: 9.0MB