8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2

General

Target

8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe
Size

1.1MB
MD5

4a5891330c78b6a09d6c2fa4746dc2b5
SHA1

f5183195a9a5dd28493b53e46a4cf2dba96bdd20
SHA256

8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2
SHA512

7621400db7ac6d0c00d96a6f327d6199579d3fe3a5d14ace2a1474509eb03c016b844c9ddf85b8ed65ddec440fe8632499a84c4006ae8e5d275ddeb246acf9d8
SSDEEP

24576:zm9ZM1+vNz6GwbBQ0tPSYvM/dyM9uT2S0vRxu7fe2wBt2l2yIYx:P2NOGwb7tPSYv6B9uv0vRxcfe2qMlGYx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1116	PocoDJxe-2.18.exe
520	jaSIdyv12uio3v6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1572	520	WerFault.exe	29

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
520	jaSIdyv12uio3v6.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
520	jaSIdyv12uio3v6.exe
1116	PocoDJxe-2.18.exe
1116	PocoDJxe-2.18.exe
1116	PocoDJxe-2.18.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1116	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	28
PID 1476 wrote to memory of 1116	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	28
PID 1476 wrote to memory of 1116	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	28
PID 1476 wrote to memory of 1116	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	28
PID 1476 wrote to memory of 1116	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	28
PID 1476 wrote to memory of 1116	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	28
PID 1476 wrote to memory of 1116	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	28
PID 1476 wrote to memory of 520	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	29
PID 1476 wrote to memory of 520	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	29
PID 1476 wrote to memory of 520	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	29
PID 1476 wrote to memory of 520	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	29
PID 1476 wrote to memory of 520	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	29
PID 1476 wrote to memory of 520	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	29
PID 1476 wrote to memory of 520	1476	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	29
PID 520 wrote to memory of 1572	520	jaSIdyv12uio3v6.exe	31
PID 520 wrote to memory of 1572	520	jaSIdyv12uio3v6.exe	31
PID 520 wrote to memory of 1572	520	jaSIdyv12uio3v6.exe	31
PID 520 wrote to memory of 1572	520	jaSIdyv12uio3v6.exe	31
PID 520 wrote to memory of 1572	520	jaSIdyv12uio3v6.exe	31
PID 520 wrote to memory of 1572	520	jaSIdyv12uio3v6.exe	31
PID 520 wrote to memory of 1572	520	jaSIdyv12uio3v6.exe	31

C:\Users\Admin\AppData\Local\Temp\8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe
"C:\Users\Admin\AppData\Local\Temp\8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\PocoDJxe-2.18.exe
  "C:\PocoDJxe-2.18.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1116
- C:\jaSIdyv12uio3v6.exe
  "C:\jaSIdyv12uio3v6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 468
    3⤵
    - Program crash
    PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PocoDJxe-2.18.exe

Filesize
2.5MB

MD5
8a3ef74f54a457879d3edfe9d6ca9533

SHA1
ffc46152600efd7f248918e5b754e407799b4fe7

SHA256
1c8992edd998083d94f34fbf1dedb95e71de100446e0d333ac061d40a92228d4

SHA512
19255819731125dab1d7b0a6baf0852b563b02ddbd266f16cb72c3e853739c2cd189eb73956bfedd7be6bc7801a94100aa050e6863e66c48780adc534ee69de1

Download Submit
C:\PocoDJxe-2.18.exe

Filesize
2.5MB

MD5
8a3ef74f54a457879d3edfe9d6ca9533

SHA1
ffc46152600efd7f248918e5b754e407799b4fe7

SHA256
1c8992edd998083d94f34fbf1dedb95e71de100446e0d333ac061d40a92228d4

SHA512
19255819731125dab1d7b0a6baf0852b563b02ddbd266f16cb72c3e853739c2cd189eb73956bfedd7be6bc7801a94100aa050e6863e66c48780adc534ee69de1

Download Submit
C:\jaSIdyv12uio3v6.exe

Filesize
357KB

MD5
07305605d61ce055de9a6898643c903b

SHA1
8a91a4a99a1d9d1deb35a8b12f3db2fee354d548

SHA256
afcece67b86d3e4dd66605e4e06d52f0daf2b666254c7bff2a453d3b7353da9d

SHA512
e15190f6660cec7bacb58679c51d2e3986817ba468f10bd1d23bc797e58727f75d1a0c1ecce8ff406442d37f1126a115caf8ee162d3e93b1b3c9f72413337cf8

Download Submit
C:\jaSIdyv12uio3v6.exe

Filesize
357KB

MD5
07305605d61ce055de9a6898643c903b

SHA1
8a91a4a99a1d9d1deb35a8b12f3db2fee354d548

SHA256
afcece67b86d3e4dd66605e4e06d52f0daf2b666254c7bff2a453d3b7353da9d

SHA512
e15190f6660cec7bacb58679c51d2e3986817ba468f10bd1d23bc797e58727f75d1a0c1ecce8ff406442d37f1126a115caf8ee162d3e93b1b3c9f72413337cf8

Download Submit
memory/1476-54-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing