8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2

Analysis

max time kernel
178s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe
Size

1.1MB
MD5

4a5891330c78b6a09d6c2fa4746dc2b5
SHA1

f5183195a9a5dd28493b53e46a4cf2dba96bdd20
SHA256

8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2
SHA512

7621400db7ac6d0c00d96a6f327d6199579d3fe3a5d14ace2a1474509eb03c016b844c9ddf85b8ed65ddec440fe8632499a84c4006ae8e5d275ddeb246acf9d8
SSDEEP

24576:zm9ZM1+vNz6GwbBQ0tPSYvM/dyM9uT2S0vRxu7fe2wBt2l2yIYx:P2NOGwb7tPSYv6B9uv0vRxcfe2qMlGYx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5012	PocoDJxe-2.18.exe
4952	jaSIdyv12uio3v6.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2360	4952	WerFault.exe	80
560	4952	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4952	jaSIdyv12uio3v6.exe
4952	jaSIdyv12uio3v6.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4952	jaSIdyv12uio3v6.exe
5012	PocoDJxe-2.18.exe
5012	PocoDJxe-2.18.exe
5012	PocoDJxe-2.18.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 5012	2384	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	79
PID 2384 wrote to memory of 5012	2384	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	79
PID 2384 wrote to memory of 5012	2384	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	79
PID 2384 wrote to memory of 4952	2384	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	80
PID 2384 wrote to memory of 4952	2384	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	80
PID 2384 wrote to memory of 4952	2384	8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe	80
PID 4952 wrote to memory of 2360	4952	jaSIdyv12uio3v6.exe	83
PID 4952 wrote to memory of 2360	4952	jaSIdyv12uio3v6.exe	83
PID 4952 wrote to memory of 2360	4952	jaSIdyv12uio3v6.exe	83

C:\Users\Admin\AppData\Local\Temp\8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe
"C:\Users\Admin\AppData\Local\Temp\8db9c38380e4decc682a055cf8962566363c8bdf1bb2290bedd5365efc66a6e2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2384
- C:\PocoDJxe-2.18.exe
  "C:\PocoDJxe-2.18.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5012
- C:\jaSIdyv12uio3v6.exe
  "C:\jaSIdyv12uio3v6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 976
    3⤵
    - Program crash
    PID:2360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 976
    3⤵
    - Program crash
    PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4952 -ip 4952
1⤵
PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PocoDJxe-2.18.exe

Filesize
2.5MB

MD5
8a3ef74f54a457879d3edfe9d6ca9533

SHA1
ffc46152600efd7f248918e5b754e407799b4fe7

SHA256
1c8992edd998083d94f34fbf1dedb95e71de100446e0d333ac061d40a92228d4

SHA512
19255819731125dab1d7b0a6baf0852b563b02ddbd266f16cb72c3e853739c2cd189eb73956bfedd7be6bc7801a94100aa050e6863e66c48780adc534ee69de1

Download Submit
C:\PocoDJxe-2.18.exe

Filesize
2.5MB

MD5
8a3ef74f54a457879d3edfe9d6ca9533

SHA1
ffc46152600efd7f248918e5b754e407799b4fe7

SHA256
1c8992edd998083d94f34fbf1dedb95e71de100446e0d333ac061d40a92228d4

SHA512
19255819731125dab1d7b0a6baf0852b563b02ddbd266f16cb72c3e853739c2cd189eb73956bfedd7be6bc7801a94100aa050e6863e66c48780adc534ee69de1

Download Submit
C:\jaSIdyv12uio3v6.exe

Filesize
357KB

MD5
07305605d61ce055de9a6898643c903b

SHA1
8a91a4a99a1d9d1deb35a8b12f3db2fee354d548

SHA256
afcece67b86d3e4dd66605e4e06d52f0daf2b666254c7bff2a453d3b7353da9d

SHA512
e15190f6660cec7bacb58679c51d2e3986817ba468f10bd1d23bc797e58727f75d1a0c1ecce8ff406442d37f1126a115caf8ee162d3e93b1b3c9f72413337cf8

Download Submit
C:\jaSIdyv12uio3v6.exe

Filesize
357KB

MD5
07305605d61ce055de9a6898643c903b

SHA1
8a91a4a99a1d9d1deb35a8b12f3db2fee354d548

SHA256
afcece67b86d3e4dd66605e4e06d52f0daf2b666254c7bff2a453d3b7353da9d

SHA512
e15190f6660cec7bacb58679c51d2e3986817ba468f10bd1d23bc797e58727f75d1a0c1ecce8ff406442d37f1126a115caf8ee162d3e93b1b3c9f72413337cf8

Download Submit