Analysis Overview
SHA256: 11fe45cccad95a86b7e7d29c9d92547dae0706d549485d37d482d3df5fe58ebb
Threat Level: Shows suspicious behavior
The file pojgysef.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
VMProtect packed file
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 12:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 12:43
Reported
2024-06-29 12:45
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\pojgysef.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\pojgysef.exe
"C:\Users\Admin\AppData\Local\Temp\pojgysef.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | greetclassifytalk.shop | udp |
| US | 8.8.8.8:53 | acceptabledcooeprs.shop | udp |
| US | 8.8.8.8:53 | obsceneclassyjuwks.shop | udp |
| US | 8.8.8.8:53 | zippyfinickysofwps.shop | udp |
| US | 8.8.8.8:53 | miniaturefinerninewjs.shop | udp |
| US | 8.8.8.8:53 | plaintediousidowsko.shop | udp |
| US | 8.8.8.8:53 | sweetsquarediaslw.shop | udp |
| US | 8.8.8.8:53 | holicisticscrarws.shop | udp |
| US | 8.8.8.8:53 | boredimperissvieos.shop | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
| Hash | Value |
|---|---|
| MD5 | ff59d999beb970447667695ce3273f75 |
| SHA1 | 316fa09f467ba90ac34a054daf2e92e6e2854ff8 |
| SHA256 | 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2 |
| SHA512 | d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
| Hash | Value |
|---|---|
| MD5 | cfb293de9746b2e41887b20155c1ee61 |
| SHA1 | 282f4eb7c72e0403b6176d9925c914878539458f |
| SHA256 | aa3fd950bcaa5a3bcf630976d6f5b25577468c4dba51a6421673435583bf309d |
| SHA512 | e57536d985e50f8ec649ea64c6faf4b2eb2c887d48a26eba8eadd3512a235a9cdaeed8aabea10f5cfed4a7bf597ca92b89c93ceb2ef552ad56a9813d79164b6e |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe
| Hash | Value |
|---|---|
| MD5 | d09d8539c62597cd658a22b167acc4f9 |
| SHA1 | 67309103226da380034dba8e6fe5a0a4e8183464 |
| SHA256 | 15b67d1c9943ded17553939213a1c2d90541d05f59deee44e4ed2903d828ff16 |
| SHA512 | 15a7afdb8567d4db79dbc6e4df187cc7cf447f1467970f0c6c3de617791f66d820aa9b8bb46a95775723abe4d1dcc8bd1ff67b3b3fa1822e9ca0f07578d67336 |
memory/4236-19-0x0000000001360000-0x0000000001361000-memory.dmp
memory/4236-20-0x0000000000510000-0x0000000000E14000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 12:43
Reported
2024-06-29 12:45
Platform
win11-20240419-en
Max time kernel
89s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\pojgysef.exe
"C:\Users\Admin\AppData\Local\Temp\pojgysef.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | greetclassifytalk.shop | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
| Hash | Value |
|---|---|
| MD5 | ff59d999beb970447667695ce3273f75 |
| SHA1 | 316fa09f467ba90ac34a054daf2e92e6e2854ff8 |
| SHA256 | 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2 |
| SHA512 | d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
| Hash | Value |
|---|---|
| MD5 | cfb293de9746b2e41887b20155c1ee61 |
| SHA1 | 282f4eb7c72e0403b6176d9925c914878539458f |
| SHA256 | aa3fd950bcaa5a3bcf630976d6f5b25577468c4dba51a6421673435583bf309d |
| SHA512 | e57536d985e50f8ec649ea64c6faf4b2eb2c887d48a26eba8eadd3512a235a9cdaeed8aabea10f5cfed4a7bf597ca92b89c93ceb2ef552ad56a9813d79164b6e |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe
| Hash | Value |
|---|---|
| MD5 | d09d8539c62597cd658a22b167acc4f9 |
| SHA1 | 67309103226da380034dba8e6fe5a0a4e8183464 |
| SHA256 | 15b67d1c9943ded17553939213a1c2d90541d05f59deee44e4ed2903d828ff16 |
| SHA512 | 15a7afdb8567d4db79dbc6e4df187cc7cf447f1467970f0c6c3de617791f66d820aa9b8bb46a95775723abe4d1dcc8bd1ff67b3b3fa1822e9ca0f07578d67336 |
memory/860-19-0x0000000001530000-0x0000000001531000-memory.dmp
memory/860-20-0x00000000006F0000-0x0000000000FF4000-memory.dmp