Malware Analysis Report

2024-11-30 05:17

Sample ID 240629-px6z4a1app
Target pojgysef.exe
SHA256 11fe45cccad95a86b7e7d29c9d92547dae0706d549485d37d482d3df5fe58ebb
Tags
vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

11fe45cccad95a86b7e7d29c9d92547dae0706d549485d37d482d3df5fe58ebb

Threat Level: Shows suspicious behavior

The file pojgysef.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

vmprotect

Checks computer location settings

Executes dropped EXE

VMProtect packed file

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-29 12:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 12:43

Reported

2024-06-29 12:45

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pojgysef.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pojgysef.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\pojgysef.exe

"C:\Users\Admin\AppData\Local\Temp\pojgysef.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 greetclassifytalk.shop udp
US 8.8.8.8:53 acceptabledcooeprs.shop udp
US 8.8.8.8:53 obsceneclassyjuwks.shop udp
US 8.8.8.8:53 zippyfinickysofwps.shop udp
US 8.8.8.8:53 miniaturefinerninewjs.shop udp
US 8.8.8.8:53 plaintediousidowsko.shop udp
US 8.8.8.8:53 sweetsquarediaslw.shop udp
US 8.8.8.8:53 holicisticscrarws.shop udp
US 8.8.8.8:53 boredimperissvieos.shop udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 ff59d999beb970447667695ce3273f75
SHA1 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512 d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 cfb293de9746b2e41887b20155c1ee61
SHA1 282f4eb7c72e0403b6176d9925c914878539458f
SHA256 aa3fd950bcaa5a3bcf630976d6f5b25577468c4dba51a6421673435583bf309d
SHA512 e57536d985e50f8ec649ea64c6faf4b2eb2c887d48a26eba8eadd3512a235a9cdaeed8aabea10f5cfed4a7bf597ca92b89c93ceb2ef552ad56a9813d79164b6e

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe

MD5 d09d8539c62597cd658a22b167acc4f9
SHA1 67309103226da380034dba8e6fe5a0a4e8183464
SHA256 15b67d1c9943ded17553939213a1c2d90541d05f59deee44e4ed2903d828ff16
SHA512 15a7afdb8567d4db79dbc6e4df187cc7cf447f1467970f0c6c3de617791f66d820aa9b8bb46a95775723abe4d1dcc8bd1ff67b3b3fa1822e9ca0f07578d67336

memory/4236-19-0x0000000001360000-0x0000000001361000-memory.dmp

memory/4236-20-0x0000000000510000-0x0000000000E14000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 12:43

Reported

2024-06-29 12:45

Platform

win11-20240419-en

Max time kernel

89s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pojgysef.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\pojgysef.exe

"C:\Users\Admin\AppData\Local\Temp\pojgysef.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 greetclassifytalk.shop udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 ff59d999beb970447667695ce3273f75
SHA1 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512 d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 cfb293de9746b2e41887b20155c1ee61
SHA1 282f4eb7c72e0403b6176d9925c914878539458f
SHA256 aa3fd950bcaa5a3bcf630976d6f5b25577468c4dba51a6421673435583bf309d
SHA512 e57536d985e50f8ec649ea64c6faf4b2eb2c887d48a26eba8eadd3512a235a9cdaeed8aabea10f5cfed4a7bf597ca92b89c93ceb2ef552ad56a9813d79164b6e

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe

MD5 d09d8539c62597cd658a22b167acc4f9
SHA1 67309103226da380034dba8e6fe5a0a4e8183464
SHA256 15b67d1c9943ded17553939213a1c2d90541d05f59deee44e4ed2903d828ff16
SHA512 15a7afdb8567d4db79dbc6e4df187cc7cf447f1467970f0c6c3de617791f66d820aa9b8bb46a95775723abe4d1dcc8bd1ff67b3b3fa1822e9ca0f07578d67336

memory/860-19-0x0000000001530000-0x0000000001531000-memory.dmp

memory/860-20-0x00000000006F0000-0x0000000000FF4000-memory.dmp