Overview
overview
6Static
static
Princess.Conquest.rar
windows7-x64
3Princess.Conquest.rar
windows10-2004-x64
3Princess.C...OM.url
windows7-x64
6Princess.C...OM.url
windows10-2004-x64
6Princess.C...OM.url
windows7-x64
6Princess.C...OM.url
windows10-2004-x64
6Princess.C...rr.ps1
windows7-x64
1Princess.C...rr.ps1
windows10-2004-x64
1Princess.C...rm.dll
windows7-x64
1Princess.C...rm.dll
windows10-2004-x64
1Princess.C...19.ttf
windows7-x64
1Princess.C...19.ttf
windows10-2004-x64
1Princess.C...ld.otf
windows7-x64
1Princess.C...ld.otf
windows10-2004-x64
1Princess.C...NS.ttf
windows7-x64
1Princess.C...NS.ttf
windows10-2004-x64
1Princess.C...TG.ttf
windows7-x64
1Princess.C...TG.ttf
windows10-2004-x64
1Princess.C...ar.ttf
windows7-x64
1Princess.C...ar.ttf
windows10-2004-x64
1Princess.C...ar.ttf
windows7-x64
1Princess.C...ar.ttf
windows10-2004-x64
1Princess.C...ngelog
windows7-x64
1Princess.C...ngelog
windows10-2004-x64
1Princess.C...ICENSE
windows7-x64
1Princess.C...ICENSE
windows10-2004-x64
1Princess.C...NSE.en
windows7-x64
1Princess.C...NSE.en
windows10-2004-x64
1Princess.C....mplus
windows7-x64
1Princess.C....mplus
windows10-2004-x64
1Princess.C....mplus
windows7-x64
1Princess.C....mplus
windows10-2004-x64
1Analysis
-
max time kernel
31s -
max time network
77s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
28/12/2022, 06:29
Static task
static1
Behavioral task
behavioral1
Sample
Princess.Conquest.rar
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
Princess.Conquest.rar
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Princess.Conquest/IGG-GAMES.COM.url
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral4
Sample
Princess.Conquest/IGG-GAMES.COM.url
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Princess.Conquest/PCGAMESTORRENTS.COM.url
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
Princess.Conquest/PCGAMESTORRENTS.COM.url
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Audio/BGM/P&C - Pirate Barrr.ps1
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral8
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Audio/BGM/P&C - Pirate Barrr.ps1
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Princess.Conquest/Princess & Conquest v0.16.14/CoGenDrm.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral10
Sample
Princess.Conquest/Princess & Conquest v0.16.14/CoGenDrm.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/04b19.ttf
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral12
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/04b19.ttf
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/BebasNeueBold.otf
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral14
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/BebasNeueBold.otf
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/MODERNESANS.ttf
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral16
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/MODERNESANS.ttf
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/TG.ttf
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral18
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/TG.ttf
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VL-Gothic-Regular.ttf
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VL-Gothic-Regular.ttf
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VL-PGothic-Regular.ttf
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral22
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VL-PGothic-Regular.ttf
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VLGothic/Changelog
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral24
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VLGothic/Changelog
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VLGothic/LICENSE
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral26
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VLGothic/LICENSE
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VLGothic/LICENSE.en
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral28
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VLGothic/LICENSE.en
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VLGothic/LICENSE_E.mplus
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral30
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VLGothic/LICENSE_E.mplus
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VLGothic/LICENSE_J.mplus
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral32
Sample
Princess.Conquest/Princess & Conquest v0.16.14/Fonts/VLGothic/LICENSE_J.mplus
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
Princess.Conquest.rar
-
Size
882.7MB
-
MD5
f6001824c7684a240c13bd1b802e8b6e
-
SHA1
1602f29a4b3c5a99ac9e2cce16dfe59936e32678
-
SHA256
f34c3b62fabb53ec10d4b0174eeb662bfda5d5a7dab84661f1acd94e40b101b2
-
SHA512
345deae4764aa599618d5b38720dc44ca373b4fd01aefe6df8f49cec2abfc077703b312b26699e97bdbcff230f56d06419a40c9288810e2a00767e49eb61c4bd
-
SSDEEP
25165824:lDnJTuVlmKHPgUUMVF5FEc29VypLmEY1Wa:5JFKv9nvfMLypLmEY1Wa
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1740 vlc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1740 vlc.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: 33 1908 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1908 AUDIODG.EXE Token: 33 1908 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1908 AUDIODG.EXE Token: 33 1740 vlc.exe Token: SeIncBasePriorityPrivilege 1740 vlc.exe -
Suspicious use of FindShellTrayWindow 14 IoCs
pid Process 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe 1740 vlc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1740 vlc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1704 wrote to memory of 2020 1704 cmd.exe 27 PID 1704 wrote to memory of 2020 1704 cmd.exe 27 PID 1704 wrote to memory of 2020 1704 cmd.exe 27 PID 2020 wrote to memory of 1740 2020 rundll32.exe 28 PID 2020 wrote to memory of 1740 2020 rundll32.exe 28 PID 2020 wrote to memory of 1740 2020 rundll32.exe 28
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Princess.Conquest.rar1⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Princess.Conquest.rar2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Princess.Conquest.rar"3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1740
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5781⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908