Analysis

  • max time kernel
    102s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220901-es
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-es, locale:es-es, os:windows7-x64, system:windows
  • submitted
    15/02/2023, 18:34

General

  • Target
    plants-vs-zombies-3-1.exe
  • Size
    108KB
  • MD5
    59bdce6dc18274f6d2ac2c08ce603be0
  • SHA1
    6bdd74cfa4fb088df46e0e34e72b3a259044527a
  • SHA256
    662e184de4d4c852bfad5cda954baa3803624d8e1a998ef1f7764c30bb11dbf7
  • SHA512
    9663af1af6034f863a76c5bb624495e77c2c863de5ff09b3a89bd30df8148e8d57f967825f10a5e7491d65003beb4361c14d051303725f0e458a7ff7e03ce4c2
  • SSDEEP
    1536:/LXB65939tY6HBg4sXJUxIjVlWmBX6j6986ZLnVRwlWmBXOxIjxOcVf22Ir29:/Lk395hYXJU+Kpj25nDjr+8gm29

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Loads dropped DLL (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\plants-vs-zombies-3-1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\plants-vs-zombies-3-1.exe"
    PID: 1100
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
  • C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 476
    • C:\Windows\system32\AUDIODG.EXE
      Command line: C:\Windows\system32\AUDIODG.EXE 0x144
      PID: 1160
      • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v6


Downloads

  • \Users\Admin\AppData\Local\Temp\nsyA01.tmp\NSISdl.dll
    Filesize: 14KB
    MD5: a5f8399a743ab7f9c88c645c35b1ebb5
    SHA1: 168f3c158913b0367bf79fa413357fbe97018191
    SHA256: dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
    SHA512: 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

  • \Users\Admin\AppData\Local\Temp\nsyA01.tmp\System.dll
    Filesize: 11KB
    MD5: c17103ae9072a06da581dec998343fc1
    SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
    SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
    SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • memory/476-57-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp
    Filesize: 8KB

  • memory/1100-54-0x0000000076441000-0x0000000076443000-memory.dmp
    Filesize: 8KB