aab8daa28c24b51180e2a5ff0b248df5aa32223926c343ad31c9cdcea53a59d2

Analysis

max time kernel
119s
max time network
56s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-03-2023 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Poppy Playtime Chapter 2.exe
Size

39.6MB
MD5

6fa0bae386792e0d611be8645da59bc1
SHA1

dce2f1d8b0b5a61888cd38f1fe45bf2744b72294
SHA256

aab8daa28c24b51180e2a5ff0b248df5aa32223926c343ad31c9cdcea53a59d2
SHA512

59b92f157e3b479a386128658c8ce7779dd3598ba4aaab424f07d0b15f17f1324e0562dd78a847d60ef6655c041ab996e71df5b49ab0d1286c076425535dc720
SSDEEP

786432:PnH60LGTVMaIHuu7USb6DoQingfKnPrN2MmUAOoZ0PMXDuQshj2S+kB0XiER:v6wGTmtH+OxngfKnPB2MmUw0PMSQ++kY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

FRESH ADVICE LTD App Executable.exe

pid process

1620 FRESH ADVICE LTD App Executable.exe

pid	process
1620	FRESH ADVICE LTD App Executable.exe

Loads dropped DLL 6 IoCs

Processes:

Poppy Playtime Chapter 2.exeFRESH ADVICE LTD App Executable.exe

pid	process
1424	Poppy Playtime Chapter 2.exe
1424	Poppy Playtime Chapter 2.exe
1424	Poppy Playtime Chapter 2.exe
1424	Poppy Playtime Chapter 2.exe
1620	FRESH ADVICE LTD App Executable.exe
1620	FRESH ADVICE LTD App Executable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Poppy Playtime Chapter 2.exe

description pid process

Token: SeSecurityPrivilege 1424 Poppy Playtime Chapter 2.exe

description	pid	process
Token: SeSecurityPrivilege	1424	Poppy Playtime Chapter 2.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Poppy Playtime Chapter 2.exeFRESH ADVICE LTD App Executable.exe

C:\Users\Admin\AppData\Local\Temp\Poppy Playtime Chapter 2.exe
"C:\Users\Admin\AppData\Local\Temp\Poppy Playtime Chapter 2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\FRESH ADVICE LTD App Executable.exe
"C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\FRESH ADVICE LTD App Executable.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\FRESH ADVICE LTD App Executable.exe
"C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\FRESH ADVICE LTD App Executable.exe" --type=gpu-process --field-trial-handle=1112,15678842269156446426,15208993919796862189,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --gpu-preferences=IAAAAAAAAADgAAAgAAAAAAAAYAAAAAAACAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAABQAAABAAAAAAAAAAAAAAAAYAAAAQAAAAAAAAAAEAAAAFAAAAEAAAAAAAAAABAAAABgAAAA== --service-request-channel-token=14602814714126233176 --mojo-platform-channel-handle=1132 --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1604

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\FRESH ADVICE LTD App Executable.exe
Filesize
95.4MB

MD5
a3f48173ca45922bf8f123736f1c67e6

SHA1
e1f26662d130f83cee3c9474bdb0c622eeb5a7d1

SHA256
d0e58bb4e06d4b1ca6159f5ef2223ba1468ed4cbfc22ba36dc26eed000479330

SHA512
0d8ee3264fdc03ca460c7c25fad3e8761e3fa24ed9a59912f6e05b6dc358b278c758aff51729b9d6c9542048317a879cd6d79a3572a71c3818e27eed2ed84799

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\FRESH ADVICE LTD App Executable.exe
Filesize
95.4MB

MD5
a3f48173ca45922bf8f123736f1c67e6

SHA1
e1f26662d130f83cee3c9474bdb0c622eeb5a7d1

SHA256
d0e58bb4e06d4b1ca6159f5ef2223ba1468ed4cbfc22ba36dc26eed000479330

SHA512
0d8ee3264fdc03ca460c7c25fad3e8761e3fa24ed9a59912f6e05b6dc358b278c758aff51729b9d6c9542048317a879cd6d79a3572a71c3818e27eed2ed84799

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\chrome_100_percent.pak
Filesize
142KB

MD5
8d56d44c318d122f7931d03ba435f00b

SHA1
387f530e06f79a2a9f7fbf4446c71c31db08e7e0

SHA256
fcb4faaa82d13d90c42dfa0669f67391b3124d30310d0f4c510f31412974cab2

SHA512
03bd2f56f73ad06fe22ebd94fb0de4e37d1771f8a9d82a47ea93002ba4696d906b59d0e25db63e98af10a169a8c3dc9d047cfcbca01030924bf93abe7bce1590

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\chrome_200_percent.pak
Filesize
204KB

MD5
879f88cafa5714994744bde20e7bd2c2

SHA1
d63b55f9f7c0e40f9585cac8a5cb28c0ea9f32ee

SHA256
76126341d0dc2b4b6ddccf30559709e6a856cd47148107808bd18ceb16ed1df3

SHA512
4d70ae16c2656cf3a8aaad00e2ce0ddcc030bf1ad29bbb1d0e90c03f866c413f893b273b8b03aa12c9ea5ae01537ad1d2d1b2c52b35bf7773278121a09a3af9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\ffmpeg.dll
Filesize
2.0MB

MD5
cb487d6310f6f6c95d86f64e39c14f16

SHA1
28a4f1915f9e8de5a46c88db629abb36710e3bfe

SHA256
716fc3ad741af677f719fdb6378111fcf788bfc5e3364d619976d6c7c7c57e61

SHA512
e25e2e24c074481363624ff0cda79fef4b61e5729a5e3b053dc1311234284a8e946d7c0867c2aa83fefb21843dbb07db0120a8d54cccd3788563b0d79a800f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\icudtl.dat
Filesize
9.9MB

MD5
4c8a9e9c260dc5a6fee2a3c37520f5bf

SHA1
5a9883dbeb5314a98e7ab5326f9868e78ba387dc

SHA256
8c2df1f6e2ea8df2e5fc5e4b016b0cddd64a7ce6985189ca45be3c0ec99472c2

SHA512
c0da0b08a0b0eaa898f96c6e6c6fb65bc7f773f5814fc0d612a40e2fcaea4049c67cd2812716a564dbc16d609677ee62eaa9f9747d2a7bc5c9bce43cd2208aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\locales\en-US.pak
Filesize
69KB

MD5
15e8556f737d17bd4d645513ee190990

SHA1
a24844d68fe3e9f4c57d14e6091a06f5e6b5f327

SHA256
12e4fd083a49e038578ea2993e6c88239083c8d098231527eee861299a4e1c99

SHA512
4e5c423b2b14def0e6ebb9c7844bdc050198064c9db69d3a880c1444314211995b1f0dec6fcbb12c6d5e59f690c3ffc893c2265bf7168d1ecbc8d83dfa5e1465

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\natives_blob.bin
Filesize
81KB

MD5
f8ac49858ca8739658ff44c296f8aba6

SHA1
427b4da3bd619d85381c36d61daf2ce392e07909

SHA256
354ff502a0e1ed73df4e5c7b52970356b04777461f6e169f72a8567ab5f4c317

SHA512
52e875aedbdc5dad21e01a42e333ff5aefed9ae6468a00e80f2bb373b871196f9a82bc3f43a6c72c9dd6be0e4fbc591d3ede41ca47b23a806b788db5aa9bf313

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\resources.pak
Filesize
8.1MB

MD5
978e8122033961585e14c65949d15e11

SHA1
3097d04bbcdfc6ff9e0bb52c2d38f6395e4bb631

SHA256
a435fa0e07a9124b0d457811de5e2245aeb225ad55ab99186cb665c6ec6e30ef

SHA512
5f6706116b7eaec70213f7343cac44eea2dc735de6262524b5508a659b150d8a5ad7f449fec984b45a2e5c170e1cb4feb927a19530c94841f3e6429a2fcaa1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\resources\app.asar
Filesize
10.7MB

MD5
98ab58d5af5afb8a7e0002bcfb202942

SHA1
d18a9d54b5866a9d99ce85b77c830a1f2064daa7

SHA256
7eebbaf8ad44f9979b5c6f2d2d36d23e1713c8f547525a8fcefc82590caabac2

SHA512
73bc17157c4e608f047ba5808b0c74b1ffe86b3aa1f2efbebcd945d0c11f13290f475b90d45627d45f0a0ece0957145330c5d48d2e20eefa06ee47733d4eca0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\resources\electron.asar
Filesize
347KB

MD5
1362f92031875676f4b082ff249abe1f

SHA1
bc9a9b6b08e28d8a33c5d388662b0fb3535af8ef

SHA256
5acf0deb20455487cb0f39cc4c752e7740137ab6adf8c049e62f092174310ca9

SHA512
2fc75d23c61b18b0537c0b5d889766fc51ad37b3a283f64c5edfc0c6abeff21123c055410c15f5d9c5945cba204937983409c865816669442ad8b165ab185d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\v8_context_snapshot.bin
Filesize
685KB

MD5
25bee133a55efa9756b25ba25ba3cfa7

SHA1
6980de30de3d8e6ae81b4b3a14954ca67f58f9de

SHA256
156f90f0a8c6748716428786dca9cb53d1275f4510ebae2be5502f3fd94b7dc1

SHA512
c80232eda1bc9a7dc52fac538b99cc9a9805c00b455661bd493c12e620286e1983afe37814b0941d90c9e4be970b63108e1f9428c1a7d6fc5ab083acc0ee2aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy198B.tmp\StdUtils.dll
Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\FRESH ADVICE LTD App Executable.exe
Filesize
95.4MB

MD5
a3f48173ca45922bf8f123736f1c67e6

SHA1
e1f26662d130f83cee3c9474bdb0c622eeb5a7d1

SHA256
d0e58bb4e06d4b1ca6159f5ef2223ba1468ed4cbfc22ba36dc26eed000479330

SHA512
0d8ee3264fdc03ca460c7c25fad3e8761e3fa24ed9a59912f6e05b6dc358b278c758aff51729b9d6c9542048317a879cd6d79a3572a71c3818e27eed2ed84799

Download Submit
\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\FRESH ADVICE LTD App Executable.exe
Filesize
95.4MB

MD5
a3f48173ca45922bf8f123736f1c67e6

SHA1
e1f26662d130f83cee3c9474bdb0c622eeb5a7d1

SHA256
d0e58bb4e06d4b1ca6159f5ef2223ba1468ed4cbfc22ba36dc26eed000479330

SHA512
0d8ee3264fdc03ca460c7c25fad3e8761e3fa24ed9a59912f6e05b6dc358b278c758aff51729b9d6c9542048317a879cd6d79a3572a71c3818e27eed2ed84799

Download Submit
\Users\Admin\AppData\Local\Temp\2KYwYtDZ475jS2a88GXqFMEy6XG\ffmpeg.dll
Filesize
2.0MB

MD5
cb487d6310f6f6c95d86f64e39c14f16

SHA1
28a4f1915f9e8de5a46c88db629abb36710e3bfe

SHA256
716fc3ad741af677f719fdb6378111fcf788bfc5e3364d619976d6c7c7c57e61

SHA512
e25e2e24c074481363624ff0cda79fef4b61e5729a5e3b053dc1311234284a8e946d7c0867c2aa83fefb21843dbb07db0120a8d54cccd3788563b0d79a800f6b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy198B.tmp\StdUtils.dll
Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsy198B.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy198B.tmp\nsis7z.dll
Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1604-235-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1620-267-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 1424 wrote to memory of 1620	1424	Poppy Playtime Chapter 2.exe	FRESH ADVICE LTD App Executable.exe
PID 1424 wrote to memory of 1620	1424	Poppy Playtime Chapter 2.exe	FRESH ADVICE LTD App Executable.exe
PID 1424 wrote to memory of 1620	1424	Poppy Playtime Chapter 2.exe	FRESH ADVICE LTD App Executable.exe
PID 1424 wrote to memory of 1620	1424	Poppy Playtime Chapter 2.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe
PID 1620 wrote to memory of 1604	1620	FRESH ADVICE LTD App Executable.exe	FRESH ADVICE LTD App Executable.exe