Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
03-05-2023 21:20
General
-
Target
PlantsVsZombies.exe
-
Size
287KB
-
MD5
25b2696070e2fcb0c6f54cdc48b1d928
-
SHA1
ef1eb10b13359aeaaf9adca4e0a6983f3f8255fd
-
SHA256
5dfa0659632684566c9626ab671eeda5270913cfbdb0603d23cdcf20a023786f
-
SHA512
c18bc77469f0346f393ca279d82f5f94f1109827499fc0c0b944fb281ae9e738da088805376947c0a3a4f2589d9a1885fdf2a6d0fc831444c9c13b0f8ffb7d62
-
SSDEEP
3072:hz+onVLcQv5G5cR56WyWIKWpHPxIbs043RGAr6mXE5Z7PyymBH60Xk8Cr:hz+onVLtpD63TVYhBIET7PyymFvTI
Malware Config
Signatures
-
Drops desktop.ini file(s) 1 IoCs
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PlantsVsZombies.exe"C:\Users\Admin\AppData\Local\Temp\PlantsVsZombies.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\GameBarPresenceWriter.exe"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Checks processor information in registry
- Modifies registry class
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.0.784807593\353336233" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1724 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e59b0451-231b-40b1-9f44-815359e832e3} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 1900 1f6888a7958 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.1.65180482\2032818738" -parentBuildID 20221007134813 -prefsHandle 2292 -prefMapHandle 2288 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8df73acb-6328-4615-8166-e386ae79fcd2} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 2304 1f688d55558 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.2.987825090\297082529" -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3268 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f23a4464-902c-4758-906c-2603df854663} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 3204 1f68ae81458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.3.242933716\1391287604" -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 2692 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00317245-77e8-437f-a875-1d755c978e55} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 3176 1f68ae81d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.5.1006591292\963609726" -childID 4 -isForBrowser -prefsHandle 2848 -prefMapHandle 2864 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42a00cf8-e495-4211-a377-09755180db5d} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 3772 1f68ae83e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.4.747604451\1566599579" -childID 3 -isForBrowser -prefsHandle 3464 -prefMapHandle 3256 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {534d4abe-ce3a-432f-b4cf-170a6acedbde} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 3276 1f68ae82658 tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD56cef27eea66db27826fe0603070c6101
SHA15abe032b644922c8b05051d587dba18b746b1bf3
SHA256f28ac0b7aa1b166ecca30b59173f5c30e291191b30553740d6424eee6b200a03
SHA512d9d9725eacbb84d337c2d9c44e64d34b96b3658403e29697deb05b19cbcd803a085e89b61981e7f6001f189900b1d15d36caa841baf98bf66fef9513d5c72897
-
Filesize
6KB
MD500bd359b2c485e448b941c0ecffd25df
SHA14f36fdaec57f76f5a265fd918f33d0c402feaa9a
SHA2566d9b8c6fbb84bf0f53aa0c53399ac6be67f61a90e88cfe2146d88175f2ab527a
SHA512487675839c69c5119f82b6bfb77175ffd2926fc732af27ed2949183329466e03abf2fd27062c431856e568cb54b09fdc4590c783b1eb165581f370127a476500
-
Filesize
6KB
MD507944cefc677dc7664e03a0a1cfe1f4b
SHA1c4d24facf186e8bd4c841e16872951247a0d3bc6
SHA256e7fe3530d7b14a74d1164ec55ded6f0460fe616146b79834c023abfe825df301
SHA51246ce07af7db021eb540b1b64b0346154bdef70c9e602f4d2f777c0fe7ca60d2930a6355be6b04b87d5d1ec2c8b9b1549150b68cb9b8bd399162419cc1063e87e
-
Filesize
6KB
MD507fc25cefa96234db25928bd99f350da
SHA10e4cd88fe72fd903133a548fd029e2bad324f0b4
SHA2569e369ffde245a42b22511e51e3c99aae14729aacadef6a9459884d817bcc1275
SHA512b1c356b45eb9715a1971e4fef4a5c27b0e188315f8a8a6504a2fe0d2d70c99b76d7b54a3a5a3617a789b51cd129bc5f53ffe388399cfe7c323da3866c3471629
-
Filesize
6KB
MD5feb8a52858c8167a58f36caa1b37f116
SHA17ae7f9d2721ae3c579f9e18e4fea679e8c848158
SHA256adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a
SHA512109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16
-
Filesize
271B
MD5b00744dec2193bed0c30c8a92e496396
SHA1e986de9ca383231ab9c74606d04e085b1a659795
SHA256cacb606cde9459a5acbc85f119b9876f6f736dd4e4528cb6d12e245ed782caad
SHA5128d805774fd91271ace9aceacbdf2ae4866916b0bc99b4221264d794670755370d7c6b0c5855b45535266b09e3f4efe9ffc1dc741724206dd9bd338bcd2efb67f
-
Filesize
190B
MD5b0d27eaec71f1cd73b015f5ceeb15f9d
SHA162264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA25686d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA5127b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c