8e86e10a9b3a48604514c4fab81a68afcc48d1cbcf932255afdc8ca85e33c12d

Analysis

max time kernel
230s
max time network
36s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/05/2023, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PvZ Road Trip.exe
Size

936KB
MD5

a99bb2d4387ad643ffc9a2d8d3a65b0d
SHA1

c4d9ccfb1a1a45a66cf7432d6a2cb80fae74580a
SHA256

9a884c29643a5eeef591855bebb1f687222fddbf46b76d225231bdecce9eb1aa
SHA512

cde8196b92508c2aafdf6e0225e8a4acfd3c8e289d8fa9e4b0a551973e165f426fde002b1389dcd61201e65bcb7087a24d1fd4957792428689149b7c4c51b2c8
SSDEEP

12288:g6LMFY+X+LJPgawU31s1YyN6HNAaWz+yFvbfZ2XhfDf+1G:g6LMdlCyNyA1FvjZ2I1G

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\discord-756532409352192059\shell\open\command	PvZ Road Trip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\discord-756532409352192059\URL Protocol	PvZ Road Trip.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\discord-756532409352192059\DefaultIcon	PvZ Road Trip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\discord-756532409352192059\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PvZ Road Trip.exe"	PvZ Road Trip.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\discord-756532409352192059\shell	PvZ Road Trip.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\discord-756532409352192059\shell\open	PvZ Road Trip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\discord-756532409352192059\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PvZ Road Trip.exe"	PvZ Road Trip.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\discord-756532409352192059	PvZ Road Trip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\discord-756532409352192059\ = "URL:Run game 756532409352192059 protocol"	PvZ Road Trip.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1700	PvZ Road Trip.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1700	PvZ Road Trip.exe

C:\Users\Admin\AppData\Local\Temp\PvZ Road Trip.exe
"C:\Users\Admin\AppData\Local\Temp\PvZ Road Trip.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1700

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x57c
1⤵
PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MMFApplications\PvZRT.Ini

Filesize
212B

MD5
2a301390e6e75b04082c02cfafc409cf

SHA1
09b55028c765f818c3a44e7cec18a948dc338c96

SHA256
9d8461db6643a4a59b7f0420156b8cea7809cde30268032363cebe5726d23fa2

SHA512
4f6f1f278c41cbfca4c3ff8cc8139d521248510a2c31a24f51cec8db3c0fd901b0b28bbf8c02b447e903864afb76e5ac8633df486831e947b0997be89bedfb82

Download Submit
memory/1700-54-0x0000000000180000-0x000000000018B000-memory.dmp

Filesize
44KB

Download
memory/1700-55-0x0000000000350000-0x0000000000399000-memory.dmp

Filesize
292KB

Download
memory/1700-57-0x0000000001E40000-0x0000000001E99000-memory.dmp

Filesize
356KB

Download
memory/1700-59-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1700-60-0x0000000000780000-0x00000000007A2000-memory.dmp

Filesize
136KB

Download
memory/1700-62-0x00000000020F0000-0x000000000210B000-memory.dmp

Filesize
108KB

Download
memory/1700-64-0x00000000022B0000-0x00000000022D4000-memory.dmp

Filesize
144KB

Download