8e86e10a9b3a48604514c4fab81a68afcc48d1cbcf932255afdc8ca85e33c12d

Analysis

max time kernel
208s
max time network
260s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2023, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PvZ Road Trip.exe
Size

936KB
MD5

a99bb2d4387ad643ffc9a2d8d3a65b0d
SHA1

c4d9ccfb1a1a45a66cf7432d6a2cb80fae74580a
SHA256

9a884c29643a5eeef591855bebb1f687222fddbf46b76d225231bdecce9eb1aa
SHA512

cde8196b92508c2aafdf6e0225e8a4acfd3c8e289d8fa9e4b0a551973e165f426fde002b1389dcd61201e65bcb7087a24d1fd4957792428689149b7c4c51b2c8
SSDEEP

12288:g6LMFY+X+LJPgawU31s1YyN6HNAaWz+yFvbfZ2XhfDf+1G:g6LMdlCyNyA1FvjZ2I1G

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\discord-756532409352192059\shell	PvZ Road Trip.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\discord-756532409352192059\shell\open	PvZ Road Trip.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\discord-756532409352192059	PvZ Road Trip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\discord-756532409352192059\URL Protocol	PvZ Road Trip.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\discord-756532409352192059\shell\open\command	PvZ Road Trip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\discord-756532409352192059\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PvZ Road Trip.exe"	PvZ Road Trip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\discord-756532409352192059\ = "URL:Run game 756532409352192059 protocol"	PvZ Road Trip.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\discord-756532409352192059\DefaultIcon	PvZ Road Trip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\discord-756532409352192059\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PvZ Road Trip.exe"	PvZ Road Trip.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4424	PvZ Road Trip.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2812	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4424	PvZ Road Trip.exe

C:\Users\Admin\AppData\Local\Temp\PvZ Road Trip.exe
"C:\Users\Admin\AppData\Local\Temp\PvZ Road Trip.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x3fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MMFApplications\PvZRT.Ini

Filesize
212B

MD5
2a301390e6e75b04082c02cfafc409cf

SHA1
09b55028c765f818c3a44e7cec18a948dc338c96

SHA256
9d8461db6643a4a59b7f0420156b8cea7809cde30268032363cebe5726d23fa2

SHA512
4f6f1f278c41cbfca4c3ff8cc8139d521248510a2c31a24f51cec8db3c0fd901b0b28bbf8c02b447e903864afb76e5ac8633df486831e947b0997be89bedfb82

Download Submit
C:\Users\Admin\AppData\Roaming\MMFApplications\PvZRT.Ini

Filesize
223B

MD5
448b04833bce568dab5b9e10bdd68938

SHA1
f8c1a9e67a6b9934f590854e23a21c73497a31e2

SHA256
d0c2e68e8bb73868bddba164345ff3c84a78955b6cf609ccb5d50cf66858e3a1

SHA512
cdc0db649429431b20303e42a0fe958900f23242e29c5898f008186f28ef0acfad9b609b82400814340242a33383b99dec5e408b09d08310107d918f7167cac5

Download Submit
memory/4424-133-0x0000000002700000-0x000000000270B000-memory.dmp

Filesize
44KB

Download
memory/4424-134-0x0000000002760000-0x00000000027A9000-memory.dmp

Filesize
292KB

Download
memory/4424-136-0x00000000027B0000-0x0000000002809000-memory.dmp

Filesize
356KB

Download
memory/4424-138-0x0000000002860000-0x0000000002872000-memory.dmp

Filesize
72KB

Download
memory/4424-139-0x0000000002890000-0x00000000028B2000-memory.dmp

Filesize
136KB

Download
memory/4424-141-0x00000000028D0000-0x00000000028EB000-memory.dmp

Filesize
108KB

Download
memory/4424-143-0x0000000002A80000-0x0000000002AA4000-memory.dmp

Filesize
144KB

Download