Overview
overview
3Static
static
1PvZ_Toolki....3.zip
windows7-x64
1PvZ_Toolki....3.zip
windows10-2004-x64
1PvZ_Toolki....3.exe
windows7-x64
1PvZ_Toolki....3.exe
windows10-2004-x64
1PvZ_Toolki...xe.asc
windows7-x64
3PvZ_Toolki...xe.asc
windows10-2004-x64
3PvZ_Toolki...e.hash
windows7-x64
3PvZ_Toolki...e.hash
windows10-2004-x64
3PvZ_Toolki...h).exe
windows7-x64
1PvZ_Toolki...h).exe
windows10-2004-x64
1PvZ_Toolki...xe.asc
windows7-x64
1PvZ_Toolki...xe.asc
windows10-2004-x64
1PvZ_Toolki...e.hash
windows7-x64
1PvZ_Toolki...e.hash
windows10-2004-x64
1PvZ_Toolki...ds.yml
windows7-x64
3PvZ_Toolki...ds.yml
windows10-2004-x64
3PvZ_Toolki...up.yml
windows7-x64
3PvZ_Toolki...up.yml
windows10-2004-x64
3PvZ_Toolki...sh.png
windows7-x64
3PvZ_Toolki...sh.png
windows10-2004-x64
3PvZ_Toolki...pt.url
windows7-x64
1PvZ_Toolki...pt.url
windows10-2004-x64
1PvZ_Toolki...X1.der
windows7-x64
1PvZ_Toolki...X1.der
windows10-2004-x64
1PvZ_Toolki...X2.der
windows7-x64
1PvZ_Toolki...X2.der
windows10-2004-x64
1PvZ_Toolki...s).url
windows7-x64
1PvZ_Toolki...s).url
windows10-2004-x64
1PvZ_Toolki...t).url
windows7-x64
1PvZ_Toolki...t).url
windows10-2004-x64
1PvZ_Toolki...s).url
windows7-x64
1PvZ_Toolki...s).url
windows10-2004-x64
1Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
19-02-2024 16:01
Static task
static1
Behavioral task
behavioral1
Sample
PvZ_Toolkit_v1.20.3.zip
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
PvZ_Toolkit_v1.20.3.zip
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
PvZ_Toolkit_v1.20.3/PvZ_Toolkit_v1.20.3.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
PvZ_Toolkit_v1.20.3/PvZ_Toolkit_v1.20.3.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
PvZ_Toolkit_v1.20.3/PvZ_Toolkit_v1.20.3.exe.asc
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
PvZ_Toolkit_v1.20.3/PvZ_Toolkit_v1.20.3.exe.asc
Resource
win10v2004-20231222-en
Behavioral task
behavioral7
Sample
PvZ_Toolkit_v1.20.3/PvZ_Toolkit_v1.20.3.exe.hash
Resource
win7-20240215-en
Behavioral task
behavioral8
Sample
PvZ_Toolkit_v1.20.3/PvZ_Toolkit_v1.20.3.exe.hash
Resource
win10v2004-20231222-en
Behavioral task
behavioral9
Sample
PvZ_Toolkit_v1.20.3/PvZ_Toolkit_v1.20.3_(English).exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
PvZ_Toolkit_v1.20.3/PvZ_Toolkit_v1.20.3_(English).exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral11
Sample
PvZ_Toolkit_v1.20.3/PvZ_Toolkit_v1.20.3_(English).exe.asc
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
PvZ_Toolkit_v1.20.3/PvZ_Toolkit_v1.20.3_(English).exe.asc
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
PvZ_Toolkit_v1.20.3/PvZ_Toolkit_v1.20.3_(English).exe.hash
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
PvZ_Toolkit_v1.20.3/PvZ_Toolkit_v1.20.3_(English).exe.hash
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
PvZ_Toolkit_v1.20.3/builds.yml
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
PvZ_Toolkit_v1.20.3/builds.yml
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
PvZ_Toolkit_v1.20.3/lineup.yml
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
PvZ_Toolkit_v1.20.3/lineup.yml
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
PvZ_Toolkit_v1.20.3/splash.png
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
PvZ_Toolkit_v1.20.3/splash.png
Resource
win10v2004-20231222-en
Behavioral task
behavioral21
Sample
PvZ_Toolkit_v1.20.3/植僵工具箱网站/HTTPS 根证书/Chain of Trust - Let's Encrypt.url
Resource
win7-20231129-en
Behavioral task
behavioral22
Sample
PvZ_Toolkit_v1.20.3/植僵工具箱网站/HTTPS 根证书/Chain of Trust - Let's Encrypt.url
Resource
win10v2004-20231222-en
Behavioral task
behavioral23
Sample
PvZ_Toolkit_v1.20.3/植僵工具箱网站/HTTPS 根证书/ISRG Root X1.der
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
PvZ_Toolkit_v1.20.3/植僵工具箱网站/HTTPS 根证书/ISRG Root X1.der
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
PvZ_Toolkit_v1.20.3/植僵工具箱网站/HTTPS 根证书/ISRG Root X2.der
Resource
win7-20231215-en
Behavioral task
behavioral26
Sample
PvZ_Toolkit_v1.20.3/植僵工具箱网站/HTTPS 根证书/ISRG Root X2.der
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
PvZ_Toolkit_v1.20.3/植僵工具箱网站/下载游戏 (Plants vs. Zombies).url
Resource
win7-20231215-en
Behavioral task
behavioral28
Sample
PvZ_Toolkit_v1.20.3/植僵工具箱网站/下载游戏 (Plants vs. Zombies).url
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
PvZ_Toolkit_v1.20.3/植僵工具箱网站/帮助文档 (Help Document).url
Resource
win7-20231215-en
Behavioral task
behavioral30
Sample
PvZ_Toolkit_v1.20.3/植僵工具箱网站/帮助文档 (Help Document).url
Resource
win10v2004-20231215-en
Behavioral task
behavioral31
Sample
PvZ_Toolkit_v1.20.3/植僵工具箱网站/阵型列表 (Endless Builds).url
Resource
win7-20231129-en
Behavioral task
behavioral32
Sample
PvZ_Toolkit_v1.20.3/植僵工具箱网站/阵型列表 (Endless Builds).url
Resource
win10v2004-20231215-en
General
-
Target
PvZ_Toolkit_v1.20.3/lineup.yml
-
Size
27KB
-
MD5
4cfc666e635f226aa6ef67c7ce0a7e33
-
SHA1
78d0bbbec851bfbb1e2df25a6a256d8073348c29
-
SHA256
5e66d5eed40a4e47682b1673dbb82e3d5ba58a4bf598f0419c117f38cffd4b1d
-
SHA512
c6f04d0be0f33af4cb37dbbc44bd77238b7f24b65c5c68cab50777b31b64ebc1bc1b2bdaf6fd01c52ff6ffdfd01a8cc32158ecd7d574d12fd8c537acb1cb0938
-
SSDEEP
768:MCq6fysNjk8Kc5KxVyn7nh3k+Vzfecukqr4e9BrP:Q6fysNjde47t/heD1r59BrP
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\yml_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\yml_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\.yml\ = "yml_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\yml_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\yml_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\yml_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\.yml rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\yml_auto_file\shell rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2996 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2996 AcroRd32.exe 2996 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1992 wrote to memory of 2812 1992 cmd.exe 29 PID 1992 wrote to memory of 2812 1992 cmd.exe 29 PID 1992 wrote to memory of 2812 1992 cmd.exe 29 PID 2812 wrote to memory of 2996 2812 rundll32.exe 30 PID 2812 wrote to memory of 2996 2812 rundll32.exe 30 PID 2812 wrote to memory of 2996 2812 rundll32.exe 30 PID 2812 wrote to memory of 2996 2812 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\PvZ_Toolkit_v1.20.3\lineup.yml1⤵
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PvZ_Toolkit_v1.20.3\lineup.yml2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PvZ_Toolkit_v1.20.3\lineup.yml"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2996
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5e4c5362a2d2b0403f3e3c790493dc42c
SHA15e987006b2def10c739ffb5ad0c0f2a8470fff57
SHA2566d80925b3c6f0ce5cfb5d54d3e9efdb6be9f78d229e15785b99393199d9e5151
SHA512ba55e2c44c48241b8ebe44ffc4c4256f29abe434c76648d26922cb318fd4d748eb3d494f3d58aaa07596a7ffe27b4d18565c88ff6c35bf0ad73bdc38d953ce01