d189fde2678d9f8706efe61bc985bf634386ba549beab847eff4ded0ba4334b2

Resubmissions

08/04/2024, 15:36

240408-s1ydxagb3t 7

08/04/2024, 15:32

240408-sylmbsga6v 7

Analysis

max time kernel
129s
max time network
141s
platform
windows10-1703_x64
resource
win10-20240319-en
resource tags

arch:x64arch:x86image:win10-20240319-enlocale:en-usos:windows10-1703-x64system
submitted
08/04/2024, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

植物大战僵尸β版/beta6.30.exe
Size

5.5MB
MD5

ddc203bda30b899ce6f66f290918bb74
SHA1

622fb88e1d4772a473d6f79607b895d1105699fc
SHA256

f5cab4bb3f62e2f090426265eea9cd21571ca491b2266947a2049cb8e94bbf0c
SHA512

52c7e09ff5e636a75599452b8cc70ec25f58fdc09d708afba8cd8c3281b6b0ddc3857ab4da849a5c22095f8054186a02d2617688829bd4c68be63ab84407edf8
SSDEEP

98304:TgoQPw4q0CSYg1Rt1biqkTxAGZcknzHPQ39lOAFN1/JK9JD/mNuhaG8XIwQke9Vz:Tge9sL3kTeGZn43SuN1/JKzTmNuhaGX/

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/404-13-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-14-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-15-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-12-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-17-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-19-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-21-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-23-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-25-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-27-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-29-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-31-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-35-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-37-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-39-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-42-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-44-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-47-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-49-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-51-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-54-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-56-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-59-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-61-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx
behavioral1/memory/404-64-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
404	beta6.30.exe
404	beta6.30.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3392	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3392	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe
404	beta6.30.exe

C:\Users\Admin\AppData\Local\Temp\植物大战僵尸β版\beta6.30.exe
"C:\Users\Admin\AppData\Local\Temp\植物大战僵尸β版\beta6.30.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:404

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x398
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/404-0-0x0000000000400000-0x0000000000D57000-memory.dmp

Filesize
9.3MB

Download
memory/404-1-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/404-2-0x00000000779E2000-0x00000000779E3000-memory.dmp

Filesize
4KB

Download
memory/404-3-0x0000000000400000-0x0000000000D57000-memory.dmp

Filesize
9.3MB

Download
memory/404-6-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/404-9-0x0000000000400000-0x0000000000D57000-memory.dmp

Filesize
9.3MB

Download
memory/404-13-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-14-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-15-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-12-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-17-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-19-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-21-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-23-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-25-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-27-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-29-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-31-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-33-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/404-35-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-37-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-39-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-42-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-44-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-47-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-49-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-51-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-54-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-56-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-59-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-61-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-62-0x0000000000400000-0x0000000000D57000-memory.dmp

Filesize
9.3MB

Download
memory/404-63-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/404-64-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/404-65-0x0000000000400000-0x0000000000D57000-memory.dmp

Filesize
9.3MB

Download
memory/404-66-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/404-67-0x0000000004930000-0x0000000004971000-memory.dmp

Filesize
260KB

Download
memory/404-109-0x0000000000400000-0x0000000000D57000-memory.dmp

Filesize
9.3MB

Download
memory/404-114-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download
memory/404-117-0x0000000004930000-0x0000000004971000-memory.dmp

Filesize
260KB

Download
memory/404-165-0x0000000000400000-0x0000000000D57000-memory.dmp

Filesize
9.3MB

Download
memory/404-166-0x0000000010000000-0x0000000010269000-memory.dmp

Filesize
2.4MB

Download