Overview
overview
7Static
static
3SSDRM_for_...1).exe
windows7-x64
7SSDRM_for_...1).exe
windows10-2004-x64
3$PLUGINSDI...md.dll
windows7-x64
3$PLUGINSDI...md.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3PCWProtect...ce.exe
windows7-x64
7PCWProtect...ce.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...in.dll
windows7-x64
3$PLUGINSDI...in.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3GDISpy.sys
windows7-x64
1GDISpy.sys
windows10-2004-x64
1GDISpyB.sys
windows7-x64
1GDISpyB.sys
windows10-2004-x64
1PCW.dll
windows7-x64
1PCW.dll
windows10-2004-x64
1PCW64.dll
windows7-x64
7PCW64.dll
windows10-2004-x64
7PCWProtectorB.exe
windows7-x64
1PCWProtectorB.exe
windows10-2004-x64
1PCWProtectorDummy.exe
windows7-x64
1PCWProtectorDummy.exe
windows10-2004-x64
1PCWProtect...64.exe
windows7-x64
1PCWProtect...64.exe
windows10-2004-x64
1PCWProtect...4B.exe
windows7-x64
5PCWProtect...4B.exe
windows10-2004-x64
5Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24/04/2024, 14:03
Static task
static1
Behavioral task
behavioral1
Sample
SSDRM_for_mySingle (1).exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
SSDRM_for_mySingle (1).exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/ExecCmd.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/ExecCmd.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
PCWProtectorSetup_Voice_Service.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
PCWProtectorSetup_Voice_Service.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/PCWPlugin.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/PCWPlugin.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral16
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
GDISpy.sys
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
GDISpy.sys
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
GDISpyB.sys
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
GDISpyB.sys
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
PCW.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral22
Sample
PCW.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
PCW64.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
PCW64.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
PCWProtectorB.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
PCWProtectorB.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
PCWProtectorDummy.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral28
Sample
PCWProtectorDummy.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
PCWProtectorDummy64.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral30
Sample
PCWProtectorDummy64.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
PCWProtectorService64B.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
PCWProtectorService64B.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
PCWProtectorService64B.exe
-
Size
287KB
-
MD5
eb2aa21de1026a8a831af0797aac9a78
-
SHA1
0e5e03f209a50a46ac14246ae46ef19ee14d7233
-
SHA256
82c4c819c4d543f6131cbc462206e9cdaf4931abe6f73c21b6df4968897572a2
-
SHA512
89758110eef34b9c08b09cfb10569b0ce4b16788dc68029c12fda84859240d514d2a41827a61e99b9e2a8f1be1ce251a2fd8aeba990dfbb176158f6096ad11e2
-
SSDEEP
6144:sV7FOaQwYB3EOkbu/s6vsHgf4t7hGijknN+kh/h4:sxQwYB3E1u/n87hAnz9h4
Malware Config
Signatures
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\TftLib.dll PCWProtectorService64B.exe File opened for modification C:\Windows\SysWOW64\TftLib.dll PCWProtectorService64B.exe File created C:\Windows\SysWOW64\T_Prevent.dll PCWProtectorService64B.exe File created C:\Windows\SysWOW64\TDepend.exe PCWProtectorService64B.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe 2084 PCWProtectorService64B.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 2084 PCWProtectorService64B.exe Token: SeDebugPrivilege 2084 PCWProtectorService64B.exe Token: SeDebugPrivilege 2084 PCWProtectorService64B.exe Token: SeDebugPrivilege 2084 PCWProtectorService64B.exe Token: SeDebugPrivilege 2084 PCWProtectorService64B.exe Token: SeDebugPrivilege 2084 PCWProtectorService64B.exe Token: SeDebugPrivilege 2084 PCWProtectorService64B.exe
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
254KB
MD57bc750a3e94403913851e41f1028a832
SHA1d035d67133c760b48522713bd3158ec2bf17fcbc
SHA25664aaa65abb2d5cfd49c96d349dec267e904457ec70c91fa64d0ee60b0b155817
SHA5128de51b3bb24cedf37a8a138f5c6177d3f8ad3602b81d387a129b2a7662c53ffe91afbba09b9f26844de535bab29ade8da7e25621efbc032e903882dda3974d61