Overview
overview
7Static
static
3SSDRM_for_...le.exe
windows7-x64
3SSDRM_for_...le.exe
windows10-2004-x64
3$PLUGINSDI...md.dll
windows7-x64
3$PLUGINSDI...md.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3PCWProtect...ce.exe
windows7-x64
7PCWProtect...ce.exe
windows10-2004-x64
7GDISpyB.sys
windows7-x64
1GDISpyB.sys
windows10-2004-x64
1PCW.dll
windows7-x64
1PCW.dll
windows10-2004-x64
1PCW64.dll
windows7-x64
7PCW64.dll
windows10-2004-x64
7PCWProtectorB.exe
windows7-x64
1PCWProtectorB.exe
windows10-2004-x64
1PCWProtectorDummy.exe
windows7-x64
1PCWProtectorDummy.exe
windows10-2004-x64
1PCWProtect...64.exe
windows7-x64
1PCWProtect...64.exe
windows10-2004-x64
1PCWProtect...4B.exe
windows7-x64
5PCWProtect...4B.exe
windows10-2004-x64
5PCWProtect...eB.exe
windows7-x64
1PCWProtect...eB.exe
windows10-2004-x64
1PCWUpdater.exe
windows7-x64
7PCWUpdater.exe
windows10-2004-x64
7PCWUpdater64.exe
windows7-x64
7PCWUpdater64.exe
windows10-2004-x64
7PscMng.exe
windows7-x64
1PscMng.exe
windows10-2004-x64
1RDUtil.dll
windows7-x64
1RDUtil.dll
windows10-2004-x64
1Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24-04-2024 14:07
Static task
static1
Behavioral task
behavioral1
Sample
SSDRM_for_mySingle.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral2
Sample
SSDRM_for_mySingle.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/ExecCmd.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/ExecCmd.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
PCWProtectorSetup_Voice_Service.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
PCWProtectorSetup_Voice_Service.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
GDISpyB.sys
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
GDISpyB.sys
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
PCW.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral12
Sample
PCW.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
PCW64.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
PCW64.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
PCWProtectorB.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral16
Sample
PCWProtectorB.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
PCWProtectorDummy.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
PCWProtectorDummy.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
PCWProtectorDummy64.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral20
Sample
PCWProtectorDummy64.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
PCWProtectorService64B.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
PCWProtectorService64B.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
PCWProtectorServiceB.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral24
Sample
PCWProtectorServiceB.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
PCWUpdater.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
PCWUpdater.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
PCWUpdater64.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
PCWUpdater64.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
PscMng.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral30
Sample
PscMng.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
RDUtil.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
RDUtil.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
General
-
Target
PCWProtectorService64B.exe
-
Size
287KB
-
MD5
eb2aa21de1026a8a831af0797aac9a78
-
SHA1
0e5e03f209a50a46ac14246ae46ef19ee14d7233
-
SHA256
82c4c819c4d543f6131cbc462206e9cdaf4931abe6f73c21b6df4968897572a2
-
SHA512
89758110eef34b9c08b09cfb10569b0ce4b16788dc68029c12fda84859240d514d2a41827a61e99b9e2a8f1be1ce251a2fd8aeba990dfbb176158f6096ad11e2
-
SSDEEP
6144:sV7FOaQwYB3EOkbu/s6vsHgf4t7hGijknN+kh/h4:sxQwYB3E1u/n87hAnz9h4
Malware Config
Signatures
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\TftLib.dll PCWProtectorService64B.exe File opened for modification C:\Windows\SysWOW64\TftLib.dll PCWProtectorService64B.exe File created C:\Windows\SysWOW64\T_Prevent.dll PCWProtectorService64B.exe File created C:\Windows\SysWOW64\TDepend.exe PCWProtectorService64B.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe 1540 PCWProtectorService64B.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 1540 PCWProtectorService64B.exe Token: SeDebugPrivilege 1540 PCWProtectorService64B.exe Token: SeDebugPrivilege 1540 PCWProtectorService64B.exe Token: SeDebugPrivilege 1540 PCWProtectorService64B.exe Token: SeDebugPrivilege 1540 PCWProtectorService64B.exe Token: SeDebugPrivilege 1540 PCWProtectorService64B.exe Token: SeDebugPrivilege 1540 PCWProtectorService64B.exe
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
254KB
MD57bc750a3e94403913851e41f1028a832
SHA1d035d67133c760b48522713bd3158ec2bf17fcbc
SHA25664aaa65abb2d5cfd49c96d349dec267e904457ec70c91fa64d0ee60b0b155817
SHA5128de51b3bb24cedf37a8a138f5c6177d3f8ad3602b81d387a129b2a7662c53ffe91afbba09b9f26844de535bab29ade8da7e25621efbc032e903882dda3974d61