Analysis
- max time kernel: 444s
- max time network: 367s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22/05/2024, 10:20
- static1: Static task
- behavioral1: pvz.exe on win7-20240221-en
- behavioral2: pvz.exe on win10v2004-20240508-en
- behavioral3: $PLUGINSDIR/BgWorker.dll on win7-20240508-en
- behavioral4: $PLUGINSDIR/BgWorker.dll on win10v2004-20240508-en
- behavioral5: $PLUGINSDIR/ExecDos.dll on win7-20240508-en
- behavioral6: $PLUGINSDIR/ExecDos.dll on win10v2004-20240508-en
- behavioral7: $PLUGINSDIR/System.dll on win7-20240215-en
- behavioral8: $PLUGINSDIR/System.dll on win10v2004-20240426-en
- behavioral9: $PLUGINSDIR/license.rtf on win7-20240508-en
- behavioral10: $PLUGINSDIR/license.rtf on win10v2004-20240508-en
- behavioral11: $PLUGINSDIR/nsNiuniuSkin.dll on win7-20240419-en
- behavioral12: $PLUGINSDIR/nsNiuniuSkin.dll on win10v2004-20240426-en
- behavioral13: $PLUGINSDIR/nsProcess.dll on win7-20240508-en
- behavioral14: $PLUGINSDIR/nsProcess.dll on win10v2004-20240508-en
- behavioral15: $PLUGINSDIR/nsis7zU.dll on win7-20240221-en
- behavioral16: $PLUGINSDIR/nsis7zU.dll on win10v2004-20240426-en
- behavioral17: PlantsVsZombies.exe on win7-20240221-en
- behavioral18: PlantsVsZombies.exe on win10v2004-20240508-en
- behavioral19: bass.dll on win7-20240221-en
- behavioral20: bass.dll on win10v2004-20240508-en
- behavioral21: gdi42.dll on win7-20240221-en
- behavioral22: gdi42.dll on win10v2004-20240508-en
- behavioral23: pvzHE-Launcher-winXP.exe on win7-20231129-en
- behavioral24: pvzHE-Launcher-winXP.exe on win10v2004-20240508-en
- behavioral25: pvzHE-Launcher.exe on win7-20240215-en
- behavioral26: pvzHE-Launcher.exe on win10v2004-20240508-en
- behavioral27: pvzHE-Save-Relocate.exe on win7-20240221-en
- behavioral28: pvzHE-Save-Relocate.exe on win10v2004-20240508-en
- behavioral29: uninst.exe on win7-20240220-en
- behavioral30: uninst.exe on win10v2004-20240508-en
- behavioral31: $PLUGINSDIR/BgWorker.dll on win7-20240221-en
- behavioral32: $PLUGINSDIR/BgWorker.dll on win10v2004-20240226-en
General
- Target: pvz.exe
- Size: 73.6MB
- MD5: 1e70ff1df951f6dc11f55554d15f2c37
- SHA1: 714a0c595764c5d6c45cf5254fcad67a9cc8f10a
- SHA256: 94a47191fb3a307fdaa84a1f8f31d8e1b4b79b34048814725c373e54f3d4e37a
- SHA512: 9b9b44f42a5050e50550b8c266bdc9411598576ebcb10db896c991d792fc54c43429f63d8d7833257e06e916d73fc0f729357858aa046f202eab762c96259ddd
- SSDEEP: 1572864:lmMjfJ+8Xk4dNaZJyxA2fYlGsazJWE5jqerWb:lBzJ+aaKilGsazkEQerWb
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid / process: 348 pvzHE-Save-Relocate.exe; 1328 pvzHE-Launcher.exe; 1492 PlantsVsZombies.exe
- Loads dropped DLL (17 IoCs)
  pid / process: 2228 pvz.exe (14 entries); 1328 pvzHE-Launcher.exe (1 entry); 1492 PlantsVsZombies.exe (2 entries)
- Modifies file permissions (1 TTP, 2 IoCs)
  pid / process: 1644 icacls.exe; 1988 icacls.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (31 IoCs), all by process pvz.exe, all under C:\Program Files (x86)\pvzHE\
  File created (16):
    app.7z
    bass.dll
    gdi42.dll
    logo.ico
    main.pak
    PlantsVsZombies.exe
    pvzHE-Launcher.exe
    pvzHE-Launcher-winXP.exe
    pvzHE-Save-Relocate.exe
    uninst.exe
    fonts\fzcq.ttf
    fonts\fzjz.ttf
    fonts\fzkt.TTF
    fonts\fzyh.ttf
    fonts\wryh.ttf
    fonts\wryh+pico12num.ttf
  File opened for modification (15):
    app.7z
    bass.dll
    gdi42.dll
    main.pak
    PlantsVsZombies.exe
    pvzHE-Launcher.exe
    pvzHE-Launcher-winXP.exe
    pvzHE-Save-Relocate.exe
    fonts (directory)
    fonts\fzcq.ttf
    fonts\fzjz.ttf
    fonts\fzkt.TTF
    fonts\fzyh.ttf
    fonts\wryh.ttf
    fonts\wryh+pico12num.ttf
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / process: 2228 pvz.exe (2 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process: 1492 PlantsVsZombies.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  source pid / process -> target pid (procid_target), number of writes:
    2228 pvz.exe -> 348 (30), 4 writes
    2228 pvz.exe -> 1644 (31), 4 writes
    2228 pvz.exe -> 1988 (33), 4 writes
    2228 pvz.exe -> 1328 (36), 7 writes
    1328 pvzHE-Launcher.exe -> 1492 (37), 7 writes
Processes
- depth 1: C:\Users\Admin\AppData\Local\Temp\pvz.exe, PID 2228
  command line: "C:\Users\Admin\AppData\Local\Temp\pvz.exe"
  signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - depth 2: C:\Program Files (x86)\pvzHE\pvzHE-Save-Relocate.exe, PID 348
    command line: "C:\Program Files (x86)\pvzHE\pvzHE-Save-Relocate.exe"
    signatures: Executes dropped EXE
  - depth 2: C:\Windows\SysWOW64\icacls.exe, PID 1644
    command line: icacls "C:\ProgramData\PopCap Games\PlantsVsZombies\pvzHE" /grant Users:(OI)(CI)F
    signatures: Modifies file permissions
  - depth 2: C:\Windows\SysWOW64\icacls.exe, PID 1988
    command line: icacls "C:\Program Files (x86)\pvzHE" /grant Users:(OI)(CI)F
    signatures: Modifies file permissions
  - depth 2: C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe, PID 1328
    command line: "C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - depth 3: C:\Program Files (x86)\pvzHE\PlantsVsZombies.exe, PID 1492
      command line: "PlantsVsZombies.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads