f503296a054e2d2b2fe6f3ec18bfafc010258bb2133a25e5324a8810e9fb3e86

General

Target

pvz-nd.exe
Size

45.0MB
MD5

ae07d3f9df22b5698bd243b806d928d2
SHA1

568d948e52eec0ffa420abda655f1747dcbebd6a
SHA256

f503296a054e2d2b2fe6f3ec18bfafc010258bb2133a25e5324a8810e9fb3e86
SHA512

9edc441b9228da3236cabe1bebee9f6b09f994e6641c8d294945a8b8621067c8ee014b2cfbee742ad8c5e180465f6617a6c65adf9710423dce106c4fada22f53
SSDEEP

786432:NfKxjqXvwQWCgfqwjVkXj2fgLbljlH/o8m4Wo86rs43datm0BYWaUL/AGituCWFJ:NyQLgJVkTggvxlfoWWo86P3d4Tqn81FJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4844	PvZ ND.exe

Loads dropped DLL 2 IoCs

pid	Process
4844	PvZ ND.exe
4844	PvZ ND.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	pvz-nd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4844	PvZ ND.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1720	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1720	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4844	PvZ ND.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 4844	2276	pvz-nd.exe	80
PID 2276 wrote to memory of 4844	2276	pvz-nd.exe	80
PID 2276 wrote to memory of 4844	2276	pvz-nd.exe	80

C:\Users\Admin\AppData\Local\Temp\pvz-nd.exe
"C:\Users\Admin\AppData\Local\Temp\pvz-nd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PvZ ND.exe
  "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PvZ ND.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PvZ ND.exe

Filesize
4.2MB

MD5
00b576a78b8895ba8bdf0052a78eb4cd

SHA1
264e29044239cb51e28f7e59c2dbf2b110871a7d

SHA256
d7becd5723e1e50e61542303b5d817440e05ec06016bc50e54fafdee61a54dd4

SHA512
37f4be77132531a9106ec79b8a8f015d4df63a86e421263b28d17d33975dca2e4f79ef0fb6146fc211e94004194f8192603d0639f1fede361ce70a0ed7e51a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\audiogroup1.dat

Filesize
6.1MB

MD5
a58d78f7e4579c97bc2324acd0af52d7

SHA1
a4b905fde83151369cae18dade85f89436aaf3e6

SHA256
2d9cb87372b695b7689bda26a916a87d0829972fee83706c2d50182ced0a1f05

SHA512
8e488821ad406469285498b3d137880cee57192a28391d2f14dca791ab3d2ba3467380103317fa9230da606ec8fa0c0dd4861adbb4476dde244c253002efc213

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\audiogroup2.dat

Filesize
21.9MB

MD5
3e33e9523992e095b31a025962d62ed2

SHA1
e12bb1303d4170a2ce9f3bc93a0d185e172f2028

SHA256
318e37dccda4e463684edc3fc4479f5a0b20748c3b64c4980872e61192cd642a

SHA512
c3620501b65551c58285a89e0c70bde58770fe68ece30ac2d8d761247602f9b0b732399b5b304399b9f6eb682c9851807187ab15064741216e377c3db927052c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\data.win

Filesize
21.5MB

MD5
104f9c8fa82c52cb87cc181ba4e97155

SHA1
18ce00d1086b87440cd457c34f57837224b472db

SHA256
df8e8e1b19caf2345c1e8e19fc69436f609ef4c1a8b1c4785879acd137a5a3f4

SHA512
eb4362f986ca78e8b3123ae81ff974a753dd635cfdd0b7d5eda5d2f4b847b81b457e874baf7f4c37b4c911eea46ba6f8a376a3763600522ac6baa72a5008394c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\execute_shell_simple_ext.dll

Filesize
4KB

MD5
b0d2413df199cd182670d4ca816bd623

SHA1
cad45f4d8ddb54ed815aaea0983baf42a119daf5

SHA256
eb001ce800a9e301393c06f2a5dfb97cad1cfe93a0dd5eb160343b51dd4dcd33

SHA512
c93bbf830a73c5a2b47f3ba4a9cb0205f100ba326f5bef4fb3e0751e4bd1454eed6b67c70cfc00ffc5e46a21e9810d3d1e3f88775e372635e9d2b10e40b90e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\options.ini

Filesize
98B

MD5
9be0801d8f16730aa913f36f795f05b5

SHA1
007fdc779d5ddb58f6620fba9a9d16455a2e8996

SHA256
d17681df255e3b0abaaad8ddd3a4e2cf5a0b98064847b51bd170e6988f74e0c2

SHA512
4ddc808a91887626f16cea624c3e5c7d54887fa8581c33fafb5f5c7ad9caad3b53cb21ff72bc8e3666e4c66b6e73857daf92624f0c24a9464e9b7abf636060f5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads