Resubmissions

04/09/2024, 00:41

240904-a19sts1eqq 7

04/09/2024, 00:37

240904-aypd4ssfkf 7

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    04/09/2024, 00:41

General

  • Target

    植物大战僵尸β版整合包v6.30-R1.zip

  • Size

    38.7MB

  • MD5

    fbe53a1a224fe0e610896cb019dae95b

  • SHA1

    36d952cd6897e8b9a43654357d837717e404434c

  • SHA256

    be9f3cafa56a0b87e078993a0cea69ce56c1b7027dab2dbeb94fc956732abc18

  • SHA512

    f5ba67caa11e5636ea6904355daa2ef9d05b283af5c86345acef55f10e9fdb3ff989c27a69618596898e70155803828ab6b801aef589b244db88371ea6adc064

  • SSDEEP

    786432:nPuJUxJQIobU6PswCWnSL3w8iM1BwtHVg2QVvecOuUU/kPuW8vrrq22p7:nPugJQIVwk3biM1B12QVvPcPuW8js

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\植物大战僵尸β版整合包v6.30-R1.zip
    1⤵
      PID:4540
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3808
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.0.604889477\2131250406" -parentBuildID 20221007134813 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82d1fbf9-e865-4171-9b17-ca8be8dfae1b} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 1828 243442c4b58 gpu
          3⤵
            PID:2484
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.1.1895755542\349603139" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c8062f0-14d2-41f6-a747-74fc809f3b79} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 2184 24331d72858 socket
            3⤵
              PID:4184
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.2.847382393\1746322174" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2768 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c6a3cf5-7850-4ba6-9c09-b78d770c90b3} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 2752 24348299158 tab
              3⤵
                PID:2552
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.3.1512700518\1847541442" -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 2784 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {36a4c19a-4f7f-41a0-b4c8-d94914e63850} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 3500 243468f5258 tab
                3⤵
                  PID:3592
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.4.1894300318\257045041" -childID 3 -isForBrowser -prefsHandle 4264 -prefMapHandle 4260 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f2c738e-f442-4dea-85f3-7564a5f4da0d} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 4276 2434a011558 tab
                  3⤵
                    PID:4524
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.5.1243234595\1451034707" -childID 4 -isForBrowser -prefsHandle 4596 -prefMapHandle 4612 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7605444-90cc-4bfe-ae5f-7cf9b2736a51} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 4540 24331d6c458 tab
                    3⤵
                      PID:4280
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.6.420962353\1668492607" -childID 5 -isForBrowser -prefsHandle 4932 -prefMapHandle 4936 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a53cba24-1620-4d47-b6a8-5cdaa1997c95} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 4924 2434ab2b558 tab
                      3⤵
                        PID:2412
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4460.7.60877557\1584075724" -childID 6 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10172418-5ab8-4fa3-a00f-2565077b9844} 4460 "\\.\pipe\gecko-crash-server-pipe.4460" 4820 2434ab28558 tab
                        3⤵
                          PID:4756

Network

MITRE ATT&CK Enterprise v15


Downloads

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

                      Filesize

                      9KB

                      MD5

                      97aee45c8c059b884daeac8af8235ccf

                      SHA1

                      6cfa6a92b95aa8f1d8e7ffef80160478e40006b8

                      SHA256

                      c5bc1d170f65f745c0a151b17304f1593a4dd52e2593812a1243c55060ec3f3c

                      SHA512

                      17057a30a22433b97e852b3b56007cd50ef1ce29f50e088e3affe9616b6a700fe00d2456528152827ad4282cba7ac97924b0b2be26613fbf13add80f5a6ecde0

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\415db757-7364-49db-809c-0c97c83e8b7e

                      Filesize

                      734B

                      MD5

                      9f2c49d27b1a6ddc3cd887151a025637

                      SHA1

                      2b81c3250505c178d9adaabc0079dce5ff08092d

                      SHA256

                      906636d387f24a08f2e16004e3fbf5616b416b0ec7d1a36db22687f75822edec

                      SHA512

                      7c700f2233e70957117082b09fd907d454bd35696ce90d61c9c41b24f78cf500c14ce24caceea8184398b9d0611995a9ba66f7f4690039f1a3ecd29a7bb7ed9a

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

                      Filesize

                      6KB

                      MD5

                      fefffc77709de39ad3cdff97afb5e71b

                      SHA1

                      0609b5346520ed1df86d8a30f5bd4b1b3ffbc920

                      SHA256

                      494951fbbbc6f912319d287df80a633750a2bbad84000f5e9a2e20f19a0ed27d

                      SHA512

                      e90ccc53eade4e1e3e38cea62cde420ae1f6f90b04eb4dc261a1e2b6cd3d801ff4bdbb20f3e3f706d57c522a5b959b33c88259c006f32adb3ac9f7601381558a

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

                      Filesize

                      6KB

                      MD5

                      d84df2a27fbc680f53eda2f0fe3115fd

                      SHA1

                      98a70bc17c0ed6f3064affa4dca2c5869fb7774c

                      SHA256

                      ed4d9b0090f0900544f343f8e5edbe758d714c0d06a7224d2bb73798b4a62e4a

                      SHA512

                      b82b57ea329c36a65a3c0d209a9d93f230212fa33cfe05b066a7eec854ba0f25f542fc3a7e186dfe2b018c9d4daf81584f70fde5889f28e1a65ea5cc902c29c2

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js

                      Filesize

                      6KB

                      MD5

                      43e684d58b6009fb5e9ef5a0cd0cea32

                      SHA1

                      a2cda977cd219aeda60b35484eb4c32876da1733

                      SHA256

                      88112cc3de290e5c64f4284c1e06d4db411aa3b76817326bb7ef1d35093153ba

                      SHA512

                      04e1fa849caf63b1f583dd23e7bb8fe6394033334ab10a3b4f6c63966bdd39ace0806f95bba6f02b408fb909fef8831fa7888f2ebd83bd452f24b4e82951df1e

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

                      Filesize

                      1KB

                      MD5

                      c40fded050226690a81085481a7525c2

                      SHA1

                      b776f70c2c8a03308474d6a7832a731ddceeb886

                      SHA256

                      c64eef9d18c87de5a4a7d145bb3d929a485191a9ea92f0f1208fd99cb51793ad

                      SHA512

                      b7ca8b1690606838a734956ba750daa528f03d840da8df6582d9e84ba5f8d25df192c1a5f419b24808ebd96fa56d0654e6ee2a7f70d202536017f409d97d2625

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

                      Filesize

                      1KB

                      MD5

                      d9548c2bd7de58d229359aebc2b7ebaa

                      SHA1

                      c4ba12fd0818859e3160adb217fadd5a2c4d2883

                      SHA256

                      ca6f2c120f6cca5ba07272baa76f9867ecfbec47d30737dfa4514921d0d9df63

                      SHA512

                      a21c5bbb7c751ed31639886b184de2651fdf3696c5c5b6e916a7bead489c2c233aac9cadbb076723c63b39424d1d9ba7dee31f9fb8feb9810c3a6a2e0424624b