1adfe7331f6997e664db3065552e14000f9209db44c063c489d091dcf1378c80

Resubmissions

14-09-2024 12:11

240914-pc2jwasgpm 7

Analysis

max time kernel
184s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-09-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pvz-hybrid-v2.4.exe
Size

90.1MB
MD5

9775b1915baa4ec31a69f8a1ffe712e9
SHA1

ec120f160a7bf57f3be7cd941e3e87134d39c566
SHA256

1adfe7331f6997e664db3065552e14000f9209db44c063c489d091dcf1378c80
SHA512

a77553f24ec010a2842cb6dc88e46ad07688a721bc0465c19874ea24fdb4e55d7d557b556c87faac61582ed09eacd203f10e0f9be3c703d7ca034207a23bfa79
SSDEEP

1572864:L6YlVs2yxfzngwsNV5K4N+UmkxuNXAS7av/MTQpJ8+jBxbCRbGPvur0RsKtcXLz:LFE2Qf7aVX+UnAwdvETQBj7bCRWur0Fs

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000001ac1b-93.dat	acprotect
behavioral1/memory/1424-97-0x0000000010000000-0x000000001000A000-memory.dmp	acprotect

Executes dropped EXE 2 IoCs

pid	Process
4560	pvzHE-Launcher.exe
2112	PlantsVsZombies.exe

Loads dropped DLL 15 IoCs

pid	Process
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
2112	PlantsVsZombies.exe
2112	PlantsVsZombies.exe
2112	PlantsVsZombies.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001ac1b-93.dat	upx
behavioral1/memory/1424-97-0x0000000010000000-0x000000001000A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	bcastdvr.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3540	GameBarPresenceWriter.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\pvzHE\app.7z	pvz-hybrid-v2.4.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fixes\补丁请放在此文件夹	pvzHE-Launcher.exe
File opened for modification	C:\Program Files (x86)\pvzHE\.tmpy519ps\bass.dll	pvzHE-Launcher.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fonts\wryh+pico12num.ttf	pvzHE-Launcher.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fonts\wryh.ttf	pvzHE-Launcher.exe
File opened for modification	C:\Program Files (x86)\pvzHE\.tmpy519ps\PlantsVsZombies.exe	pvzHE-Launcher.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fonts\fzcq.ttf	pvzHE-Launcher.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fonts\fzkt.TTF	pvzHE-Launcher.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fonts\fzyh.ttf	pvzHE-Launcher.exe
File created	C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe	pvz-hybrid-v2.4.exe
File opened for modification	C:\Program Files (x86)\pvzHE\config.toml	pvzHE-Launcher.exe
File opened for modification	C:\Program Files (x86)\pvzHE\.tmpy519ps\gdi42.dll	pvzHE-Launcher.exe
File created	C:\Program Files (x86)\pvzHE\uninst.exe	pvz-hybrid-v2.4.exe
File opened for modification	C:\Program Files (x86)\pvzHE\fonts\fzjz.ttf	pvzHE-Launcher.exe
File opened for modification	C:\Program Files (x86)\pvzHE\main.pak	pvzHE-Launcher.exe
File created	C:\Program Files (x86)\pvzHE\logo.ico	pvz-hybrid-v2.4.exe
File created	C:\Program Files (x86)\pvzHE\app.7z	pvz-hybrid-v2.4.exe
File opened for modification	C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe	pvz-hybrid-v2.4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pvz-hybrid-v2.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pvzHE-Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PlantsVsZombies.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	GamePanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	GamePanel.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
1424	pvz-hybrid-v2.4.exe
4560	pvzHE-Launcher.exe
4560	pvzHE-Launcher.exe
4560	pvzHE-Launcher.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2112	PlantsVsZombies.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3252	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3252	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 2112	4560	pvzHE-Launcher.exe	77
PID 4560 wrote to memory of 2112	4560	pvzHE-Launcher.exe	77
PID 4560 wrote to memory of 2112	4560	pvzHE-Launcher.exe	77

C:\Users\Admin\AppData\Local\Temp\pvz-hybrid-v2.4.exe
"C:\Users\Admin\AppData\Local\Temp\pvz-hybrid-v2.4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe
"C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Program Files (x86)\pvzHE\.tmpy519ps\PlantsVsZombies.exe
  "C:\Program Files (x86)\pvzHE\.tmpy519ps\PlantsVsZombies.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x398
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:3540

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 000000000005020C /startuptips
1⤵
- Checks SCSI registry key(s)
PID:3000

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
- Drops desktop.ini file(s)
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\pvzHE\.tmpy519ps\PlantsVsZombies.exe

Filesize
10.6MB

MD5
18dac202fdb3b98fe22beeec9e3154df

SHA1
7b66a2ffa31211791e0db2c60611c05b1c74d7f3

SHA256
f32c3e498e77bf7010cff2de377df062d8799d9dd50490e8920a68938e47ee3b

SHA512
377588ce15e8512c0466a5bb01b40c7c2507f162d657fddcab4f2c6dd96a0843d64932dfaf6c9560324f7c8fbe0020398aff6123237b7a19fc4e3eb9c62261ed

Download Submit
C:\Program Files (x86)\pvzHE\fonts\fzcq.ttf

Filesize
2.4MB

MD5
2167a0f0bf3f1cb718f2683d13a4c887

SHA1
bb9c3bdafa5a0032ae2fa4e1b90c08c153a40026

SHA256
5b7d4a996fc1077774a5a37c3dce400d6c7af152c95c17e80a257fdfa01b299d

SHA512
9b18e693ba428a464abfaf482559b7e602339ce2125eac06a0127f9735aece5b593329591e4f33bf3b1d609b394949ebfde6270bd68ee8efd36900d449d70403

Download Submit
C:\Program Files (x86)\pvzHE\fonts\fzjz.ttf

Filesize
1.4MB

MD5
b020f94b37feaebe8827cbe20574f3fe

SHA1
0909fab3388b8c5f0af1a88bb0ca63e825ba89b9

SHA256
d6e6bfaf209c2e6536b7fc91e73cfd0c65320913775bdd2c552b34cc6a4e3ad3

SHA512
a282e437fac567d7f27f6a1f6e99e9a37d5e5f2512c5e2f45534c5116a9e06e545dd6197367dd1c300cdfcefdbe2be3552ee4c136063f188f93f6d01225ccbd2

Download Submit
C:\Program Files (x86)\pvzHE\fonts\fzyh.ttf

Filesize
3.9MB

MD5
d8d4f4cd37f444e0d4a32e7f8d429b1f

SHA1
ffa5c01deeb65d36ffdb118e24351e958775b425

SHA256
ca830a3680be9a70c8a661d5f7327b6d24c7059ca783ad7eb6d75be7919326fb

SHA512
9577b0444fc6aebb5d7b902317d22d8a7fd39fd1fcdc7698f40d35e94905fbb3091ac536c2ca3789e9a9913f73908b756a4489b10fcb42727d93bd2eba55fbd4

Download Submit
C:\Program Files (x86)\pvzHE\fonts\wryh+pico12num.ttf

Filesize
13.7MB

MD5
ee6f32d05c738b25d7b8476f09d2a4e2

SHA1
cec7dcaa5219a47826cff8b9d35a55fe8eb23c64

SHA256
04242d27b05860c07906fbf0d5276b25e5951f892be898c59d4c9b755d79f52c

SHA512
62b72347513ec2b9d78e8f13ffe0a11433c4a288fb10ff02849d4a48c005bc28f5f6f220916fddf01d28a4e238a75860f35ba924fd93efa628812873fc173b7d

Download Submit
C:\Program Files (x86)\pvzHE\fonts\wryh.ttf

Filesize
14.3MB

MD5
c2db9c4749c6ecf521ffca0dd8f62752

SHA1
b65631674c73acb0c5b3f40b0e4cb875c15ce377

SHA256
c3c0e7bbcec69ee4765a53831c7be310acaca1ec1b408974ca4f4c73c1aa400c

SHA512
cd49890025a987d9a1754156d036b8c337c6ad50f1504c1ddbd23c50ce5a622cf0cf51784f5c99eae8e6b8f1f0f8a6f70be064a0cc731064f8aa643bb252d5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95F7.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq95F7.tmp\skin.zip

Filesize
2.0MB

MD5
4863dabae1416c25d51937362114d024

SHA1
f245c156882d52b9910b861d6986c3f736eb7ce2

SHA256
fbf082a3ce5305198105bbf97274838d881b07442fe6fb976deb2cd058d249ab

SHA512
643743a764aeafd6b5f9058381fa857e474b8a63ffbf54b8204ee9654f0551efb4af7de33b86d9cf7c3efb39b35fc57af9961b90d238d8f599fa77a694be863e

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
\Program Files (x86)\pvzHE\.tmpy519ps\bass.dll

Filesize
90KB

MD5
6731f160e001bb85ba930574b8d42776

SHA1
aa2b48c55d9350be1ccf1dce921c33100e627378

SHA256
3627adef7e04dd7aa9b8e116d0afc11dcee40d0e09d573210a4f86bdc81a80b6

SHA512
07ae0cb85464b015b35e6157228775a6ac66e5e62a1b47f9395307b61176b6df835e00a1518846507718acffc271263008cc8a9b2c1e8a0192c5438774e12437

Download Submit
\Program Files (x86)\pvzHE\.tmpy519ps\gdi42.dll

Filesize
2.4MB

MD5
925373c5522569c053ae3ff9a8879a40

SHA1
8e18a8dea1add62d9fb56414dfe42fc1c04b2505

SHA256
57d7f0a0290fbf80d2b3399ba102df384fbc27edaee77fec86a5c106f4bf8429

SHA512
2e239ba0fbab72d7bfef07746e287ac359341b5f96d14b754e8a16165da542ddb5431feb044ebb6b7084a06a33e65ff964b1cc2da9a6f2be0eb4a9a38b39278b

Download Submit
\Users\Admin\AppData\Local\Temp\nsq95F7.tmp\AccessControl.dll

Filesize
15KB

MD5
d74bb4447af48da081c7d9b499f3a023

SHA1
dadf6e140e6fd8e49a1851cc144bb022e0adb185

SHA256
5fd5d8aec97cffaad9b7df6371b348d436cf1401e86fab614dc4cb8575428e52

SHA512
9a15de5c6b08914f5e5bbc1c318fb0e84da28a316cf51ccddca8dfb64cd67b7ad06acac307b41d5086a0740055d327007ff890807d6853bb2e767179a3b3d758

Download Submit
\Users\Admin\AppData\Local\Temp\nsq95F7.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
\Users\Admin\AppData\Local\Temp\nsq95F7.tmp\ShellExecAsUser.dll

Filesize
43KB

MD5
34f26f7c3fe27d37dad8b799f61f2f06

SHA1
13693a61ef439137b9d4a05624f1b080c3773850

SHA256
1d1b08f87537884fcd95f4a8520bef11b89eeb852a025b04bf4cf62780992b5b

SHA512
18afe311c82574b77c344b3bb83bb9429614d51c3f408704b4544ada1a11dd9ef91fe1f41d7b7c246c4f028af65cfbe8df5b6b2455980d3426ebcf123b815891

Download Submit
\Users\Admin\AppData\Local\Temp\nsq95F7.tmp\md5dll.dll

Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsq95F7.tmp\nsNiuniuSkin.dll

Filesize
891KB

MD5
cb9ccb0f6923b5e38221a2c9603eb669

SHA1
7214cae53f36cab79841e9d49b07cffd7ce5e1c5

SHA256
6a38b8084e7493ff57ea3eda7101fbfd6113d8470531b479ce05cefb4e34bc79

SHA512
5d510870559737ba9f10447716a654e3aa609b64a1b753e2d3722b7b92e1768980d2ff070e639add57a13a7941c1d680ffa6e13abd47c44b1d18a230590ebb6c

Download Submit
\Users\Admin\AppData\Local\Temp\nsq95F7.tmp\nsProcess.dll

Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
\Users\Admin\AppData\Local\Temp\nsq95F7.tmp\nsis7zU.dll

Filesize
313KB

MD5
06a47571ac922f82c098622b2f5f6f63

SHA1
8a581c33b7f2029c41edaad55d024fc0d2d7c427

SHA256
e4ab3064f2e094910ae80104ef9d371ccb74ebbeeed592582cf099acd83f5fe9

SHA512
04b3d18042f1faa536e1393179f412a5644d2cf691fbc14970f79df5c0594eeedb0826b495807a3243f27aaa0380423c1f975fe857f32e057309bb3f2a529a83

Download Submit
memory/1424-97-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2112-339-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-344-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-335-0x0000000000400000-0x0000000000F4D000-memory.dmp

Filesize
11.3MB

Download
memory/2112-336-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-337-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-131-0x0000000000400000-0x0000000000F4D000-memory.dmp

Filesize
11.3MB

Download
memory/2112-340-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-341-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-342-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-135-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-345-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-346-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-347-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-348-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-349-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-350-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-351-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download
memory/2112-352-0x0000000010340000-0x0000000010381000-memory.dmp

Filesize
260KB

Download