611a9368a7233cb61e5f2e67e5b7d2d2d08c52dfd231f2e5301a97619254fd0e

Analysis

max time kernel
118s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

融合版迷雾2.1.3版本/PlantsVsZombiesRH.exe
Size

651KB
MD5

882d02f5907c402a9f28dd7584149168
SHA1

95a2b0c99886cbc7b849004ea0e0a8eb825c98c6
SHA256

4e013f15a3f60c6d01e433ac22aa5476dcb353f4fde3788e0bd5e3b856f50c60
SHA512

0ad9d73985152cdf93a465df6353163ae73c81e1d867df0174e857cbc684af49e4e9d106f1bf969b797ad0b05e45fb4bf5f8d4cff0c08d127890ec04305e1928
SSDEEP

12288:GH744aOD8yRbYq7TPGn38lXR5GIKklvZhW9Y:M9aON8sGn3kD/lxhWq

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PlantsVsZombiesRH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PlantsVsZombiesRH.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PlantsVsZombiesRH.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PlantsVsZombiesRH.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2376	PlantsVsZombiesRH.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2556	2376	PlantsVsZombiesRH.exe	31
PID 2376 wrote to memory of 2556	2376	PlantsVsZombiesRH.exe	31
PID 2376 wrote to memory of 2556	2376	PlantsVsZombiesRH.exe	31

C:\Users\Admin\AppData\Local\Temp\融合版迷雾2.1.3版本\PlantsVsZombiesRH.exe
"C:\Users\Admin\AppData\Local\Temp\融合版迷雾2.1.3版本\PlantsVsZombiesRH.exe"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\融合版迷雾2.1.3版本\UnityCrashHandler64.exe
  "C:\Users\Admin\AppData\Local\Temp\融合版迷雾2.1.3版本\UnityCrashHandler64.exe" --attach 2376 3215360
  2⤵
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\LanPiaoPiao\PlantsVsZombiesRH\Unity\local.9930545fac62bb54b88029ee6340031a\Analytics\ArchivedEvents\172808805600002.d69ee9d2\c

Filesize
1B

MD5
c81e728d9d4c2f636f067f89cc14862c

SHA1
da4b9237bacccdf19c0760cab7aec4a8359010b0

SHA256
d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35

SHA512
40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114

Download Submit
C:\Users\Admin\AppData\LocalLow\LanPiaoPiao\PlantsVsZombiesRH\Unity\local.9930545fac62bb54b88029ee6340031a\Analytics\ArchivedEvents\172808805600002.d69ee9d2\s

Filesize
466B

MD5
5a999eaefd613cf1486d7b54bc97e66b

SHA1
1611fac31456902e3e74cd13c8c4ce0a6de3b24a

SHA256
ec59b999b91d81fd114705e676b3d7a009ebb078f7bcb82ec481580b8cfbc27f

SHA512
7d321fb7e6a0e2054d0af53c12560751d932b18bb152453d5bb40bd232add3bad83681a014c8a3c3cde5c24a27d5e492e7ffb751f8850dc36b67080ada85a2f2

Download Submit
memory/2376-49-0x000007FFFFE80000-0x000007FFFFE90000-memory.dmp

Filesize
64KB

Download
memory/2376-53-0x000007FFFFEC0000-0x000007FFFFED0000-memory.dmp

Filesize
64KB

Download
memory/2376-87-0x000007FFFFE70000-0x000007FFFFE80000-memory.dmp

Filesize
64KB

Download
memory/2376-89-0x000007FFFFE60000-0x000007FFFFE70000-memory.dmp

Filesize
64KB

Download