6b16d8ba2bbb1c4e18adc235435e996325ffba178609b726be4b7e2d8576069e

Analysis

max time kernel
15s
max time network
7s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pvz-hybrid-v2.5.exe
Size

97.9MB
MD5

0aeec3acb34a701e8bcbf5679b7cc150
SHA1

148b63984fc0874f82e7d3b89fdce2f4ac03aedf
SHA256

6b16d8ba2bbb1c4e18adc235435e996325ffba178609b726be4b7e2d8576069e
SHA512

97db90f2ffd246ccc5407905d49d132ab78039a112333114aa40770d07c2dd37cfd2216101bf721f4080a48dd7f224dbd7c7932e667ed7a33e830195b976c5a7
SSDEEP

3145728:CLDbEj687kaZ2DJoB0y7MyeT98jjFGrIcQsC:CLkjDMy7TeT98jjoIEC

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000023cdb-93.dat	acprotect
behavioral1/memory/4848-96-0x0000000010000000-0x000000001000A000-memory.dmp	acprotect

Loads dropped DLL 12 IoCs

pid	Process
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023cdb-93.dat	upx
behavioral1/memory/4848-96-0x0000000010000000-0x000000001000A000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe	pvz-hybrid-v2.5.exe
File opened for modification	C:\Program Files (x86)\pvzHE\app.7z	pvz-hybrid-v2.5.exe
File created	C:\Program Files (x86)\pvzHE\uninst.exe	pvz-hybrid-v2.5.exe
File created	C:\Program Files (x86)\pvzHE\logo.ico	pvz-hybrid-v2.5.exe
File created	C:\Program Files (x86)\pvzHE\app.7z	pvz-hybrid-v2.5.exe
File created	C:\Program Files (x86)\pvzHE\pvzHE-Launcher.exe	pvz-hybrid-v2.5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pvz-hybrid-v2.5.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe
4848	pvz-hybrid-v2.5.exe

C:\Users\Admin\AppData\Local\Temp\pvz-hybrid-v2.5.exe
"C:\Users\Admin\AppData\Local\Temp\pvz-hybrid-v2.5.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoE86D.tmp\AccessControl.dll

Filesize
15KB

MD5
d74bb4447af48da081c7d9b499f3a023

SHA1
dadf6e140e6fd8e49a1851cc144bb022e0adb185

SHA256
5fd5d8aec97cffaad9b7df6371b348d436cf1401e86fab614dc4cb8575428e52

SHA512
9a15de5c6b08914f5e5bbc1c318fb0e84da28a316cf51ccddca8dfb64cd67b7ad06acac307b41d5086a0740055d327007ff890807d6853bb2e767179a3b3d758

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoE86D.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoE86D.tmp\ShellExecAsUser.dll

Filesize
43KB

MD5
34f26f7c3fe27d37dad8b799f61f2f06

SHA1
13693a61ef439137b9d4a05624f1b080c3773850

SHA256
1d1b08f87537884fcd95f4a8520bef11b89eeb852a025b04bf4cf62780992b5b

SHA512
18afe311c82574b77c344b3bb83bb9429614d51c3f408704b4544ada1a11dd9ef91fe1f41d7b7c246c4f028af65cfbe8df5b6b2455980d3426ebcf123b815891

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoE86D.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoE86D.tmp\md5dll.dll

Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoE86D.tmp\nsNiuniuSkin.dll

Filesize
891KB

MD5
cb9ccb0f6923b5e38221a2c9603eb669

SHA1
7214cae53f36cab79841e9d49b07cffd7ce5e1c5

SHA256
6a38b8084e7493ff57ea3eda7101fbfd6113d8470531b479ce05cefb4e34bc79

SHA512
5d510870559737ba9f10447716a654e3aa609b64a1b753e2d3722b7b92e1768980d2ff070e639add57a13a7941c1d680ffa6e13abd47c44b1d18a230590ebb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoE86D.tmp\nsProcess.dll

Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoE86D.tmp\nsis7zU.dll

Filesize
313KB

MD5
06a47571ac922f82c098622b2f5f6f63

SHA1
8a581c33b7f2029c41edaad55d024fc0d2d7c427

SHA256
e4ab3064f2e094910ae80104ef9d371ccb74ebbeeed592582cf099acd83f5fe9

SHA512
04b3d18042f1faa536e1393179f412a5644d2cf691fbc14970f79df5c0594eeedb0826b495807a3243f27aaa0380423c1f975fe857f32e057309bb3f2a529a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoE86D.tmp\skin.zip

Filesize
2.2MB

MD5
3f9c2b2237cb1f4f23ecfebafbfbe16a

SHA1
2249200fda0008b03666b2905c062f49d0cc1c3a

SHA256
f43d0ef72d6d94980eb1522dc2cb9571506a94b1bb65de26a94d0fbb295dd42c

SHA512
2d8475f1c0f9afe140c7881e7848bc10f1f6a8263895c3818f4a04cfb200e68c2041b0d599cbd2a6eb9cf2dcc97942c942aa2625e2ea46e773244cefb584f955

Download Submit
memory/4848-96-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download