General

Target: 植物大战僵尸杂交版v2.6.1安装程序.exe (Plants vs. Zombies Hybrid Edition v2.6.1 installer)
Size: 102.4MB
Sample: 241111-11t1gsxgra
MD5: 98849e138ab6156ba18cb20db32bc2ac
SHA1: 676b47bd3be7d47c96327194d7a70d5fbae48b24
SHA256: ffc7f1f83525fff84f63a0074b769bc7005a0e9610e7ce1b81013cb1b3c7228a
SHA512: ed342f015b9442b1fedf8053292935519e90cfc065531766a0647431516ff48eeef23ed8b60b0fc3b9b450cbf2e105a7c71a592e095a0497512e475f1ebc5e95
SSDEEP: 1572864:48kRu3M0FLfwREdnoPdk9DRqXblGRbMccLFiy2p1NMPcJbfa2RA30uOROr8+CuvQ:4/GMKf9n2dk4hccsy2NC6bS2FuORFfoC
Behavioral tasks

behavioral1: 植物大战僵尸杂交版v2.6.1安装程序.exe (resource win11-20241007-en)
behavioral2: install.png (resource win11-20241007-en)
Malware Config

Targets
Target: 植物大战僵尸杂交版v2.6.1安装程序.exe
Size: 102.4MB
MD5: 98849e138ab6156ba18cb20db32bc2ac
SHA1: 676b47bd3be7d47c96327194d7a70d5fbae48b24
SHA256: ffc7f1f83525fff84f63a0074b769bc7005a0e9610e7ce1b81013cb1b3c7228a
SHA512: ed342f015b9442b1fedf8053292935519e90cfc065531766a0647431516ff48eeef23ed8b60b0fc3b9b450cbf2e105a7c71a592e095a0497512e475f1ebc5e95
SSDEEP: 1572864:48kRu3M0FLfwREdnoPdk9DRqXblGRbMccLFiy2p1NMPcJbfa2RA30uOROr8+CuvQ:4/GMKf9n2dk4hccsy2NC6bS2FuORFfoC

Signatures:
- Modifies WinLogon for persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies RDP port number used by Windows
- Sets service image path in registry
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Boot or Logon Autostart Execution: Authentication Package
  Suspicious Windows Authentication Registry Modification.
- Drops file in System32 directory

Target: install.png
Size: 4KB
MD5: cb42261cca6e4bdffca61ea42965d2a4
SHA1: b7eb72605c950978b9f1ead2806f7877771a0c85
SHA256: 419e3ebca34426260b3b116ae0d4975b59d08b93ffaa03290d443e48b77fb5c2
SHA512: 670be9e374bcf0cd00fc92d2087944734f081362b9f6c0471a5f5eaa6ca3f79e76464588eeab8d9e93c7b4f608c42998ff8426faa0653fc9482a8969a4519d72
SSDEEP: 96:IStwknmWp80RcY1HiyrwLQiudwkj3uD6p0S:ISeknjn1XwpLkj+Wpj

Signatures:
- Modifies WinLogon for persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies RDP port number used by Windows
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Boot or Logon Autostart Execution: Authentication Package
  Suspicious Windows Authentication Registry Modification.
- Drops file in System32 directory

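Host-side triage for the persistence and defence-evasion signatures listed for both targets (Winlogon modification, authentication package, RDP port change, service image path, Safe Mode Boot, file dropped in the Drivers directory). This is an added example written for this page, not code from the sandbox report or from the sample; it only reads the registry and file system. The baseline values it compares against (explorer.exe and userinit.exe for Winlogon, msv1_0 as the sole LSA authentication package, port 3389, and Windows / Program Files as the trusted binary roots) are assumptions about a stock Windows 10/11 image, and the quarantine path in the usage comment is hypothetical.

```powershell
# Added host-triage example for this page (not part of the sandbox report or the sample).
# Read-only. Run in an elevated Windows PowerShell 5.1+ session on the suspect host.
# ASSUMPTION: baseline values below are stock Windows 10/11 defaults; tune for custom images.

$ReportSha256 = 'ffc7f1f83525fff84f63a0074b769bc7005a0e9610e7ce1b81013cb1b3c7228a'

function Test-SampleHash {
    # Confirm the file on disk is the sample this report describes before acting on it.
    param([Parameter(Mandatory)][string]$Path)
    $actual = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash.ToLowerInvariant()
    [pscustomobject]@{ Path = $Path; Sha256 = $actual; MatchesReport = ($actual -eq $ReportSha256) }
}

function New-Finding($Check, $Location, $Value, $Detail) {
    [pscustomobject]@{ Check = $Check; Location = $Location; Value = $Value; Detail = $Detail }
}

function Test-PathOutsideTrustedRoots([string]$ImagePath) {
    # Normalise the forms ImagePath takes ("\??\C:\...", "\SystemRoot\...", "system32\...",
    # quoted paths, trailing arguments) before comparing against the trusted roots.
    if (-not $ImagePath) { return $false }
    $exe = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($exe.StartsWith('"')) { $exe = $exe.Substring(1).Split('"')[0] }
    elseif ($exe -match '^(.+?\.(exe|sys|dll))(\s|$)') { $exe = $Matches[1] }
    $exe = $exe -replace '^\\\?\?\\', ''
    $exe = $exe -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($exe -match '^system32\\') { $exe = "$env:SystemRoot\$exe" }
    $roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($r in $roots) {
        if ($exe.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

function Get-TriageFindings {
    # 1. Winlogon helper values (Modifies WinLogon for persistence / Winlogon Helper DLL).
    $wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $wlKey
    $baseline = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }
    foreach ($name in $baseline.Keys) {
        $cur = [string]$wl.$name
        if ($cur -and ($cur.Trim() -ine $baseline[$name])) {
            New-Finding 'Winlogon' "$wlKey\$name" $cur 'Differs from stock value; extra entries run at logon'
        }
    }

    # 2. LSA authentication packages (Boot or Logon Autostart Execution: Authentication Package).
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($pkg in @((Get-ItemProperty -Path $lsaKey).'Authentication Packages')) {
        if ($pkg -and ($pkg -ine 'msv1_0')) {
            New-Finding 'AuthPackage' "$lsaKey\Authentication Packages" $pkg 'Non-default package loaded into LSASS at boot'
        }
    }

    # 3. RDP listener port (Modifies RDP port number used by Windows).
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if ($port -and ($port -ne 3389)) { New-Finding 'RdpPort' "$rdpKey\PortNumber" $port 'RDP moved off 3389' }

    # 4. Services/drivers whose binary lives outside Windows or Program Files
    #    (Sets service image path in registry).
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $services = Get-ChildItem -Path $svcRoot
    $svcNames = @{}
    foreach ($svc in $services) {
        $svcNames[$svc.PSChildName] = $true
        $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (Test-PathOutsideTrustedRoots $img) {
            New-Finding 'ServiceImagePath' $svc.PSChildName $img 'Service binary outside trusted roots'
        }
    }

    # 5. Safe-mode allow-list (Impair Defenses: Safe Mode Boot): a flagged service listed here
    #    keeps running even when the user boots to Safe Mode to clean the machine.
    foreach ($mode in 'Minimal', 'Network') {
        $sbKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($entry in Get-ChildItem -Path $sbKey -ErrorAction SilentlyContinue) {
            $name = $entry.PSChildName
            if (-not $svcNames.ContainsKey($name)) { continue }
            $img = (Get-ItemProperty -Path "$svcRoot\$name" -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            if (Test-PathOutsideTrustedRoots $img) {
                New-Finding 'SafeBoot' "$sbKey\$name" $img 'Non-standard service allowed to start in Safe Mode'
            }
        }
    }

    # 6. Recently written driver files without a valid Authenticode signature
    #    (Drops file in Drivers directory). ASSUMPTION: a 7-day window is a reasonable triage cut-off.
    $drivers = Join-Path $env:SystemRoot 'System32\drivers'
    foreach ($f in Get-ChildItem -Path $drivers -Filter *.sys -File -ErrorAction SilentlyContinue |
                   Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') {
            New-Finding 'DriverFile' $f.FullName $sig.Status 'Recently written driver without a valid signature'
        }
    }
}

# Usage (hypothetical quarantine path): verify the hash, then review findings alongside the report.
# Test-SampleHash -Path 'C:\quarantine\sample.exe'
# Get-TriageFindings | Format-Table -AutoSize
```

Findings are emitted as objects so they can be exported (`Export-Csv`) or filtered by the `Check` column; the script is deliberately read-only, since remediation of the Winlogon and LSA values should only follow confirmation that a match is not a legitimate third-party product on that host.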
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (3)
    Authentication Package (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Authentication Package (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
Defense Evasion
  Impair Defenses (1)
    Safe Mode Boot (1)
  Modify Registry (4)
  Subvert Trust Controls (2)
    Install Root Certificate (1)
    SIP and Trust Provider Hijacking (1)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)