Plantas Vs Zombies.exe
This report is generated from a file or URL submitted to this webservice on August 20th 2021 20:27:01 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.48.13 © Hybrid Analysis
Incident Response
Risk Assessment
- Fingerprint
  - Queries firmware table information (may be used to fingerprint/evade)
  - Queries kernel debugger information
  - Queries process information
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (2)

Anti-Detection/Stealthyness

Queries firmware table information (may be used to fingerprint/evade)
- details
  - "PlantasVsZombies.exe" at 00000000-00002488-00000105-9972552
  - "PlantasVsZombies.exe" at 00000000-00002488-00000105-9972729
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1120

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details
  - 1/68 Antivirus vendors marked sample as malicious (1% detection rate)
- source: External System
- relevance: 8/10

Suspicious Indicators (13)

Anti-Detection/Stealthyness

Queries kernel debugger information
- details
  - "PlantasVsZombies.exe" at 00000000-00002488-00000105-9326578
- source: API Call
- relevance: 6/10

Queries process information
- details
  - "PlantasVsZombies.exe" queried SystemProcessInformation at 00000000-00002488-00000105-10488684
  - "PlantasVsZombies.exe" queried SystemProcessInformation at 00000000-00002488-00000105-10489811
- source: API Call
- relevance: 4/10
- ATT&CK ID: T1057

Anti-Reverse Engineering

PE file has unusual entropy sections
- details
  - .rsrc section with unusual entropy 7.99972360887
- source: Static Parser
- relevance: 10/10

Environment Awareness

Reads the active computer name
- details
  - "PlantasVsZombies.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details
  - "PlantasVsZombies.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
  - 1/87 reputation engines marked "http://xiph.org" as malicious (1% detection rate)
- source: External System
- relevance: 10/10

General

Reads configuration files
- details
  - "PlantasVsZombies.exe" read file "%APPDATA%\Microsoft\Windows\Start Menu\desktop.ini"
  - "PlantasVsZombies.exe" read file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\desktop.ini"
  - "PlantasVsZombies.exe" read file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\desktop.ini"
  - "PlantasVsZombies.exe" read file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini"
  - "PlantasVsZombies.exe" read file "%APPDATA%\Microsoft\Windows\SendTo\Desktop.ini"
  - "PlantasVsZombies.exe" read file "C:\Program Files\desktop.ini"
  - "PlantasVsZombies.exe" read file "%WINDIR%\win.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Drops executable files
- details
  - "vcredist_x86.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Opens the MountPointManager (often used to detect additional infection locations)
- details
  - "PlantasVsZombies.exe" opened "\Device\MountPointManager"
- source: API Call
- relevance: 5/10

Unusual Characteristics

Imports suspicious APIs
- details
  - SetSecurityDescriptorDacl, OpenProcessToken, DeviceIoControl, GetFileAttributesA, CopyFileA, GetVersionExA, GetModuleFileNameA, LoadLibraryA, CreateDirectoryA, DeleteFileA, GetCommandLineA, GetProcAddress, CreateThread, GetModuleHandleA, FindFirstFileA, WriteFile, FindNextFileA, GetDriveTypeA, TerminateProcess, CreateProcessA, Sleep, CreateFileA, GetTickCount, GetFileSize
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details
  - "PlantasVsZombies.exe" wrote bytes "75dc0e77273e0e7751c10c77ee9c0c7794980c770fb3127710990c7790970c770000000042c6b675152eb675c0d9b6751bf7b675c108b875e0c2b67536dab67530c6b675d5d9b67586c4b67500000000" to virtual address "0x6FE7E000" (part of module "MSLS31.DLL")
  - "PlantasVsZombies.exe" wrote bytes "c04e777720547877e0657877b53879770000000000d0b67500000000c5eab6750000000088eab67500000000e968887582287977ee29797700000000d2698875000000007dbbb6750000000009be887500000000ba18b67500000000" to virtual address "0x761F1000" (part of module "NSI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details
  - "PlantasVsZombies.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
  - "PlantasVsZombies.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
  - "PlantasVsZombies.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "PlantasVsZombies.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN")
  - "PlantasVsZombies.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Hiding 1 suspicious indicator (all indicators are available only in the private webservice or standalone version).

Informative (13)

General

Creates a writable file in a temporary directory
- details
  - "PlantasVsZombies.exe" created file "%TEMP%\popcfg2\install.xml"
  - "PlantasVsZombies.exe" created file "%TEMP%\popcfg2\leeme.html"
  - "PlantasVsZombies.exe" created file "%TEMP%\popcfg2\logo.bmp"
  - "PlantasVsZombies.exe" created file "%TEMP%\popcfg2\product.bmp"
  - "PlantasVsZombies.exe" created file "%TEMP%\popcfg2\props.xml"
  - "PlantasVsZombies.exe" created file "%TEMP%\popcfg2\vcredist_x86.exe"
  - "PlantasVsZombies.exe" created file "%TEMP%\popcfg2\defines.xml"
  - "PlantasVsZombies.exe" created file "%TEMP%\popcfg2\eula.rtf"
- source: API Call
- relevance: 1/10

Creates mutants
- details
  - "\Sessions\1\BaseNamedObjects\Local\DirectSound DllMain mutex (0x000009B8)"
  - "Local\DirectSound DllMain mutex (0x000009B8)"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details
  - Antivirus vendors marked dropped file "vcredist_x86.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "eula.rtf" as clean (type is "Rich Text Format data version 1 unknown character set")
- source: Binary File
- relevance: 10/10

Loads rich edit control libraries
- details
  - "PlantasVsZombies.exe" loaded module "%WINDIR%\System32\riched32.dll" at 72850000
  - "PlantasVsZombies.exe" loaded module "%WINDIR%\System32\riched20.dll" at 72420000
- source: Loaded Module
- ATT&CK ID: T1179

Scanning for window names
- details
  - "PlantasVsZombies.exe" searching for class "MPWClass"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

The input sample is signed with a certificate
- details
  - The input sample is signed with a certificate issued by "C=US, S=Washington, L=Seattle, O=PopCap Games, OU=Digital ID Class 3 - Microsoft Software Validation v2, CN=PopCap Games" (SHA1: 49:A4:88:A0:EA:21:43:9C:F6:92:88:A9:E3:8F:AB:4F:77:FB:0E:C0 (sha1RSA(RSA)); see report for more information)
  - The input sample is signed with a certificate issued by "C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa c09, CN=VeriSign Class 3 Code Signing 2009-2 CA" (SHA1: 12:D4:87:2B:C3:EF:01:9E:7E:0B:6F:13:24:80:AE:29:DB:5B:1C:A3 (sha1RSA(RSA)); see report for more information)
  - The input sample is signed with a certificate issued by "C=US, O="VeriSign, Inc.", OU=Class 3 Public Primary Certification Authority" (SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2 (md2RSA(RSA)); see report for more information)
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1116

The input sample is signed with a valid certificate
- details
  - The entire certificate chain of the input sample was validated successfully.
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1116

Installation/Persistence

Connects to LPC ports
- details
  - "PlantasVsZombies.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details
  - "vcredist_x86.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "product.bmp" has type "PC bitmap Windows 3.x format 70 x 96 x 24"
  - "logo.bmp" has type "PC bitmap Windows 3.x format 84 x 73 x 32"
  - "install.xml" has type "ISO-8859 text with CRLF line terminators"
  - "defines.xml" has type "ASCII text with CRLF line terminators"
  - "eula.rtf" has type "Rich Text Format data version 1 unknown character set"
  - "props.xml" has type "XML 1.0 document UTF-8 Unicode (with BOM) text with CRLF line terminators"
  - "leeme.html" has type "HTML document Non-ISO extended-ASCII text with very long lines with CRLF line terminators"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details
  - "PlantasVsZombies.exe" touched file "C:\Windows\Branding\Basebrd\basebrd.dll"
  - "PlantasVsZombies.exe" touched file "C:\Windows\System32\en-US\dxdiagn.dll.mui"
  - "PlantasVsZombies.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "PlantasVsZombies.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
  - "PlantasVsZombies.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
  - "PlantasVsZombies.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000027.db"
  - "PlantasVsZombies.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"
  - "PlantasVsZombies.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu"
  - "PlantasVsZombies.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini"
  - "PlantasVsZombies.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\desktop.ini"
  - "PlantasVsZombies.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu"
  - "PlantasVsZombies.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini"
  - "PlantasVsZombies.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini"
  - "PlantasVsZombies.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
  - "PlantasVsZombies.exe" touched file "C:\Windows\System32\rsaenh.dll"
  - "PlantasVsZombies.exe" touched file "C:\Windows\System32\ddraw.dll"
  - "PlantasVsZombies.exe" touched file "C:\Windows\System32\en-US\ddraw.dll.mui"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details
  - Heuristic match: "\mpg2splt.ax"
  - Pattern match: "http://www.microsoft.com/directx"
  - Heuristic match: "~%Oy XY.cy"
  - Heuristic match: "<XTZVRr|R.TF"
  - Heuristic match: "i,vsko[5.IS"
  - Heuristic match: ":%;*(7`.ad"
  - Pattern match: "http://www.popcap.com/privacy.php"
  - Pattern match: "http://www.popcap.com"
  - Pattern match: "www.popcap.com}}}\sectd"
  - Pattern match: "http://www.popcap.com/help.php"
  - Pattern match: "http://www.popcap.com/?cid=PVZ_PC_DLD_ES"
  - Pattern match: "http://www.popcap.com/trademarks"
- source: File/Memory
- relevance: 10/10

System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
  - "PlantasVsZombies.exe" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1215

Unusual Characteristics

Matched Compiler/Packer signature
- details
  - "vcredist_x86.exe" was detected as "tElock v1.0 (private) -> tE!"
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1045

File Details
Plantas Vs Zombies.exe
- Filename: Plantas Vs Zombies.exe
- Size: 38MiB (39339584 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: f18ac9cd0611d7890a1e5944b2b6d5aa94db486adfb0bd68b9ea4bbba5ca3eb2
- MD5: ae632c61a59cd216633d10cefb49f76d
- SHA1: b8e912107d98a06aee90b786b96974ed54ea2ca3
Classification (TrID)
- 53.0% (.EXE) InstallShield setup
- 34.0% (.EXE) Win64 Executable (generic)
- 5.5% (.EXE) Win32 Executable (generic)
- 2.4% (.EXE) OS/2 Executable (generic)
- 2.4% (.EXE) Generic Win/DOS Executable
File Certificates
Certificate chain was successfully validated.

Owner | Issuer | Serial | Validity (from / to) | SHA1 fingerprint (signature algorithm) |
---|---|---|---|---|
C=US, S=Washington, L=Seattle, O=PopCap Games, OU=Digital ID Class 3 - Microsoft Software Validation v2, CN=PopCap Games | C=US, S=Washington, L=Seattle, O=PopCap Games, OU=Digital ID Class 3 - Microsoft Software Validation v2, CN=PopCap Games | 60f0be25f028bfedb5bdf0ce5c7a9e26 | 09/23/2009 02:00:00 / 09/21/2012 01:59:59 | 49:A4:88:A0:EA:21:43:9C:F6:92:88:A9:E3:8F:AB:4F:77:FB:0E:C0 (sha1RSA(RSA)) |
C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa c09, CN=VeriSign Class 3 Code Signing 2009-2 CA | C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa c09, CN=VeriSign Class 3 Code Signing 2009-2 CA | 655226e1b22e18e1590f2985ac22e75c | 05/21/2009 02:00:00 / 05/21/2019 01:59:59 | 12:D4:87:2B:C3:EF:01:9E:7E:0B:6F:13:24:80:AE:29:DB:5B:1C:A3 (sha1RSA(RSA)) |
C=US, O="VeriSign, Inc.", OU=Class 3 Public Primary Certification Authority | C=US, O="VeriSign, Inc.", OU=Class 3 Public Primary Certification Authority | 70bae41d10d92934b638ca7b03ccbabf | 01/29/1996 02:00:00 / 08/02/2028 01:59:59 | 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2 (md2RSA(RSA)) |
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- PlantasVsZombies.exe (PID: 2488) 1/68
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Clean (2)

eula.rtf
- Size: 68KiB (70095 bytes)
- Type: rtf
- Description: Rich Text Format data, version 1, unknown character set
- AV Scan Result: 0/55
- Runtime Process: PlantasVsZombies.exe (PID: 2488)
- MD5: b9a97fabff3c0c15ec564909ac2df5ce
- SHA1: e9df7d902f32888c6742661c339e59a6708a1225
- SHA256: a0e57e5920f21ad3200b4c0ceac3cf0dc6adb8f413aee24e0898b0bf99d52739

vcredist_x86.exe
- Size: 4MiB (4216840 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/67
- Runtime Process: PlantasVsZombies.exe (PID: 2488)
- MD5: 5689d43c3b201dd3810fa3bba4a6476a
- SHA1: 6939100e397cef26ec22e95e53fcd9fc979b7bc9
- SHA256: 41f45a46ee56626ff2699d525bb56a3bb4718c5ca5f4fb5b3b38add64584026b

Informative (6)

defines.xml
- Size: 1.2KiB (1212 bytes)
- Type: text
- Description: ASCII text, with CRLF line terminators
- Runtime Process: PlantasVsZombies.exe (PID: 2488)
- MD5: f59f666354be0edc3ee8b766968229a7
- SHA1: dc31f98358bac9307b0194b2daf0056b3e47e1bf
- SHA256: 16d1e8d659ffbb93581acac368e52f200a1a64bd45eb8510716aaaa2a3ecf6bd

install.xml
- Size: 3.8KiB (3931 bytes)
- Type: text
- Description: ISO-8859 text, with CRLF line terminators
- Runtime Process: PlantasVsZombies.exe (PID: 2488)
- MD5: 47de11f878875e850458c5c83af1e31f
- SHA1: 44efa1c2b3df80a477aea11f23af67567b489e49
- SHA256: 141125390d65dbe4289058357c2dfc79bb517ce91759708cc42b9574fac2182a

leeme.html
- Size: 60KiB (61098 bytes)
- Type: html
- Description: HTML document, Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
- Runtime Process: PlantasVsZombies.exe (PID: 2488)
- MD5: 755efb7b854248028c0c86492c2be767
- SHA1: 51c0519bc334b99510601459df8e2734554e5081
- SHA256: b055206c5a4e90ad61c05d9fe010f5eeda915bbf5c0f7d70e291787ad71ee635

logo.bmp
- Size: 24KiB (24584 bytes)
- Type: unknown
- Description: PC bitmap, Windows 3.x format, 84 x 73 x 32
- Runtime Process: PlantasVsZombies.exe (PID: 2488)
- MD5: 1843d66328cedc1ce60cb98f3d593f4a
- SHA1: d84a82214e498123609a13aa54164f972776d33a
- SHA256: 7f3e2f0ec8926e7911fe024271387657adf8bda95581c6235f995be57ff56ea1

product.bmp
- Size: 20KiB (20408 bytes)
- Type: unknown
- Description: PC bitmap, Windows 3.x format, 70 x 96 x 24
- Runtime Process: PlantasVsZombies.exe (PID: 2488)
- MD5: 802223a5402a14ef31768f3700450ae7
- SHA1: ee2b9eb9b3be3a4559dfcbdf15532db526f9516e
- SHA256: e0450e59cbffffa8987cc847dc62946da34b3bd74f6dc50e62f96602f223bb4d

props.xml
- Size: 6.2KiB (6384 bytes)
- Type: text
- Description: XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process: PlantasVsZombies.exe (PID: 2488)
- MD5: 0ce8786549bbc2c1bd778b988217474b
- SHA1: 093d18a32805f5b11ccb7548fbc56ecbe28eaad7
- SHA256: ba556d9af45e08eaccaf5bfd5c6f437c06f69a58c3d6b6b14a1f9fb9d6b9d9af

Notifications

Runtime
- Network whitenoise filtering was applied
- No static analysis parsing on sample was performed
- Not all Falcon MalQuery lookups completed in time
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)