Overview
overview
10Static
static
7GongShaFuZ...ll.dll
windows7-x64
1GongShaFuZ...ll.dll
windows10-2004-x64
1GongShaFuZ...LE.dll
windows7-x64
1GongShaFuZ...LE.dll
windows10-2004-x64
3GongShaFuZ...SG.dll
windows7-x64
1GongShaFuZ...SG.dll
windows10-2004-x64
3GongShaFuZ...AD.dll
windows7-x64
1GongShaFuZ...AD.dll
windows10-2004-x64
1GongShaFuZ...LL.dll
windows7-x64
1GongShaFuZ...LL.dll
windows10-2004-x64
1GongShaFuZ...OU.dll
windows7-x64
7GongShaFuZ...OU.dll
windows10-2004-x64
7GongShaFuZ...ER.dll
windows7-x64
1GongShaFuZ...ER.dll
windows10-2004-x64
1GongShaFuZ...ON.dll
windows7-x64
1GongShaFuZ...ON.dll
windows10-2004-x64
1GongShaFuZ...OW.dll
windows7-x64
1GongShaFuZ...OW.dll
windows10-2004-x64
3GongShaFuZ...ll.dll
windows7-x64
10GongShaFuZ...ll.dll
windows10-2004-x64
10GongShaFuZ...dm.dll
windows7-x64
10GongShaFuZ...dm.dll
windows10-2004-x64
10GongShaFuZ...lp.doc
windows7-x64
4GongShaFuZ...lp.doc
windows10-2004-x64
1GongShaFuZ....3.exe
windows7-x64
1GongShaFuZ....3.exe
windows10-2004-x64
1GongShaFuZ...er.exe
windows7-x64
1GongShaFuZ...er.exe
windows10-2004-x64
3GongShaFuZ...��.url
windows7-x64
1GongShaFuZ...��.url
windows10-2004-x64
1Analysis
-
max time kernel
138s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
10/01/2024, 09:55
Behavioral task
behavioral1
Sample
GongShaFuZhu13/【x1】攻沙辅助/cfgdll.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
GongShaFuZhu13/【x1】攻沙辅助/cfgdll.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/FILE.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/FILE.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/MSG.dll
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/MSG.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/READ.dll
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/READ.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/REGDLL.dll
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/REGDLL.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/REMOTEANSWER_JDYOU.dll
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/REMOTEANSWER_JDYOU.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/SGUOBROWSER.dll
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/SGUOBROWSER.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/WEBOPERATION.dll
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/WEBOPERATION.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/WINDOW.dll
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
GongShaFuZhu13/【x1】攻沙辅助/plugin/WINDOW.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
GongShaFuZhu13/【x1】攻沙辅助/xgs/RegDll.dll
Resource
win7-20231129-en
Behavioral task
behavioral20
Sample
GongShaFuZhu13/【x1】攻沙辅助/xgs/RegDll.dll
Resource
win10v2004-20231222-en
Behavioral task
behavioral21
Sample
GongShaFuZhu13/【x1】攻沙辅助/xgs/dm.dll
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
GongShaFuZhu13/【x1】攻沙辅助/xgs/dm.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
GongShaFuZhu13/【x1】攻沙辅助/xgs/help.doc
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
GongShaFuZhu13/【x1】攻沙辅助/xgs/help.doc
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
GongShaFuZhu13/【x1】攻沙辅助/攻沙辅助v1.3.exe
Resource
win7-20231215-en
Behavioral task
behavioral26
Sample
GongShaFuZhu13/【x1】攻沙辅助/攻沙辅助v1.3.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
GongShaFuZhu13/【x1】攻沙辅助/辅助浏览器-Browser.exe
Resource
win7-20231215-en
Behavioral task
behavioral28
Sample
GongShaFuZhu13/【x1】攻沙辅助/辅助浏览器-Browser.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
GongShaFuZhu13/游迅网.url
Resource
win7-20231215-en
Behavioral task
behavioral30
Sample
GongShaFuZhu13/游迅网.url
Resource
win10v2004-20231215-en
General
-
Target
GongShaFuZhu13/【x1】攻沙辅助/xgs/dm.dll
-
Size
906KB
-
MD5
faf2c7db70ec0fe4596c0395e5eb228f
-
SHA1
bcc89bff37ac8eccd85162c44c0477f412f2c616
-
SHA256
d003f814a6828ee02a26049407d38785262e969faeb00b6bc3179ed4fec061ae
-
SHA512
1b0ee5731f1726cce2047800e8c8adcc725f92b3c94b0e56e9cc2d33f64e3f9e1a0356558e97b8ed80ca40ba068dc07b70f4df46f6dc62729428d05e8725828a
-
SSDEEP
24576:DWQBeP+QrqH2zKBd3G0Ypdrcc2iIZl2mBVU89XQBpizYho1SH:DWZnGIKb20Ar8iIZfBVdXQBpuYw
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2448 regsvr32Srv.exe 2844 DesktopLayer.exe -
Loads dropped DLL 2 IoCs
pid Process 2768 regsvr32.exe 2448 regsvr32Srv.exe -
resource yara_rule behavioral21/memory/2768-0-0x0000000010000000-0x0000000010194000-memory.dmp upx behavioral21/memory/2768-3-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral21/files/0x000e0000000126a6-2.dat upx behavioral21/memory/2844-21-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral21/memory/2448-9-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral21/memory/2448-7-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral21/files/0x000e0000000126a6-6.dat upx -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\regsvr32Srv.exe regsvr32.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\px5B59.tmp regsvr32Srv.exe File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe regsvr32Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe regsvr32Srv.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411042422" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6D7C0D21-AF9E-11EE-B578-EAAD54D9E991} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2844 DesktopLayer.exe 2844 DesktopLayer.exe 2844 DesktopLayer.exe 2844 DesktopLayer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2736 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2736 iexplore.exe 2736 iexplore.exe 2696 IEXPLORE.EXE 2696 IEXPLORE.EXE 2696 IEXPLORE.EXE 2696 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2768 2240 regsvr32.exe 28 PID 2240 wrote to memory of 2768 2240 regsvr32.exe 28 PID 2240 wrote to memory of 2768 2240 regsvr32.exe 28 PID 2240 wrote to memory of 2768 2240 regsvr32.exe 28 PID 2240 wrote to memory of 2768 2240 regsvr32.exe 28 PID 2240 wrote to memory of 2768 2240 regsvr32.exe 28 PID 2240 wrote to memory of 2768 2240 regsvr32.exe 28 PID 2768 wrote to memory of 2448 2768 regsvr32.exe 32 PID 2768 wrote to memory of 2448 2768 regsvr32.exe 32 PID 2768 wrote to memory of 2448 2768 regsvr32.exe 32 PID 2768 wrote to memory of 2448 2768 regsvr32.exe 32 PID 2448 wrote to memory of 2844 2448 regsvr32Srv.exe 31 PID 2448 wrote to memory of 2844 2448 regsvr32Srv.exe 31 PID 2448 wrote to memory of 2844 2448 regsvr32Srv.exe 31 PID 2448 wrote to memory of 2844 2448 regsvr32Srv.exe 31 PID 2844 wrote to memory of 2736 2844 DesktopLayer.exe 30 PID 2844 wrote to memory of 2736 2844 DesktopLayer.exe 30 PID 2844 wrote to memory of 2736 2844 DesktopLayer.exe 30 PID 2844 wrote to memory of 2736 2844 DesktopLayer.exe 30 PID 2736 wrote to memory of 2696 2736 iexplore.exe 29 PID 2736 wrote to memory of 2696 2736 iexplore.exe 29 PID 2736 wrote to memory of 2696 2736 iexplore.exe 29 PID 2736 wrote to memory of 2696 2736 iexplore.exe 29
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\GongShaFuZhu13\【x1】攻沙辅助\xgs\dm.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\GongShaFuZhu13\【x1】攻沙辅助\xgs\dm.dll2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\regsvr32Srv.exeC:\Windows\SysWOW64\regsvr32Srv.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2448
-
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:21⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2696
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD58274c5eb25a9cc6a20cea81c78e97e2b
SHA121dcca6f4abff83f6000252b93f5dcf853ab3b35
SHA2564db6c6ecae01e34dc2e7596886175025c10374fc458be515fe60bd227b3b4130
SHA512be7305a865e40746e4a3d75aac68f418a4b5b4387e304b698c4499cb068e2ba32557aa63646f05c53ff42b08284940701ba64d18254026c8bdc7a0f52a24e392
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD59307e3f98762c02f00968d33e2550311
SHA10b2a40b37d2a71254a829ce7523c045cee21fc82
SHA2560a10d7889e3db5b1e5c840fdd8c86bce900d48203d6721418607e25202040294
SHA512e40dbedba1f262af189901b609b4b794bf705382cc6fac84be86fc7fd2cddbddc48cc88194acdc90691db8a3beae8efecb6ced57bae3a42929a093b123fb5f6a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b1a05930da3151598614a8bcc176adcc
SHA157f42bcedb0e7ccad47903649d7538441fb9422e
SHA256870ea814e3cb4856779b576e5639a261ce273b15923e41d1ae134024b0dcc740
SHA5124c5097be4700a3db20d66165116d5038c0ec3bd9a4fc39f4374b97fe0dc04e79880aa8b931e11a36941db46d22231d72c67e1d53d1be4000b18d5872ccdf5c62
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD568f595337e709ef07600781b33a1856b
SHA1728d4dcf5f9a9e23317fac63e7a7587d94744930
SHA256d0f33a3398b15c96b671354a6486563f134752fbd0343eadf4713e33a54830b1
SHA512074ca40388e66d67e7344a67a860eddb96719023aa1bf7f5923f9f89cf108a34c9e9031587719f551678410eabd87fd80ad57893a01f55b172a677fc40f72ebf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5ce201dbe184b38897aba7d41b0475e47
SHA15381264d9c5094e7dae33aa940cc42807c8a1340
SHA2563199870ff3ac4c07c189d123d867392a9137b3ce87d2ceb37ed6d0490c37e655
SHA512e37225706297a8ebf72eaa96fc77dae66776b764d8786de701877c11d32ccf06fa1f7fb4aa7f70e3e81f0613ff610a77f913228ba04b39844c3f2beb50f1d803
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD54ab867b15a72ec2bc8c101b31e28d751
SHA16ab2476aeb3943ccd68e259f8e4cd219ff87bf29
SHA256d7bb35e4866c6c27d5989a9eedf300b0dd1228c5178a3fabea99a942db81c6d4
SHA512e80fcb8986616a7b4b6a197db82eccf0b3b9df12a7019fd2be8538782b687d8cf77744504160a2ee01e881b0a084148e8c6868a7d7d2fe272edbd74d820f10b6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5e3f80d0a250af6b9ff8b8664abaee5b5
SHA17face469e59fb9cd57d7e8b8bf315f66267c70ce
SHA256a1c994805d8f8012017939d7b90e1042237193e26bca2676929a5eaaac01607b
SHA512170d58d94c8e53406a21740f77deb5f1ce7a4cc824e071539ff3d2714859e3a64dec1b755403c2def8136d14227b99980d331de04f95977b23317e5fefd5ecd6
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a