Analysis
max time kernel: 0s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/01/2024, 09:55
Behavioral tasks (task: sample, resource)
behavioral1: GongShaFuZhu13/【x1】攻沙辅助/cfgdll.dll, win7-20231129-en
behavioral2: GongShaFuZhu13/【x1】攻沙辅助/cfgdll.dll, win10v2004-20231215-en
behavioral3: GongShaFuZhu13/【x1】攻沙辅助/plugin/FILE.dll, win7-20231215-en
behavioral4: GongShaFuZhu13/【x1】攻沙辅助/plugin/FILE.dll, win10v2004-20231215-en
behavioral5: GongShaFuZhu13/【x1】攻沙辅助/plugin/MSG.dll, win7-20231215-en
behavioral6: GongShaFuZhu13/【x1】攻沙辅助/plugin/MSG.dll, win10v2004-20231215-en
behavioral7: GongShaFuZhu13/【x1】攻沙辅助/plugin/READ.dll, win7-20231215-en
behavioral8: GongShaFuZhu13/【x1】攻沙辅助/plugin/READ.dll, win10v2004-20231215-en
behavioral9: GongShaFuZhu13/【x1】攻沙辅助/plugin/REGDLL.dll, win7-20231215-en
behavioral10: GongShaFuZhu13/【x1】攻沙辅助/plugin/REGDLL.dll, win10v2004-20231215-en
behavioral11: GongShaFuZhu13/【x1】攻沙辅助/plugin/REMOTEANSWER_JDYOU.dll, win7-20231215-en
behavioral12: GongShaFuZhu13/【x1】攻沙辅助/plugin/REMOTEANSWER_JDYOU.dll, win10v2004-20231215-en
behavioral13: GongShaFuZhu13/【x1】攻沙辅助/plugin/SGUOBROWSER.dll, win7-20231215-en
behavioral14: GongShaFuZhu13/【x1】攻沙辅助/plugin/SGUOBROWSER.dll, win10v2004-20231215-en
behavioral15: GongShaFuZhu13/【x1】攻沙辅助/plugin/WEBOPERATION.dll, win7-20231129-en
behavioral16: GongShaFuZhu13/【x1】攻沙辅助/plugin/WEBOPERATION.dll, win10v2004-20231215-en
behavioral17: GongShaFuZhu13/【x1】攻沙辅助/plugin/WINDOW.dll, win7-20231215-en
behavioral18: GongShaFuZhu13/【x1】攻沙辅助/plugin/WINDOW.dll, win10v2004-20231215-en
behavioral19: GongShaFuZhu13/【x1】攻沙辅助/xgs/RegDll.dll, win7-20231129-en
behavioral20: GongShaFuZhu13/【x1】攻沙辅助/xgs/RegDll.dll, win10v2004-20231222-en
behavioral21: GongShaFuZhu13/【x1】攻沙辅助/xgs/dm.dll, win7-20231215-en
behavioral22: GongShaFuZhu13/【x1】攻沙辅助/xgs/dm.dll, win10v2004-20231215-en
behavioral23: GongShaFuZhu13/【x1】攻沙辅助/xgs/help.doc, win7-20231215-en
behavioral24: GongShaFuZhu13/【x1】攻沙辅助/xgs/help.doc, win10v2004-20231215-en
behavioral25: GongShaFuZhu13/【x1】攻沙辅助/攻沙辅助v1.3.exe, win7-20231215-en
behavioral26: GongShaFuZhu13/【x1】攻沙辅助/攻沙辅助v1.3.exe, win10v2004-20231215-en
behavioral27: GongShaFuZhu13/【x1】攻沙辅助/辅助浏览器-Browser.exe, win7-20231215-en
behavioral28: GongShaFuZhu13/【x1】攻沙辅助/辅助浏览器-Browser.exe, win10v2004-20231215-en
behavioral29: GongShaFuZhu13/游迅网.url, win7-20231215-en
behavioral30: GongShaFuZhu13/游迅网.url, win10v2004-20231215-en
General
Target: GongShaFuZhu13/【x1】攻沙辅助/xgs/dm.dll
Size: 906KB
MD5: faf2c7db70ec0fe4596c0395e5eb228f
SHA1: bcc89bff37ac8eccd85162c44c0477f412f2c616
SHA256: d003f814a6828ee02a26049407d38785262e969faeb00b6bc3179ed4fec061ae
SHA512: 1b0ee5731f1726cce2047800e8c8adcc725f92b3c94b0e56e9cc2d33f64e3f9e1a0356558e97b8ed80ca40ba068dc07b70f4df46f6dc62729428d05e8725828a
SSDEEP: 24576:DWQBeP+QrqH2zKBd3G0Ypdrcc2iIZl2mBVU89XQBpizYho1SH:DWZnGIKb20Ar8iIZfBVdXQBpuYw
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
2376  regsvr32Srv.exe
5132  DesktopLayer.exe

resource                                                                       yara_rule
behavioral22/files/0x000f00000002315a-3.dat                                    upx
behavioral22/memory/5132-16-0x0000000000400000-0x000000000042E000-memory.dmp   upx
behavioral22/memory/5132-14-0x0000000000400000-0x000000000042E000-memory.dmp   upx
behavioral22/memory/2376-7-0x0000000000400000-0x000000000042E000-memory.dmp    upx
behavioral22/memory/2376-4-0x0000000000400000-0x000000000042E000-memory.dmp    upx
behavioral22/memory/208-0-0x0000000010000000-0x0000000010194000-memory.dmp     upx

Drops file in System32 directory (1 IoC)
description   ioc                                   Process
File created  C:\Windows\SysWOW64\regsvr32Srv.exe   regsvr32.exe

Drops file in Program Files directory (3 IoCs)
description                   ioc                                                 Process
File opened for modification  C:\Program Files (x86)\Microsoft\px44F8.tmp         regsvr32Srv.exe
File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe   regsvr32Srv.exe
File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe   regsvr32Srv.exe

Modifies Internet Explorer settings
description      ioc                                                                                                                       Process
Key created      \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main                    iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"   iexplore.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid   Process
5132  DesktopLayer.exe (8 events)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
424   iexplore.exe (2 events)

Suspicious use of WriteProcessMemory (14 IoCs)
description                        pid   Process           procid_target
PID 1456 wrote to memory of 208    1456  regsvr32.exe      13
PID 1456 wrote to memory of 208    1456  regsvr32.exe      13
PID 1456 wrote to memory of 208    1456  regsvr32.exe      13
PID 208 wrote to memory of 2376    208   regsvr32.exe      20
PID 208 wrote to memory of 2376    208   regsvr32.exe      20
PID 208 wrote to memory of 2376    208   regsvr32.exe      20
PID 2376 wrote to memory of 5132   2376  regsvr32Srv.exe   19
PID 2376 wrote to memory of 5132   2376  regsvr32Srv.exe   19
PID 2376 wrote to memory of 5132   2376  regsvr32Srv.exe   19
PID 5132 wrote to memory of 424    5132  DesktopLayer.exe  18
PID 5132 wrote to memory of 424    5132  DesktopLayer.exe  18
PID 424 wrote to memory of 1836    424   iexplore.exe      17
PID 424 wrote to memory of 1836    424   iexplore.exe      17
PID 424 wrote to memory of 1836    424   iexplore.exe      17
Processes
- C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\GongShaFuZhu13\【x1】攻沙辅助\xgs\dm.dll
  PID: 1456
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\GongShaFuZhu13\【x1】攻沙辅助\xgs\dm.dll
    PID: 208
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32Srv.exe
      command line: C:\Windows\SysWOW64\regsvr32Srv.exe
      PID: 2376
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:424 CREDAT:17410 /prefetch:2
  PID: 1836
- C:\Program Files\Internet Explorer\iexplore.exe
  command line: "C:\Program Files\Internet Explorer\iexplore.exe"
  PID: 424
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
  PID: 5132
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 55KB
MD5: ff5e1f27193ce51eec318714ef038bef
SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a