Overview
overview
8Static
static
3spvod_player.exe
windows7-x64
8spvod_player.exe
windows10-2004-x64
8$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$SYSDIR/pncrt.dll
windows7-x64
3$SYSDIR/pncrt.dll
windows10-2004-x64
3Codecs/Rea...er.dll
windows7-x64
1Codecs/Rea...er.dll
windows10-2004-x64
1Codecs/WMFDemux.dll
windows7-x64
1Codecs/WMFDemux.dll
windows10-2004-x64
1Codecs/asyncflt.dll
windows7-x64
1Codecs/asyncflt.dll
windows10-2004-x64
1Codecs/atrc.dll
windows7-x64
1Codecs/atrc.dll
windows10-2004-x64
1Codecs/cook.dll
windows7-x64
1Codecs/cook.dll
windows10-2004-x64
1Codecs/drvc.dll
windows7-x64
3Codecs/drvc.dll
windows10-2004-x64
3Codecs/msvcr71.dll
windows7-x64
3Codecs/msvcr71.dll
windows10-2004-x64
3Codecs/raac.dll
windows7-x64
1Codecs/raac.dll
windows10-2004-x64
1GifShower.dll
windows7-x64
1GifShower.dll
windows10-2004-x64
1Uninstall.exe
windows7-x64
7Uninstall.exe
windows10-2004-x64
7vjocx.dll
windows7-x64
8vjocx.dll
windows10-2004-x64
8新云软件.url
windows7-x64
1新云软件.url
windows10-2004-x64
1Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
26-01-2024 00:28
Static task
static1
Behavioral task
behavioral1
Sample
spvod_player.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral2
Sample
spvod_player.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$SYSDIR/pncrt.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral6
Sample
$SYSDIR/pncrt.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Codecs/RealMediaSplitter.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral8
Sample
Codecs/RealMediaSplitter.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Codecs/WMFDemux.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral10
Sample
Codecs/WMFDemux.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Codecs/asyncflt.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral12
Sample
Codecs/asyncflt.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Codecs/atrc.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral14
Sample
Codecs/atrc.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Codecs/cook.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral16
Sample
Codecs/cook.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Codecs/drvc.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral18
Sample
Codecs/drvc.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Codecs/msvcr71.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral20
Sample
Codecs/msvcr71.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Codecs/raac.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral22
Sample
Codecs/raac.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
GifShower.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral24
Sample
GifShower.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Uninstall.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral26
Sample
Uninstall.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
vjocx.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral28
Sample
vjocx.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
新云软件.url
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral30
Sample
新云软件.url
Resource
win10v2004-20231215-en
windows10-2004-x64
General
-
Target
GifShower.dll
-
Size
132KB
-
MD5
407ca7065f10a6397db208ad28b2990e
-
SHA1
574d120ff00d8204e159ef4372e7e9675330288f
-
SHA256
0e2b461e74409bd6d7a4f6f6cac153310d3b03aafc4d394c757aa3f26345ca14
-
SHA512
d4dce120d19bf0ceca38aeba4b08329ec9adac27c1b0e796709351971b923d6a88017bfa7a74fc09833f3bd15c803352f30c6a1b6692f80fb73150881cb36671
-
SSDEEP
3072:VCguN+rU8htnSec6la9rtTxvmcl2nO9k:VCjNv9rtNvcO9
Malware Config
Signatures
-
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GifShower.GifShow\CLSID\ = "{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\MiscStatus\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\ = "PSFactoryBuffer" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GifShower.GifShow.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GifShower.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\ToolboxBitmap32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GifShower.dll, 102" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GifShower.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\VersionIndependentProgID\ = "GifShower.GifShow" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\MiscStatus\1\ = "139665" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GifShower.DLL\AppID = "{B6188993-A07B-40E9-ADF8-CB3E53305870}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85087867-B23C-4425-864A-88AE60CD924D}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GifShower.DLL regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\ = "GifShow Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\Control regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GifShower.GifShow.1\CLSID\ = "{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85087867-B23C-4425-864A-88AE60CD924D}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GifShower.GifShow\CurVer\ = "GifShower.GifShow.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\Version\ = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85087867-B23C-4425-864A-88AE60CD924D}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85087867-B23C-4425-864A-88AE60CD924D}\1.0\0\win32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\NumMethods\ = "9" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B6188993-A07B-40E9-ADF8-CB3E53305870}\ = "GifShower" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\TypeLib\ = "{85087867-B23C-4425-864A-88AE60CD924D}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85087867-B23C-4425-864A-88AE60CD924D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GifShower.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\InProcServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B6188993-A07B-40E9-ADF8-CB3E53305870} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\TypeLib\ = "{85087867-B23C-4425-864A-88AE60CD924D}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\ = "IGifShow" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\MiscStatus\1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85087867-B23C-4425-864A-88AE60CD924D}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GifShower.GifShow\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85087867-B23C-4425-864A-88AE60CD924D}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\TypeLib\ = "{85087867-B23C-4425-864A-88AE60CD924D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GifShower.GifShow regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GifShower.GifShow\ = "GifShow Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GifShower.GifShow\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\ProgID\ = "GifShower.GifShow.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85087867-B23C-4425-864A-88AE60CD924D}\1.0\ = "GifShower 1.0 ÀàÐÍ¿â" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GifShower.GifShow.1\Insertable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\Insertable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BAD2D8E-2B5C-4E1C-BDFE-D4D561D986E2}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\ = "IGifShow" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\ProxyStubClsid32\ = "{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05C43810-244F-4630-A9A2-F4CB5D2FB6D1}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GifShower.GifShow.1 regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2376 wrote to memory of 1092 2376 regsvr32.exe 28 PID 2376 wrote to memory of 1092 2376 regsvr32.exe 28 PID 2376 wrote to memory of 1092 2376 regsvr32.exe 28 PID 2376 wrote to memory of 1092 2376 regsvr32.exe 28 PID 2376 wrote to memory of 1092 2376 regsvr32.exe 28 PID 2376 wrote to memory of 1092 2376 regsvr32.exe 28 PID 2376 wrote to memory of 1092 2376 regsvr32.exe 28