Overview
overview
8Static
static
1Assistant/...64.exe
windows7-x64
1Assistant/...64.exe
windows10-2004-x64
1GameHallMain.dll
windows7-x64
8GameHallMain.dll
windows10-2004-x64
3Uninstall.exe
windows7-x64
4Uninstall.exe
windows10-2004-x64
4$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
03/05/2024, 11:25
Static task
static1
Behavioral task
behavioral1
Sample
Assistant/HelperTool64.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
Assistant/HelperTool64.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
GameHallMain.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral4
Sample
GameHallMain.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Uninstall.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
Uninstall.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/FileInfo.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/FileInfo.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
GameHallMain.dll
-
Size
5.7MB
-
MD5
98d916578f4e6405232580963dd8b81c
-
SHA1
031329c64fe9a5e0e15b6c3c8d913be36e752b19
-
SHA256
65504f34d76db0372979658ea524d32a3aac4579f279b13728b958c5c9b0cc9e
-
SHA512
c9d0b48fec58ed4663ba58a847aeb686b119a3d96cdb4b83f87f858aef652e18b28e4b52489deca1512a74c79451e7a53159bd174f69ffc78a9142e427701c41
-
SSDEEP
98304:QLkmVLWcsuZJZqBcCldxV+4AqD/GDCSRgJheSzT2:7mVLkpdxV+4Am/WCxa
Malware Config
Signatures
-
Blocklisted process makes network request 7 IoCs
flow pid Process 5 2928 rundll32.exe 7 2928 rundll32.exe 8 2928 rundll32.exe 11 2928 rundll32.exe 12 2928 rundll32.exe 15 2928 rundll32.exe 18 2928 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe 2928 rundll32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2928 rundll32.exe 2928 rundll32.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2928 rundll32.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2860 wrote to memory of 2928 2860 rundll32.exe 28 PID 2860 wrote to memory of 2928 2860 rundll32.exe 28 PID 2860 wrote to memory of 2928 2860 rundll32.exe 28 PID 2860 wrote to memory of 2928 2860 rundll32.exe 28 PID 2860 wrote to memory of 2928 2860 rundll32.exe 28 PID 2860 wrote to memory of 2928 2860 rundll32.exe 28 PID 2860 wrote to memory of 2928 2860 rundll32.exe 28 PID 2928 wrote to memory of 2252 2928 rundll32.exe 29 PID 2928 wrote to memory of 2252 2928 rundll32.exe 29 PID 2928 wrote to memory of 2252 2928 rundll32.exe 29 PID 2928 wrote to memory of 2252 2928 rundll32.exe 29 PID 2928 wrote to memory of 2252 2928 rundll32.exe 29 PID 2928 wrote to memory of 2252 2928 rundll32.exe 29 PID 2928 wrote to memory of 2252 2928 rundll32.exe 29 PID 2928 wrote to memory of 2400 2928 rundll32.exe 32 PID 2928 wrote to memory of 2400 2928 rundll32.exe 32 PID 2928 wrote to memory of 2400 2928 rundll32.exe 32 PID 2928 wrote to memory of 2400 2928 rundll32.exe 32 PID 2928 wrote to memory of 2400 2928 rundll32.exe 32 PID 2928 wrote to memory of 2400 2928 rundll32.exe 32 PID 2928 wrote to memory of 2400 2928 rundll32.exe 32 PID 2928 wrote to memory of 2556 2928 rundll32.exe 35 PID 2928 wrote to memory of 2556 2928 rundll32.exe 35 PID 2928 wrote to memory of 2556 2928 rundll32.exe 35 PID 2928 wrote to memory of 2556 2928 rundll32.exe 35 PID 2928 wrote to memory of 2556 2928 rundll32.exe 35 PID 2928 wrote to memory of 2556 2928 rundll32.exe 35 PID 2928 wrote to memory of 2556 2928 rundll32.exe 35
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\GameHallMain.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\GameHallMain.dll,#12⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" --action=upgrade --type=utility3⤵PID:2252
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" --action=trayicon --traydata=1201_131486 --type=utility3⤵PID:2516
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" --mode=ie --pipe-name=1714735556/com2345-447275 --type=renderer3⤵PID:2400
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" --mode=ie --pipe-name=1714735559/com2345-216498 --type=renderer3⤵PID:2556
-
-