Overview
overview
6Static
static
334a6d2657d...cs.exe
windows7-x64
334a6d2657d...cs.exe
windows10-2004-x64
3HFUILib.dll
windows7-x64
3HFUILib.dll
windows10-2004-x64
3HuofengGameWorld.exe
windows7-x64
6HuofengGameWorld.exe
windows10-2004-x64
6IEAux.dll
windows7-x64
1IEAux.dll
windows10-2004-x64
1hfgwupdate.exe
windows7-x64
6hfgwupdate.exe
windows10-2004-x64
6msvcp100.dll
windows7-x64
3msvcp100.dll
windows10-2004-x64
3msvcr100.dll
windows7-x64
3msvcr100.dll
windows10-2004-x64
3sqlite3.dll
windows7-x64
3sqlite3.dll
windows10-2004-x64
3Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11-06-2024 12:21
Static task
static1
Behavioral task
behavioral1
Sample
34a6d2657d9f3655e6513af83798be90_NeikiAnalytics.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
34a6d2657d9f3655e6513af83798be90_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
HFUILib.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
HFUILib.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
HuofengGameWorld.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
HuofengGameWorld.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
IEAux.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
IEAux.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
hfgwupdate.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
hfgwupdate.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
msvcp100.dll
Resource
win7-20240220-en
Behavioral task
behavioral12
Sample
msvcp100.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
msvcr100.dll
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
msvcr100.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
sqlite3.dll
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
sqlite3.dll
Resource
win10v2004-20240426-en
General
-
Target
IEAux.dll
-
Size
64KB
-
MD5
3633de4079190b65d9c1a062db39b882
-
SHA1
70b6f944a6711b69b8d1a992456dccb3bc2618f2
-
SHA256
71141a084a6ccc601f9ae32b5a56476854efde219bdad3c4abc93865fb5e611b
-
SHA512
d8a7540713e34c74261ca542d3dc4ec1cb35da3953ba6fb390f4526147df1a14c68d940756a53a44676f6faa7ca9cc0bfb442ce390038c321117a832ace10362
-
SSDEEP
1536:syzCRxaBYqBh9W4rdIEYNvdfej3xkqKOZ0+OEU8Fx:syzCDGYqBh9fLYNvdWj3xkqKOZ0EUy
Malware Config
Signatures
-
Modifies registry class 64 IoCs
Processes:
regsvr32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ = "IIEAux" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BB6E5AF6-C76F-48D1-A2C5-E412CD76AF87} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\ = "IEAux 1.0 Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEAux.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux.1\ = "IEAux Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ = "IIEAux" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AuxMod.DLL\AppID = "{BB6E5AF6-C76F-48D1-A2C5-E412CD76AF87}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\ = "IEAux Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\CurVer\ = "IEAuxMod.IEAux.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEAux.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ = "_IIEAuxEvents" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BB6E5AF6-C76F-48D1-A2C5-E412CD76AF87}\ = "AuxMod" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ = "_IIEAuxEvents" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\ = "IEAux Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux.1\CLSID\ = "{C06F84BC-734A-4C66-B3AF-590E7FC440AB}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib\ = "{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AuxMod.DLL regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEAuxMod.IEAux\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\ProgID\ = "IEAuxMod.IEAux.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3FCE3BD-45D9-40C1-A929-526EE5285EFF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24520E44-778C-4AF9-828E-750E747E38E1}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E89584AE-50C3-4FDE-B54C-A3EF6D700A72}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\Implemented Categories regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C06F84BC-734A-4C66-B3AF-590E7FC440AB}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
regsvr32.exedescription pid process target process PID 2160 wrote to memory of 3004 2160 regsvr32.exe regsvr32.exe PID 2160 wrote to memory of 3004 2160 regsvr32.exe regsvr32.exe PID 2160 wrote to memory of 3004 2160 regsvr32.exe regsvr32.exe PID 2160 wrote to memory of 3004 2160 regsvr32.exe regsvr32.exe PID 2160 wrote to memory of 3004 2160 regsvr32.exe regsvr32.exe PID 2160 wrote to memory of 3004 2160 regsvr32.exe regsvr32.exe PID 2160 wrote to memory of 3004 2160 regsvr32.exe regsvr32.exe