Resubmissions

Submitted          Task ID             Score
24-01-2024 08:17   240124-j6t41adgg8   10
24-01-2024 07:52   240124-jqd3vadcfj   10
23-01-2024 11:54   240123-n28ttaafc8   10
24-06-2020 13:13   200624-qjwbdtfea2   10

Analysis

max time kernel    151s
max time network   153s
platform           windows10_x64
resource           win10v200430
submitted          24-06-2020 13:13
Static task
static1

Behavioral task
behavioral1

Sample     june23.dll
Resource   win7v200430 (windows7_x64)
0 signatures
0 seconds
General

Target   june23.dll
Size     383KB
MD5      7e889962ed9651933c46faa6f7b5ab6d
SHA1     015639fe2a6af8d9205e0fb36226c9d134b49fd8
SHA256   a51d5fe8c5f9ea9c4af866b7b6669845433934e4b4528995a3ac1702e7002c0e
SHA512   914e07996a14bd4499b91333ab0de65748e5617d543dd0eff3a269d24a542f15cbe1dca7be618843c0d7fb60dcaf96e20e5de95ac2989dc48850ab1a10aa8ff2
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                  pid    Process
Token: SeSecurityPrivilege   2176   msiexec.exe
Token: SeSecurityPrivilege   2176   msiexec.exe

Blacklisted process makes network request (17 IoCs)
flow     pid    Process
10-26    2176   msiexec.exe   (one IoC per flow: 17 flows, all from the same msiexec.exe instance)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
2176   msiexec.exe
2176   msiexec.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Runs net.exe

Suspicious use of WriteProcessMemory (35 IoCs)
description                        pid    Process        procid_target
PID 908 wrote to memory of 1152    908    rundll32.exe   68   (3 IoCs)
PID 1152 wrote to memory of 2176   1152   rundll32.exe   73   (5 IoCs)
PID 2176 wrote to memory of 3460   2176   msiexec.exe    74   (3 IoCs)
PID 3460 wrote to memory of 1860   3460   cmd.exe        76   (3 IoCs)
PID 2176 wrote to memory of 424    2176   msiexec.exe    77   (3 IoCs)
PID 424 wrote to memory of 3948    424    cmd.exe        79   (3 IoCs)
PID 3948 wrote to memory of 3756   3948   net.exe        80   (3 IoCs)
PID 2176 wrote to memory of 936    2176   msiexec.exe    81   (3 IoCs)
PID 936 wrote to memory of 1236    936    cmd.exe        83   (3 IoCs)
PID 2176 wrote to memory of 2384   2176   msiexec.exe    84   (3 IoCs)
PID 2384 wrote to memory of 804    2384   cmd.exe        86   (3 IoCs)
(identical rows are collapsed; the count in parentheses is how many times each row appears in the report)

Suspicious use of SetThreadContext (1 IoC)
description                           pid    Process        procid_target
PID 1152 set thread context of 2176   1152   rundll32.exe   73

Discovers systems in the same network (1 TTPs, 2 IoCs)
pid    Process
1236   net.exe
804    net.exe
Processes

C:\Windows\system32\rundll32.exe   PID 908
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe   PID 1152
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    C:\Windows\SysWOW64\msiexec.exe   PID 2176
      msiexec.exe
      - Suspicious use of AdjustPrivilegeToken
      - Blacklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe   PID 3460
        cmd.exe /c ipconfig /all
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ipconfig.exe   PID 1860
          ipconfig /all

      C:\Windows\SysWOW64\cmd.exe   PID 424
        cmd.exe /c net config workstation
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe   PID 3948
          net config workstation
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\net1.exe   PID 3756
            C:\Windows\system32\net1 config workstation

      C:\Windows\SysWOW64\cmd.exe   PID 936
        cmd.exe /c net view /all
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe   PID 1236
          net view /all
          - Discovers systems in the same network

      C:\Windows\SysWOW64\cmd.exe   PID 2384
        cmd.exe /c net view /all /domain
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe   PID 804
          net view /all /domain
          - Discovers systems in the same network
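The shape of the tree above is what a detection engineer would key on rather than the file hashes: the 64-bit rundll32 relaunches the DLL under the 32-bit SysWOW64 rundll32, that process writes into and calls SetThreadContext on a freshly started msiexec.exe that has no command-line arguments (behaviour consistent with process hollowing, although the report itself does not name the technique), and msiexec then fans out cmd.exe /c for ipconfig /all, net config workstation and net view. The following is an added example, not code from the Tria.ge report or from the sample. It replays the report's own process tree as constructed ProcessCreate-style records (PIDs, images and command lines are copied from the tree; the tuple layout is a simplified, hypothetical schema, not Sysmon's, and the root PID 908 is given parent 0 because the report does not show its parent), adds one constructed sandbox-style API-trace record standing in for the SetThreadContext IoC, and runs four rules over them. The rule names, regexes and the "two or more distinct recon commands" threshold are assumptions made for this example.

```python
"""Replay the report's process tree through four detection rules.

Added example; not code from the Tria.ge report or the sample. The record
layout is a simplified, hypothetical schema (not Sysmon's); PIDs, images and
command lines are copied from the process tree in the report.
"""
import re
from collections import defaultdict

# (pid, ppid, image, command line), copied from the report's process tree.
# ppid 0 marks the root: the report does not show the parent of PID 908.
PROCESS_CREATE = [
    (908,  0,    r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1"),
    (1152, 908,  r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1"),
    (2176, 1152, r"C:\Windows\SysWOW64\msiexec.exe",  "msiexec.exe"),
    (3460, 2176, r"C:\Windows\SysWOW64\cmd.exe",      "cmd.exe /c ipconfig /all"),
    (1860, 3460, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    (424,  2176, r"C:\Windows\SysWOW64\cmd.exe",      "cmd.exe /c net config workstation"),
    (3948, 424,  r"C:\Windows\SysWOW64\net.exe",      "net config workstation"),
    (3756, 3948, r"C:\Windows\SysWOW64\net1.exe",     r"C:\Windows\system32\net1 config workstation"),
    (936,  2176, r"C:\Windows\SysWOW64\cmd.exe",      "cmd.exe /c net view /all"),
    (1236, 936,  r"C:\Windows\SysWOW64\net.exe",      "net view /all"),
    (2384, 2176, r"C:\Windows\SysWOW64\cmd.exe",      "cmd.exe /c net view /all /domain"),
    (804,  2384, r"C:\Windows\SysWOW64\net.exe",      "net view /all /domain"),
]

# Constructed sandbox-style API trace standing in for the report's single
# SetThreadContext IoC (rundll32 PID 1152 -> msiexec PID 2176). Field names are assumptions.
API_TRACE = [
    {"api": "SetThreadContext", "source_pid": 1152, "target_pid": 2176},
]

# Recon commands the report shows msiexec launching through cmd.exe /c.
RECON = re.compile(r"\b(net\s+view|net\s+config|ipconfig\s+/all)\b", re.I)
# rundll32 loading a DLL from the user's Temp directory by export ordinal (#n).
TEMP_DLL_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^,\s]+\.dll,#\d+", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_index(records):
    """Map pid -> record and ppid -> child records."""
    by_pid = {r[0]: r for r in records}
    children = defaultdict(list)
    for r in records:
        children[r[1]].append(r)
    return by_pid, children


def ancestry(by_pid, pid):
    """Image basenames from the root ancestor down to pid, for alert context."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return chain[::-1]


def detect(records, api_trace):
    """Return (rule, pid) alerts. Rule names are this example's own labels."""
    by_pid, children = build_index(records)
    alerts = []
    for pid, ppid, image, cmdline in records:
        name = basename(image)
        pname = basename(by_pid[ppid][2]) if ppid in by_pid else ""
        # Rule 1: rundll32 calling an ordinal export of a DLL dropped in %TEMP%.
        if name == "rundll32.exe" and TEMP_DLL_ORDINAL.search(cmdline):
            alerts.append(("rundll32_temp_dll_ordinal", pid))
        # Rule 2: msiexec started by rundll32 with no arguments at all. A real
        # install carries /i, /x, a package path etc.; an empty command line is
        # what a host process started only to be hollowed looks like.
        if name == "msiexec.exe" and pname == "rundll32.exe" and len(cmdline.split()) == 1:
            alerts.append(("msiexec_no_args_from_rundll32", pid))
        # Rule 3: msiexec fanning out cmd.exe /c for two or more distinct
        # host/network recon commands (threshold is an assumption).
        if name == "msiexec.exe":
            seen_cmds = set()
            for child in children[pid]:
                m = RECON.search(child[3]) if basename(child[2]) == "cmd.exe" else None
                if m:
                    seen_cmds.add(" ".join(m.group(1).lower().split()))
            if len(seen_cmds) >= 2:
                alerts.append(("msiexec_recon_burst", pid))
    # Rule 4: SetThreadContext across a process boundary (sandbox trace only).
    for call in api_trace:
        if call["api"] == "SetThreadContext" and call["source_pid"] != call["target_pid"]:
            alerts.append(("cross_process_setthreadcontext", call["target_pid"]))
    return alerts


if __name__ == "__main__":
    by_pid, _ = build_index(PROCESS_CREATE)
    for rule, pid in detect(PROCESS_CREATE, API_TRACE):
        print(f"{rule:32s} pid={pid:<5d} chain={' -> '.join(ancestry(by_pid, pid))}")
```

Run against the report's tree this raises five alerts: both rundll32 instances for the Temp-directory ordinal load, and msiexec PID 2176 three times (no-argument launch from rundll32, recon fan-out, and the cross-process SetThreadContext). The no-argument msiexec check is the pivot that survives outside a sandbox: a legitimate installer run carries /i, /x, /q or a package path, so an empty command line under a rundll32 parent is cheap to hunt in ordinary process-creation telemetry. Rule 4 only works on a sandbox API trace; Sysmon does not log SetThreadContext, and its Event ID 10 (ProcessAccess) records the granted process-access mask rather than thread-context calls, so on endpoints that rule has to be approximated from the access mask and from the parent/child relationship instead.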