Analysis
- max time kernel: 134s
- max time network: 140s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 05:49

Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Variant.Zusy.307926.26624.1627.dll
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: SecuriteInfo.com.Variant.Zusy.307926.26624.1627.dll
- Size: 579KB
- MD5: 09d36e00dae946e89fa442c410359e92
- SHA1: 990cb82fd620d8b5a0fd8e11be067532d31a4e04
- SHA256: 17ddc83d49b6cd1d511e8c5498c44d8b4bdbbb69b13011a180f8bded117ff2f7
- SHA512: 6f8782c482a5d2d3767d64f09146c1da1b4500a4bcbf87dae86896407582a6e90c35146746013b9440955f7ba578eafa266102c5f7cb3eda3a9d5d7e333bfbb8
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (rundll32.exe):
    description              pid   process       target process
    PID 1616 created 1300    1616  rundll32.exe  Explorer.EXE
- Suspicious use of SetThreadContext (1 IoC)
  Processes (rundll32.exe):
    description                           pid   process       target process
    PID 1616 set thread context of 1884   1616  rundll32.exe  msiexec.exe
- Blacklisted process makes network request (18 IoCs)
  Processes (msiexec.exe):
    flow                                                               pid   process
    6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 21, 23, 24, 25, 26, 27, 28, 30  1884  msiexec.exe
    (one network flow per row in the original report; all 18 flows belong to pid 1884)
- Modifies system certificate store
  Processes (msiexec.exe):
    description       ioc                                                                                                                     process
    Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13         msiexec.exe
    Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (value not captured)  msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (rundll32.exe, rundll32.exe):
    description                        pid   process       target process   entries
    PID 112 wrote to memory of 1616    112   rundll32.exe  rundll32.exe     7
    PID 1616 wrote to memory of 1884   1616  rundll32.exe  msiexec.exe      9
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (rundll32.exe, msiexec.exe):
    description                  pid   process       entries
    Token: SeDebugPrivilege      1616  rundll32.exe  1
    Token: SeSecurityPrivilege   1884  msiexec.exe   2
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (rundll32.exe):
    pid   process
    1616  rundll32.exe
Processes
- C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (depth 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.307926.26624.1627.dll,#1
    signatures:
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.307926.26624.1627.dll,#1
      signatures:
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\msiexec.exe (depth 2)
    command line: msiexec.exe
    signatures:
      - Blacklisted process makes network request
      - Modifies system certificate store
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1616-0-0x0000000000000000-mapping.dmp
- memory/1884-1-0x00000000000D0000-0x00000000000FC000-memory.dmp (filesize 176KB)
- memory/1884-2-0x0000000000100000-0x0000000000101000-memory.dmp (filesize 4KB)
- memory/1884-3-0x00000000000D0000-0x00000000000FC000-memory.dmp (filesize 176KB)
- memory/1884-4-0x0000000000000000-mapping.dmp