Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 05:49
- Static task: static1
- Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Variant.Zusy.307926.26624.1627.dll
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
General
- Target: SecuriteInfo.com.Variant.Zusy.307926.26624.1627.dll
- Size: 579KB
- MD5: 09d36e00dae946e89fa442c410359e92
- SHA1: 990cb82fd620d8b5a0fd8e11be067532d31a4e04
- SHA256: 17ddc83d49b6cd1d511e8c5498c44d8b4bdbbb69b13011a180f8bded117ff2f7
- SHA512: 6f8782c482a5d2d3767d64f09146c1da1b4500a4bcbf87dae86896407582a6e90c35146746013b9440955f7ba578eafa266102c5f7cb3eda3a9d5d7e333bfbb8
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                      | pid  | process      | target process
  PID 3236 wrote to memory of 3884 | 3236 | rundll32.exe | rundll32.exe
  PID 3236 wrote to memory of 3884 | 3236 | rundll32.exe | rundll32.exe
  PID 3236 wrote to memory of 3884 | 3236 | rundll32.exe | rundll32.exe
  PID 3884 wrote to memory of 3796 | 3884 | rundll32.exe | msiexec.exe
  PID 3884 wrote to memory of 3796 | 3884 | rundll32.exe | msiexec.exe
  PID 3884 wrote to memory of 3796 | 3884 | rundll32.exe | msiexec.exe
  PID 3884 wrote to memory of 3796 | 3884 | rundll32.exe | msiexec.exe
  PID 3884 wrote to memory of 3796 | 3884 | rundll32.exe | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 | pid  | process
  Token: SeDebugPrivilege     | 3884 | rundll32.exe
  Token: SeSecurityPrivilege  | 3796 | msiexec.exe
  Token: SeSecurityPrivilege  | 3796 | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | process
  3884 | rundll32.exe
  3884 | rundll32.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description           | pid  | process      | target process
  PID 3884 created 3008 | 3884 | rundll32.exe | Explorer.EXE
- Suspicious use of SetThreadContext (1 IoC)
  description                          | pid  | process      | target process
  PID 3884 set thread context of 3796  | 3884 | rundll32.exe | msiexec.exe
- Blacklisted process makes network request (16 IoCs)
  flow                                                             | pid  | process
  9, 10, 11, 12, 13, 14, 16, 18, 20, 22, 23, 24, 25, 26, 27, 29    | 3796 | msiexec.exe
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.307926.26624.1627.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.307926.26624.1627.dll,#1
      signatures: Suspicious use of WriteProcessMemory; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses; Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\msiexec.exe
    command line: msiexec.exe
    signatures: Suspicious use of AdjustPrivilegeToken; Blacklisted process makes network request
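The signature rows and the process tree above tell one story when read together: the SysWOW64 rundll32.exe (PID 3884) takes SeDebugPrivilege, creates a process with Explorer.EXE chosen as its parent, writes into msiexec.exe (PID 3796) and sets a thread context in it, after which msiexec.exe is the process that talks to the network. Because of the chosen parent, the tree places msiexec.exe under Explorer.EXE rather than under rundll32.exe, so any rule keyed on "network from a child of rundll32" misses it. The following is an added example, not code from the report or from the sandbox vendor. It transcribes the rows above (PIDs and image names are the report's; the parent map is read off the process tree), labels the "Blacklisted process makes network request" rows as `NetworkRequest`, and shows a parent-based rule beside a correlation on write plus SetThreadContext that catches the beaconing process regardless of its tree parent.

```python
"""Correlate the report's signature rows into an injection chain (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    sig: str                       # signature name, as the report labels it
    pid: int                       # acting process
    image: str
    target_pid: Optional[int] = None
    target_image: Optional[str] = None
    detail: str = ""


def _rows(sig, pid, image, target_pid, target_image, n):
    """The report repeats identical rows; reproduce them n times."""
    return [Event(sig, pid, image, target_pid, target_image)] * n


# Transcribed from the signature tables; PIDs and image names are the report's own.
EVENTS = (
    _rows("WriteProcessMemory", 3236, "rundll32.exe", 3884, "rundll32.exe", 3)
    + _rows("WriteProcessMemory", 3884, "rundll32.exe", 3796, "msiexec.exe", 5)
    + [Event("AdjustPrivilegeToken", 3884, "rundll32.exe", detail="SeDebugPrivilege"),
       Event("AdjustPrivilegeToken", 3796, "msiexec.exe", detail="SeSecurityPrivilege"),
       Event("AdjustPrivilegeToken", 3796, "msiexec.exe", detail="SeSecurityPrivilege"),
       Event("EnumeratesProcesses", 3884, "rundll32.exe"),
       Event("EnumeratesProcesses", 3884, "rundll32.exe"),
       Event("NtCreateUserProcessOtherParentProcess", 3884, "rundll32.exe", 3008, "Explorer.EXE"),
       Event("SetThreadContext", 3884, "rundll32.exe", 3796, "msiexec.exe")]
    # "NetworkRequest" is my label for the "Blacklisted process makes network request" rows.
    + [Event("NetworkRequest", 3796, "msiexec.exe", detail=f"flow {f}")
       for f in (9, 10, 11, 12, 13, 14, 16, 18, 20, 22, 23, 24, 25, 26, 27, 29)]
)

# Parent PIDs as the process tree shows them: msiexec.exe sits under Explorer.EXE, not rundll32.exe.
TREE_PARENT = {3236: 3008, 3884: 3236, 3796: 3008}
IMAGE = {3008: "Explorer.EXE", 3236: "rundll32.exe", 3884: "rundll32.exe", 3796: "msiexec.exe"}


def injection_pairs(events):
    """(injector, victim) pairs where the injector both wrote the victim's memory and set a
    thread context in it, the write+SetThreadContext footprint of process hollowing and
    thread hijacking. A write alone does not qualify: 3236 writes into its freshly started
    WoW64 child 3884 as part of normal process start-up and must not fire."""
    writes, contexts = defaultdict(set), defaultdict(set)
    for e in events:
        if e.sig == "WriteProcessMemory":
            writes[e.pid].add(e.target_pid)
        elif e.sig == "SetThreadContext":
            contexts[e.pid].add(e.target_pid)
    return sorted((p, v) for p in writes for v in writes[p] & contexts[p])


def spoofed_parents(events):
    """(creator, chosen parent) pairs from the other-parent-process signature."""
    return sorted((e.pid, e.target_pid) for e in events
                  if e.sig == "NtCreateUserProcessOtherParentProcess")


def network_pids(events):
    return {e.pid for e in events if e.sig == "NetworkRequest"}


def naive_rule(events, parent, image):
    """First-draft rule: network activity whose tree parent is rundll32.exe. Returns flagged PIDs."""
    return sorted(p for p in network_pids(events) if image.get(parent.get(p)) == "rundll32.exe")


def correlated_rule(events):
    """Network activity from any injection victim, whatever the tree says its parent is."""
    victims = {v for _, v in injection_pairs(events)}
    return sorted(network_pids(events) & victims)


def summarize(events, parent, image):
    """One dict a triage note can be written from."""
    return {
        "injection": [(image[a], a, image[b], b) for a, b in injection_pairs(events)],
        "parent_spoofing": [(image[a], a, image[b], b) for a, b in spoofed_parents(events)],
        "debug_privilege": sorted({e.pid for e in events
                                   if e.sig == "AdjustPrivilegeToken" and e.detail == "SeDebugPrivilege"}),
        "naive_rule_hits": naive_rule(events, parent, image),
        "correlated_rule_hits": correlated_rule(events),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS, TREE_PARENT, IMAGE).items():
        print(f"{key}: {value}")
```

On this report the naive rule returns nothing, because the only networking process has Explorer.EXE as its tree parent; the correlated rule returns PID 3796. The 3236 to 3884 writes (64-bit rundll32 starting its 32-bit copy) are deliberately not reported as injection, since no thread context was set in that target.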