Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 04:40

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Variant.Zusy.307926.22904.26447.dll
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: SecuriteInfo.com.Variant.Zusy.307926.22904.26447.dll
- Size: 579KB
- MD5: 1bd992ee2bddba2ac275719624e52c05
- SHA1: 97cb4429abb8825772a52edebcbaf06a8f9b5308
- SHA256: 0573d56a84aac658edac1e93d08390c1a8378ed2d801b2460ac89a8ef643eb7d
- SHA512: 0d50462d485bad5d62bfc0d4304dfc7fd33621d6546b387c8cd501c9605b49a80c4bc4f3e888592daa359c056ad98553554d6f19382ea9ac3f7efda2406893a5
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1508 wrote to memory of 1560 | 1508 | rundll32.exe | rundll32.exe
  PID 1508 wrote to memory of 1560 | 1508 | rundll32.exe | rundll32.exe
  PID 1508 wrote to memory of 1560 | 1508 | rundll32.exe | rundll32.exe
  PID 1508 wrote to memory of 1560 | 1508 | rundll32.exe | rundll32.exe
  PID 1508 wrote to memory of 1560 | 1508 | rundll32.exe | rundll32.exe
  PID 1508 wrote to memory of 1560 | 1508 | rundll32.exe | rundll32.exe
  PID 1508 wrote to memory of 1560 | 1508 | rundll32.exe | rundll32.exe
  PID 1560 wrote to memory of 1864 | 1560 | rundll32.exe | msiexec.exe
  PID 1560 wrote to memory of 1864 | 1560 | rundll32.exe | msiexec.exe
  PID 1560 wrote to memory of 1864 | 1560 | rundll32.exe | msiexec.exe
  PID 1560 wrote to memory of 1864 | 1560 | rundll32.exe | msiexec.exe
  PID 1560 wrote to memory of 1864 | 1560 | rundll32.exe | msiexec.exe
  PID 1560 wrote to memory of 1864 | 1560 | rundll32.exe | msiexec.exe
  PID 1560 wrote to memory of 1864 | 1560 | rundll32.exe | msiexec.exe
  PID 1560 wrote to memory of 1864 | 1560 | rundll32.exe | msiexec.exe
  PID 1560 wrote to memory of 1864 | 1560 | rundll32.exe | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: rundll32.exe, msiexec.exe
  description | pid | process
  Token: SeDebugPrivilege | 1560 | rundll32.exe
  Token: SeSecurityPrivilege | 1864 | msiexec.exe
  Token: SeSecurityPrivilege | 1864 | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: rundll32.exe
  pid | process
  1560 | rundll32.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 1560 created 1312 | 1560 | rundll32.exe | Explorer.EXE
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 1560 set thread context of 1864 | 1560 | rundll32.exe | msiexec.exe
- Blacklisted process makes network request (18 IoCs)
  Processes: msiexec.exe
  flow | pid | process
  8 | 1864 | msiexec.exe
  9 | 1864 | msiexec.exe
  10 | 1864 | msiexec.exe
  11 | 1864 | msiexec.exe
  12 | 1864 | msiexec.exe
  13 | 1864 | msiexec.exe
  15 | 1864 | msiexec.exe
  17 | 1864 | msiexec.exe
  19 | 1864 | msiexec.exe
  21 | 1864 | msiexec.exe
  23 | 1864 | msiexec.exe
  25 | 1864 | msiexec.exe
  26 | 1864 | msiexec.exe
  27 | 1864 | msiexec.exe
  28 | 1864 | msiexec.exe
  29 | 1864 | msiexec.exe
  30 | 1864 | msiexec.exe
  32 | 1864 | msiexec.exe
- Modifies system certificate store
  Processes: msiexec.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] | msiexec.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.307926.22904.26447.dll,#1
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.307926.22904.26447.dll,#1
      Signatures:
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: msiexec.exe
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
    - Blacklisted process makes network request
    - Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1560-0-0x0000000000000000-mapping.dmp
- memory/1864-1-0x0000000000090000-0x00000000000BC000-memory.dmp (Filesize 176KB)
- memory/1864-2-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize 4KB)
- memory/1864-3-0x0000000000090000-0x00000000000BC000-memory.dmp (Filesize 176KB)
- memory/1864-4-0x0000000000000000-mapping.dmp