Analysis
max time kernel: 138s
max time network: 122s
platform: windows10_x64
resource: win10v200430
submitted: 30-06-2020 04:40
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Zusy.307926.22904.26447.dll
Resource: win7 (windows7_x64)
0 signatures
0 seconds
General
Target: SecuriteInfo.com.Variant.Zusy.307926.22904.26447.dll
Size: 579KB
MD5: 1bd992ee2bddba2ac275719624e52c05
SHA1: 97cb4429abb8825772a52edebcbaf06a8f9b5308
SHA256: 0573d56a84aac658edac1e93d08390c1a8378ed2d801b2460ac89a8ef643eb7d
SHA512: 0d50462d485bad5d62bfc0d4304dfc7fd33621d6546b387c8cd501c9605b49a80c4bc4f3e888592daa359c056ad98553554d6f19382ea9ac3f7efda2406893a5
Malware Config
Signatures
- Blacklisted process makes network request (16 IoCs)
  Processes: msiexec.exe
  flow  pid   process
  9     2512  msiexec.exe
  10    2512  msiexec.exe
  11    2512  msiexec.exe
  12    2512  msiexec.exe
  13    2512  msiexec.exe
  14    2512  msiexec.exe
  16    2512  msiexec.exe
  18    2512  msiexec.exe
  20    2512  msiexec.exe
  22    2512  msiexec.exe
  23    2512  msiexec.exe
  24    2512  msiexec.exe
  25    2512  msiexec.exe
  26    2512  msiexec.exe
  27    2512  msiexec.exe
  29    2512  msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 3656 wrote to memory of 3768  3656  rundll32.exe  rundll32.exe
  PID 3656 wrote to memory of 3768  3656  rundll32.exe  rundll32.exe
  PID 3656 wrote to memory of 3768  3656  rundll32.exe  rundll32.exe
  PID 3768 wrote to memory of 2512  3768  rundll32.exe  msiexec.exe
  PID 3768 wrote to memory of 2512  3768  rundll32.exe  msiexec.exe
  PID 3768 wrote to memory of 2512  3768  rundll32.exe  msiexec.exe
  PID 3768 wrote to memory of 2512  3768  rundll32.exe  msiexec.exe
  PID 3768 wrote to memory of 2512  3768  rundll32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: rundll32.exe, msiexec.exe
  description                 pid   process
  Token: SeDebugPrivilege     3768  rundll32.exe
  Token: SeSecurityPrivilege  2512  msiexec.exe
  Token: SeSecurityPrivilege  2512  msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid   process
  3768  rundll32.exe
  3768  rundll32.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes: rundll32.exe
  description            pid   process       target process
  PID 3768 created 3012  3768  rundll32.exe  Explorer.EXE
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: rundll32.exe
  description                          pid   process       target process
  PID 3768 set thread context of 2512  3768  rundll32.exe  msiexec.exe
Processes
- C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (depth 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.307926.22904.26447.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.307926.22904.26447.dll,#1
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\msiexec.exe (depth 2)
    command line: msiexec.exe
    - Blacklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken