Resubmissions
- 24-01-2024 07:41 | 240124-jh881sdbd8 | 10
- 23-01-2024 11:54 | 240123-n22qhahhfj | 10
- 24-06-2020 14:53 | 200624-jtkdx94cps | 10

Analysis
- max time kernel: 888s
- max time network: 891s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 23-01-2024 11:54
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Variant.Johnnie.255811.4892.dll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Variant.Johnnie.255811.4892.dll
  Resource: win10v2004-20231215-en
General
- Target: SecuriteInfo.com.Variant.Johnnie.255811.4892.dll
- Size: 424KB
- MD5: fc33761a594599efe5617c8359531b38
- SHA1: c85e06833ba3a037e3685dd05308ef98e2c72e82
- SHA256: c8b452572f409a7d0752734334371c900983c8e15cbf8299bda7fe7a33a1047e
- SHA512: 5566c9fbf50ad90db1b6f0ef66e56273acfe64d4855caf818ec1caf208016688c64cef75bfd58e1dcf2883a99576a717a26c39e55af003dd87d15eb2c4ed6824
- SSDEEP: 6144:kQ0fpRug1NzpAhY2Zgi1ny2YT2oqCesyq+V6pDDW3FdREH5gH+xWz1:kQ0Rsg58Yti9y2voyskVmO3BlH+W
Malware Config
Extracted
- zloader
- June18newret
- June
- http://snnmnkxdhflwgthqismb.com/web/post.php
- http://nlbmfsyplohyaicmxhum.com/web/post.php
- http://softwareserviceupdater1.com/web/post.php
- http://softwareserviceupdater2.com/web/post.php
- build_id: 3
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  description                          | pid  | Process      | procid_target
  PID 2156 set thread context of 2788  | 2156 | rundll32.exe | 31
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 | pid  | Process
  Token: SeSecurityPrivilege  | 2788 | msiexec.exe
  Token: SeSecurityPrivilege  | 2788 | msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                        | pid  | Process      | procid_target | occurrences
  PID 2100 wrote to memory of 2156   | 2100 | rundll32.exe | 28            | 7
  PID 2156 wrote to memory of 2788   | 2156 | rundll32.exe | 31            | 9
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.255811.4892.dll,#1
  PID: 2100
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.255811.4892.dll,#1
    PID: 2156
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      PID: 2788
      - Suspicious use of AdjustPrivilegeToken