Resubmissions
24-01-2024 07:41  240124-jh881sdbd8  10
23-01-2024 11:54  240123-n22qhahhfj  10
24-06-2020 14:53  200624-jtkdx94cps  10
Analysis
- max time kernel: 1156s
- max time network: 1161s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2024 11:54
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Variant.Johnnie.255811.4892.dll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Variant.Johnnie.255811.4892.dll
  Resource: win10v2004-20231215-en
General
- Target: SecuriteInfo.com.Variant.Johnnie.255811.4892.dll
- Size: 424KB
- MD5: fc33761a594599efe5617c8359531b38
- SHA1: c85e06833ba3a037e3685dd05308ef98e2c72e82
- SHA256: c8b452572f409a7d0752734334371c900983c8e15cbf8299bda7fe7a33a1047e
- SHA512: 5566c9fbf50ad90db1b6f0ef66e56273acfe64d4855caf818ec1caf208016688c64cef75bfd58e1dcf2883a99576a717a26c39e55af003dd87d15eb2c4ed6824
- SSDEEP: 6144:kQ0fpRug1NzpAhY2Zgi1ny2YT2oqCesyq+V6pDDW3FdREH5gH+xWz1:kQ0Rsg58Yti9y2voyskVmO3BlH+W
Malware Config
Extracted
- Family: zloader
- June18newret
- June
- C2:
  http://snnmnkxdhflwgthqismb.com/web/post.php
  http://nlbmfsyplohyaicmxhum.com/web/post.php
  http://softwareserviceupdater1.com/web/post.php
  http://softwareserviceupdater2.com/web/post.php
- build_id: 3
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  description                              pid   Process        procid_target
  PID 4776 set thread context of 4388      4776  rundll32.exe   100
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                              pid   Process
  Token: SeSecurityPrivilege               4388  msiexec.exe
  Token: SeSecurityPrivilege               4388  msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                              pid   Process        procid_target
  PID 4240 wrote to memory of 4776         4240  rundll32.exe   88
  PID 4240 wrote to memory of 4776         4240  rundll32.exe   88
  PID 4240 wrote to memory of 4776         4240  rundll32.exe   88
  PID 4776 wrote to memory of 4388         4776  rundll32.exe   100
  PID 4776 wrote to memory of 4388         4776  rundll32.exe   100
  PID 4776 wrote to memory of 4388         4776  rundll32.exe   100
  PID 4776 wrote to memory of 4388         4776  rundll32.exe   100
  PID 4776 wrote to memory of 4388         4776  rundll32.exe   100
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.255811.4892.dll,#1
   - Suspicious use of WriteProcessMemory
   PID:4240
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.255811.4892.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:4776
      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         - Suspicious use of AdjustPrivilegeToken
         PID:4388