Resubmissions
Date              Task ID             Score
31-01-2024 21:42  240131-1ktpsadab6   10
24-01-2024 07:47  240124-jml92sdcd6   10
23-01-2024 11:54  240123-n25r6ahhfk   10
24-06-2020 13:36  200624-enc457kzrj   10
Analysis
max time kernel: 907s
max time network: 910s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 23-01-2024 11:54
Static task: static1
Behavioral task: behavioral1
  Sample: A004BC8B4F3DB1EF5A66579B9746B5B1.dll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: A004BC8B4F3DB1EF5A66579B9746B5B1.dll
  Resource: win10v2004-20231215-en
General
Target: A004BC8B4F3DB1EF5A66579B9746B5B1.dll
Size: 424KB
MD5: a004bc8b4f3db1ef5a66579b9746b5b1
SHA1: 88a5fcebfd7a037a9ca9573772ac2334a61b25de
SHA256: 42bb5eae534eb2cea979c300b797a65febf291b28aea0b9d8bbea7d0a41bffa2
SHA512: 28aed111b2ecea90c2da03871f36272b8680d392c245fdf0e2f4d4454974a3a51d6744133cecfc2576bbc778742f9b824e8355026b53d029d13ff79bb2136f9b
SSDEEP: 6144:kQ0fpRug1NzpAhY2Zgi1ny2YT2oqCesyc+V6pDDW3FdREH5gH+xWz1:kQ0Rsg58Yti9y2voysiVmO3BlH+W
Malware Config
Extracted
Family: zloader
Botnet: June18newret
Campaign: June
C2:
  http://snnmnkxdhflwgthqismb.com/web/post.php
  http://nlbmfsyplohyaicmxhum.com/web/post.php
  http://softwareserviceupdater1.com/web/post.php
  http://softwareserviceupdater2.com/web/post.php
build_id: 3
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                               pid   process       procid_target
  PID 2856 set thread context of 2944       2856  rundll32.exe  31

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                   pid   process
  Token: SeSecurityPrivilege    2944  msiexec.exe
  Token: SeSecurityPrivilege    2944  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                               pid   process       procid_target  count
  PID 2236 wrote to memory of 2856          2236  rundll32.exe  28             7
  PID 2856 wrote to memory of 2944          2856  rundll32.exe  31             9
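The three signature groups above line up into one injection chain: rundll32.exe (PID 2856) writes into msiexec.exe (PID 2944) and then calls SetThreadContext on it, which is the shape a process-hollowing or thread-hijack loader leaves behind, and the earlier system32 rundll32 (PID 2236) writing into its SysWOW64 twin (PID 2856) is the 64-bit rundll32 re-hosting a 32-bit DLL. The script below is an added example, not part of the sandbox report or of any tool it uses: it parses event lines written in the same wording as the IoC descriptions above (the sample lines and process table are constructed to mirror the report) and flags a target that the same source both wrote to and re-pointed a thread in. The record format, the helper names and the "hollowing candidate" rule are this example's own assumptions.

```python
"""Correlate sandbox IoC lines into a process-injection chain.

Added example, not part of the sandbox report. The EVENTS text and the
PROCESSES table are constructed to mirror the report's Signatures and
Processes sections; the line format, function names and detection rule
are assumptions of this example.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample: one line per IoC, worded like the report's entries.
EVENTS = """\
PID 2236 wrote to memory of 2856 2236 rundll32.exe 28
PID 2236 wrote to memory of 2856 2236 rundll32.exe 28
PID 2856 wrote to memory of 2944 2856 rundll32.exe 31
PID 2856 wrote to memory of 2944 2856 rundll32.exe 31
PID 2856 set thread context of 2944 2856 rundll32.exe 31
Token: SeSecurityPrivilege 2944 msiexec.exe
"""

# Constructed process table: pid -> (image path, parent pid), as in the tree.
PROCESSES = {
    2236: (r"C:\Windows\system32\rundll32.exe", None),
    2856: (r"C:\Windows\SysWOW64\rundll32.exe", 2236),
    2944: (r"C:\Windows\SysWOW64\msiexec.exe", 2856),
}

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)\b")


def parse_events(text):
    """Return {(source_pid, target_pid): {"writes": n, "set_context": n}}."""
    edges = defaultdict(lambda: {"writes": 0, "set_context": 0})
    for line in text.splitlines():
        m = WRITE_RE.match(line)
        if m:
            edges[(int(m[1]), int(m[2]))]["writes"] += 1
            continue
        m = CTX_RE.match(line)
        if m:
            edges[(int(m[1]), int(m[2]))]["set_context"] += 1
        # Token and other lines are not injection edges; ignore them here.
    return dict(edges)


def hollowing_candidates(edges, processes):
    """Flag targets that one source both wrote to and set a thread context in.

    WriteProcessMemory on its own is common (loaders, debuggers, installers);
    SetThreadContext on its own is rare but not conclusive. The pair from the
    same source, especially against its own child, is the classic hollowing
    or thread-hijack shape.
    """
    findings = []
    for (src, dst), counts in edges.items():
        if counts["writes"] and counts["set_context"]:
            dst_image, dst_parent = processes.get(dst, ("<unknown>", None))
            src_image = processes.get(src, ("<unknown>", None))[0]
            findings.append({
                "source": src, "source_image": src_image,
                "target": dst, "target_image": dst_image,
                "target_is_child": dst_parent == src,
                "writes": counts["writes"],
            })
    return findings


def wow64_rehosts(processes):
    """Return (parent, child) pairs where a system32 image spawned its SysWOW64 twin.

    This is benign rundll32 behaviour for a 32-bit DLL on 64-bit Windows, so it
    is reported separately rather than counted as injection.
    """
    pairs = []
    for pid, (image, parent) in processes.items():
        if parent is None or parent not in processes:
            continue
        p_image = processes[parent][0]
        same_name = ntpath.basename(p_image).lower() == ntpath.basename(image).lower()
        if (same_name
                and ntpath.dirname(p_image).lower().endswith("\\system32")
                and ntpath.dirname(image).lower().endswith("\\syswow64")):
            pairs.append((parent, pid))
    return sorted(pairs)


if __name__ == "__main__":
    edges = parse_events(EVENTS)
    for f in hollowing_candidates(edges, PROCESSES):
        print(f"hollowing candidate: {f['source_image']} ({f['source']}) -> "
              f"{f['target_image']} ({f['target']}), child={f['target_is_child']}")
    print("wow64 re-hosts:", wow64_rehosts(PROCESSES))
```

On the constructed input this reports msiexec.exe (2944) as a hollowing candidate written to by its parent rundll32.exe (2856), and lists 2236 -> 2856 only as a WOW64 re-host. The same correlation applies to a real sandbox export once its events are mapped to (source, target, api) triples; the report page itself does not expose that raw format.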
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\A004BC8B4F3DB1EF5A66579B9746B5B1.dll,#1
   PID: 2236
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\A004BC8B4F3DB1EF5A66579B9746B5B1.dll,#1
      PID: 2856
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         PID: 2944
         - Suspicious use of AdjustPrivilegeToken