Resubmissions
31-01-2024 21:42
240131-1ktpsadab6 1024-01-2024 07:47
240124-jml92sdcd6 1023-01-2024 11:54
240123-n25r6ahhfk 1024-06-2020 13:36
200624-enc457kzrj 10Analysis
-
max time kernel
1160s -
max time network
1165s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
23-01-2024 11:54
Static task
static1
Behavioral task
behavioral1
Sample
A004BC8B4F3DB1EF5A66579B9746B5B1.dll
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
A004BC8B4F3DB1EF5A66579B9746B5B1.dll
Resource
win10v2004-20231215-en
General
-
Target
A004BC8B4F3DB1EF5A66579B9746B5B1.dll
-
Size
424KB
-
MD5
a004bc8b4f3db1ef5a66579b9746b5b1
-
SHA1
88a5fcebfd7a037a9ca9573772ac2334a61b25de
-
SHA256
42bb5eae534eb2cea979c300b797a65febf291b28aea0b9d8bbea7d0a41bffa2
-
SHA512
28aed111b2ecea90c2da03871f36272b8680d392c245fdf0e2f4d4454974a3a51d6744133cecfc2576bbc778742f9b824e8355026b53d029d13ff79bb2136f9b
-
SSDEEP
6144:kQ0fpRug1NzpAhY2Zgi1ny2YT2oqCesyc+V6pDDW3FdREH5gH+xWz1:kQ0Rsg58Yti9y2voysiVmO3BlH+W
Malware Config
Extracted
zloader
June18newret
June
http://snnmnkxdhflwgthqismb.com/web/post.php
http://nlbmfsyplohyaicmxhum.com/web/post.php
http://softwareserviceupdater1.com/web/post.php
http://softwareserviceupdater2.com/web/post.php
-
build_id
3
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2800 set thread context of 4316 2800 rundll32.exe 97 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeSecurityPrivilege 4316 msiexec.exe Token: SeSecurityPrivilege 4316 msiexec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3260 wrote to memory of 2800 3260 rundll32.exe 85 PID 3260 wrote to memory of 2800 3260 rundll32.exe 85 PID 3260 wrote to memory of 2800 3260 rundll32.exe 85 PID 2800 wrote to memory of 4316 2800 rundll32.exe 97 PID 2800 wrote to memory of 4316 2800 rundll32.exe 97 PID 2800 wrote to memory of 4316 2800 rundll32.exe 97 PID 2800 wrote to memory of 4316 2800 rundll32.exe 97 PID 2800 wrote to memory of 4316 2800 rundll32.exe 97
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\A004BC8B4F3DB1EF5A66579B9746B5B1.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\A004BC8B4F3DB1EF5A66579B9746B5B1.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4316
-
-