Resubmissions
  Date              Analysis ID        Score
  24-01-2024 08:17  240124-j6t41adgg8  10
  24-01-2024 07:52  240124-jqd3vadcfj  10
  23-01-2024 11:54  240123-n28ttaafc8  10
  24-06-2020 13:13  200624-qjwbdtfea2  10

Analysis
  max time kernel   1164s
  max time network  1165s
  platform          windows10-2004_x64
  resource          win10v2004-20231222-en
  resource tags     arch:x64  arch:x86  image:win10v2004-20231222-en  locale:en-us  os:windows10-2004-x64  system
  submitted         23-01-2024 11:54
Static task      static1
Behavioral task  behavioral1
  Sample    june23.dll
  Resource  win7-20231215-en
General
  Target  june23.dll
  Size    383KB
  MD5     7e889962ed9651933c46faa6f7b5ab6d
  SHA1    015639fe2a6af8d9205e0fb36226c9d134b49fd8
  SHA256  a51d5fe8c5f9ea9c4af866b7b6669845433934e4b4528995a3ac1702e7002c0e
  SHA512  914e07996a14bd4499b91333ab0de65748e5617d543dd0eff3a269d24a542f15cbe1dca7be618843c0d7fb60dcaf96e20e5de95ac2989dc48850ab1a10aa8ff2
  SSDEEP  6144:0855ylon+ZoU2BrVjEv1Ah4voE4JDU20IRqTMjREIx6a:0mgllw9FmAhjxU2rRr6
Malware Config
  Extracted  zloader
    june23
    june
    C2 URLs (HTTP POST endpoints)
      http://snnmnkxdhflwgthqismb.com/web/post.php
      http://nlbmfsyplohyaicmxhum.com/web/post.php
      http://softwareserviceupdater1.com/web/post.php
      http://softwareserviceupdater2.com/web/post.php
    build_id   7
Signatures

In the rows below, "pid" is the Windows PID of the process making the call and "procid_target" is the report's own index of the target process, not a PID: in this report 86 corresponds to PID 5976 and 98 to PID 3212.

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process       procid_target
  PID 5976 set thread context of 3212  5976  rundll32.exe  98

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   Process
  Token: SeSecurityPrivilege  3212  msiexec.exe
  Token: SeSecurityPrivilege  3212  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process       procid_target
  PID 3092 wrote to memory of 5976  3092  rundll32.exe  86
  PID 3092 wrote to memory of 5976  3092  rundll32.exe  86
  PID 3092 wrote to memory of 5976  3092  rundll32.exe  86
  PID 5976 wrote to memory of 3212  5976  rundll32.exe  98
  PID 5976 wrote to memory of 3212  5976  rundll32.exe  98
  PID 5976 wrote to memory of 3212  5976  rundll32.exe  98
  PID 5976 wrote to memory of 3212  5976  rundll32.exe  98
  PID 5976 wrote to memory of 3212  5976  rundll32.exe  98
Processes
  C:\Windows\system32\rundll32.exe  (PID 3092)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 5976)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\msiexec.exe  (PID 3212)
        msiexec.exe
        - Suspicious use of AdjustPrivilegeToken
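The Signatures and Processes sections above, as an added example that is not part of the Triage report: a Python script that parses the report's "description" strings, collapses the per-call rows by (source PID, target PID) pair, and separates the 5976 to 3212 interaction (memory writes plus SetThreadContext into a child started with a bare "msiexec.exe" command line) from the 3092 to 5976 writes, which carry no thread-context change and are the 64-bit rundll32 handing the DLL to its SysWOW64 counterpart. It also runs two process-tree checks that need no API telemetry: rundll32 loading a DLL from the user's Temp directory, and msiexec.exe spawned by rundll32.exe with no arguments. The process tree and row text are transcribed from the report; the regex, the labels and the verdict logic are this example's own assumptions, not Triage's.

```python
"""Reconstruct the injection chain from Triage-style signature rows.

Added example, not part of the Triage report. The process tree and the
signature rows below are transcribed from the report; the parsing regex,
the labels and the verdict logic are this example's own assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Proc(NamedTuple):
    image: str
    cmdline: str
    parent: Optional[int]


# Process tree transcribed from the report's Processes section.
PROCESSES: Dict[int, Proc] = {
    3092: Proc(r"C:\Windows\system32\rundll32.exe",
               r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1", None),
    5976: Proc(r"C:\Windows\SysWOW64\rundll32.exe",
               r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1", 3092),
    3212: Proc(r"C:\Windows\SysWOW64\msiexec.exe", "msiexec.exe", 5976),
}

# "description" column of the report's signature rows, one row per API call.
SIGNATURE_ROWS: List[str] = (
    ["PID 3092 wrote to memory of 5976"] * 3
    + ["PID 5976 wrote to memory of 3212"] * 5
    + ["PID 5976 set thread context of 3212"]
)

ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)$")
API_FOR = {"wrote to memory of": "WriteProcessMemory",
           "set thread context of": "SetThreadContext"}


def parse_rows(rows: List[str]) -> List[Tuple[int, str, int]]:
    """Turn description strings into (source_pid, api, target_pid); rows that
    do not name two PIDs (e.g. 'Token: SeSecurityPrivilege') are ignored."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append((int(m.group(1)), API_FOR[m.group(2)], int(m.group(3))))
    return events


def summarize_pairs(events: List[Tuple[int, str, int]]) -> Dict[Tuple[int, int], Dict[str, int]]:
    """Collapse per-call rows into {(src, dst): {api: count}}."""
    pairs: Dict[Tuple[int, int], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for src, api, dst in events:
        pairs[(src, dst)][api] += 1
    return pairs


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(dst: int, apis: Dict[str, int], procs: Dict[int, Proc]) -> str:
    """Label one source->target interaction.

    'injection': the source wrote into the target AND replaced a thread
    context there; when the target was also started with no arguments, the
    child exists only to host foreign code.
    'parent-write': writes only. The report shows the same rows for the
    64-bit rundll32 handing the DLL to its SysWOW64 counterpart, so on its
    own this is a weak signal."""
    wrote = apis.get("WriteProcessMemory", 0) > 0
    ctx = apis.get("SetThreadContext", 0) > 0
    if wrote and ctx:
        target = procs.get(dst)
        bare = target is not None and target.cmdline.strip().lower() == basename(target.image)
        return "injection into argument-less child" if bare else "injection"
    return "parent-write" if wrote else "none"


def analyze(rows: List[str], procs: Dict[int, Proc]) -> Dict[Tuple[int, int], str]:
    return {pair: classify(pair[1], apis, procs)
            for pair, apis in summarize_pairs(parse_rows(rows)).items()}


def suspicious_launches(procs: Dict[int, Proc]) -> List[Tuple[int, str]]:
    """Process-tree checks that need no API telemetry at all."""
    hits = []
    for pid, p in procs.items():
        parent = procs.get(p.parent) if p.parent is not None else None
        name = basename(p.image)
        if name == "rundll32.exe" and "\\appdata\\local\\temp\\" in p.cmdline.lower():
            hits.append((pid, "rundll32 loading a DLL from the user's Temp directory"))
        if (name == "msiexec.exe" and p.cmdline.strip().lower() == "msiexec.exe"
                and parent is not None and basename(parent.image) == "rundll32.exe"):
            hits.append((pid, "argument-less msiexec.exe spawned by rundll32.exe"))
    return hits


if __name__ == "__main__":
    for (src, dst), verdict in analyze(SIGNATURE_ROWS, PROCESSES).items():
        print(f"{src} -> {dst}: {verdict}")
    for pid, why in suspicious_launches(PROCESSES):
        print(f"PID {pid}: {why}")
```

Run stand-alone it labels 3092 -> 5976 as "parent-write" and 5976 -> 3212 as "injection into argument-less child", and flags all three processes in the tree. The same two functions can be fed rows from another report's WriteProcessMemory and SetThreadContext signatures; only the transcribed constants are specific to this sample.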