Analysis

max time kernel: 893s
max time network: 895s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 23-01-2024 11:21

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: june30.dll
Resource: win7-20231215-en (windows7-x64)
4 signatures, 1200 seconds
General

Target: june30.dll
Size: 607KB
MD5: 086e1c7401f82543d162ebaef816ef35
SHA1: 25fbe1ef6ed713011a02cd6fc930105d4f612130
SHA256: b8cef342a47915615a35aab7333567db7c86570d4d3362470e19b6d0b3dab1af
SHA512: be9bd937ef926cab65ada2f4103642993ae1428fa6b9a83f9824cc4f10cb07354954fa948a5d9b2c83ac79f7ac04269d9fb3ac8f21e46c53fdb2b4dd39c726f7
SSDEEP: 12288:p+gJA98D0ogyQT7x1wn6UIxsuAmHdbL69ZqQB02iMQ/t:pu8DRgHLC6UyzZWJB02iMQ/
Malware Config

Extracted
Family: zloader
Botnet: june29
Campaign: june
C2:
  http://snnmnkxdhflwgthqismb.com/web/post.php
  http://nlbmfsyplohyaicmxhum.com/web/post.php
  http://softwareserviceupdater1.com/web/post.php
  http://softwareserviceupdater2.com/web/post.php
Attributes:
  build_id: 11
  rc4.plain
  rsa_pubkey.plain
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process       procid_target
  PID 2540 set thread context of 1652  2540  rundll32.exe  31

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   process
  Token: SeSecurityPrivilege  1652  msiexec.exe
  Token: SeSecurityPrivilege  1652  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   process       procid_target  count
  PID 1444 wrote to memory of 2540  1444  rundll32.exe  28             7 identical events
  PID 2540 wrote to memory of 1652  2540  rundll32.exe  31             9 identical events
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\june30.dll,#1
   PID: 1444
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\june30.dll,#1
      PID: 2540
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe
         command line: msiexec.exe
         PID: 1652
         - Suspicious use of AdjustPrivilegeToken
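The signature combination in this report (a parent writing repeatedly into a freshly spawned, argument-less system binary and then calling SetThreadContext on it) is the classic process-hollowing footprint, and it is what separates the rundll32 to msiexec.exe step from the earlier rundll32 to rundll32 handoff, which only shows cross-process writes. The script below is an added example, not part of the sandbox report and not Zloader's own code; it encodes the report's Signatures and Processes rows as constructed records (the dict layout is an assumption, not the sandbox's export format) and flags the hollowing pair while leaving the write-only handoff alone.

```python
"""Flag a process-hollowing chain in sandbox API telemetry.

Added example; it is not part of the sandbox report and not Zloader's code.
The records below are constructed from the report's Signatures and Processes
sections; their dict layout is an assumption, not the sandbox's export format.
"""
from collections import Counter

# Constructed from the Processes section: pid -> image, command line, parent pid.
PROCESSES = {
    1444: {"image": "C:\\Windows\\system32\\rundll32.exe",
           "cmdline": "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\june30.dll,#1",
           "parent": None},
    2540: {"image": "C:\\Windows\\SysWOW64\\rundll32.exe",
           "cmdline": "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\june30.dll,#1",
           "parent": 1444},
    1652: {"image": "C:\\Windows\\SysWOW64\\msiexec.exe",
           "cmdline": "msiexec.exe",
           "parent": 2540},
}

# Constructed from the Signatures section: one record per IoC row.
EVENTS = (
    [{"api": "WriteProcessMemory", "pid": 1444, "target": 2540}] * 7
    + [{"api": "WriteProcessMemory", "pid": 2540, "target": 1652}] * 9
    + [{"api": "SetThreadContext", "pid": 2540, "target": 1652}]
    + [{"api": "AdjustPrivilegeToken", "pid": 1652, "target": 1652,
        "privilege": "SeSecurityPrivilege"}] * 2
)


def cross_process_writes(events):
    """Count WriteProcessMemory calls per (writer, target) pair, ignoring self-writes."""
    counts = Counter()
    for e in events:
        if e["api"] == "WriteProcessMemory" and e["pid"] != e["target"]:
            counts[(e["pid"], e["target"])] += 1
    return dict(counts)


def find_hollowing(processes, events):
    """Return sorted (injector, target) pairs that look like process hollowing.

    A hit needs all three: the injector wrote into the target's memory, the
    injector replaced a thread context in the target, and the target is the
    injector's direct child. Writes alone are not enough: the x64 rundll32
    (1444) also writes into its WoW64 child (2540) during the handoff but
    never touches its thread context, so that pair is not reported.
    """
    writes = cross_process_writes(events)
    ctx = {(e["pid"], e["target"]) for e in events
           if e["api"] == "SetThreadContext" and e["pid"] != e["target"]}
    hits = [pair for pair in ctx
            if pair in writes
            and processes.get(pair[1], {}).get("parent") == pair[0]]
    return sorted(hits)


def bare_system_hosts(processes):
    """PIDs whose image is a Windows system binary launched with no arguments.

    Hollowing hosts are usually created suspended with an empty command line
    so the injector can overwrite them before they run; msiexec.exe with no
    switches, as in this report, is a typical example.
    """
    system_dirs = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
    hits = []
    for pid, p in processes.items():
        in_windows = p["image"].lower().startswith(system_dirs)
        no_args = len(p["cmdline"].split()) == 1
        if in_windows and no_args:
            hits.append(pid)
    return sorted(hits)


def report(processes, events):
    """Human-readable summary of the chain, one line per finding."""
    writes = cross_process_writes(events)
    lines = []
    for inj, tgt in find_hollowing(processes, events):
        lines.append(f"hollowing: {inj} {processes[inj]['image']} -> "
                     f"{tgt} {processes[tgt]['image']} "
                     f"({writes[(inj, tgt)]} writes + SetThreadContext)")
    for pid in bare_system_hosts(processes):
        lines.append(f"bare system host: {pid} {processes[pid]['cmdline']!r} "
                     f"spawned by {processes[pid]['parent']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(PROCESSES, EVENTS)))
```

Run against the constructed records it reports one hollowing pair, 2540 into 1652, and one bare system host, the argument-less msiexec.exe. Requiring the parent-child relationship keeps the rule narrow; drop that condition if your telemetry also covers injection into already-running processes, at the cost of more work triaging legitimate debuggers and AV hooks that call the same APIs.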