Analysis

max time kernel: 927s
max time network: 930s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 23-01-2024 11:22
Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: june29.dll
  Resource: win7-20231215-en (windows7-x64)
  4 signatures, 1200 seconds
General

Target: june29.dll
Size: 573KB
MD5: 33a58437b5bc8f91e08960d2faa5f559
SHA1: f015e16c3847edd004aba53f358fe43b28c4f818
SHA256: dd84bd6db3500e786976d5c10fd2388a46dd5c34f79abd5dff624b9a568637aa
SHA512: 0fa6349def8590aafc8badf198d1abc7e9f906eec5852088270e2ba11986a918ad6b620c2a545def82c694f340e05ed3a3ad89deb780cc7a23ead1b3f1930f42
SSDEEP: 12288:wqZWueyN5dS3ioH+5hM+2lraLDjxBRQPe1ZFeg7fQ5om6tc:wqZreyN5derQ/bRrZFdkM
Malware Config

Extracted
Family: zloader
Botnet: june29
Campaign: june
C2:
  http://snnmnkxdhflwgthqismb.com/web/post.php
  http://nlbmfsyplohyaicmxhum.com/web/post.php
  http://softwareserviceupdater1.com/web/post.php
  http://softwareserviceupdater2.com/web/post.php
Attributes:
  build_id: 11
  rc4.plain
  rsa_pubkey.plain
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                  pid   Process       procid_target
  set thread context of 1536   2252  regsvr32.exe  31

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                  pid   Process
  Token: SeSecurityPrivilege   1536  msiexec.exe
  Token: SeSecurityPrivilege   1536  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                         pid   Process       procid_target  count
  PID 2288 wrote to memory of 2252    2288  regsvr32.exe  28             7 identical rows
  PID 2252 wrote to memory of 1536    2252  regsvr32.exe  31             9 identical rows
Processes

1. C:\Windows\system32\regsvr32.exe  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\june29.dll
   PID: 2288
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe  /s C:\Users\Admin\AppData\Local\Temp\june29.dll
      PID: 2252
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe  msiexec.exe
         PID: 1536
         - Suspicious use of AdjustPrivilegeToken

The 64-bit regsvr32.exe (PID 2288) re-launches the 32-bit SysWOW64 regsvr32.exe (PID 2252) to load the DLL; that 32-bit regsvr32 then spawns msiexec.exe (PID 1536), writes into its memory nine times and sets its thread context. WriteProcessMemory followed by SetThreadContext against the same child is the standard sequence for redirecting a freshly spawned process into attacker-written memory, so the msiexec.exe that subsequently adjusts SeSecurityPrivilege is running injected code, not the genuine installer.
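Reconstructing the injection chain from the rows above, as an added example that is not part of the sandbox report or of the Triage service. The input strings are copied from this report's Signatures section and the parent links follow the nesting of its Processes section; the regexes, the parent map and the `injection_pairs` heuristic (flag a source that both writes into and sets the thread context of the same target) are my own assumptions about how to read such rows.

```python
"""
Parse the flattened IoC rows of a Triage-style sandbox report and rebuild
the process-injection chain they describe.

Added example, not code from the report or from the Triage service. Input
strings are copied from this report; regexes, parent links and the
injection heuristic are assumptions made here.
"""
import re
from collections import Counter

# Signature rows, copied from the report (the extraction flattened them onto one line).
SET_THREAD_CONTEXT = "set thread context of 1536 2252 regsvr32.exe 31"
ADJUST_PRIVILEGE = ("Token: SeSecurityPrivilege 1536 msiexec.exe "
                    "Token: SeSecurityPrivilege 1536 msiexec.exe")
WRITE_PROCESS_MEMORY = (
    "PID 2288 wrote to memory of 2252 2288 regsvr32.exe 28 " * 7
    + "PID 2252 wrote to memory of 1536 2252 regsvr32.exe 31 " * 9
).strip()

# Process tree from the report: pid -> (image path, parent pid).
# Parent links are inferred from the tree's nesting (assumption).
PROCESSES = {
    2288: (r"C:\Windows\system32\regsvr32.exe", None),
    2252: (r"C:\Windows\SysWOW64\regsvr32.exe", 2288),
    1536: (r"C:\Windows\SysWOW64\msiexec.exe", 2252),
}

# Row layouts: description, pid, Process, procid_target (the pid repeats inside the description).
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
CTX_RE = re.compile(r"set thread context of (\d+) (\d+) (\S+) (\d+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")


def parse_writes(text):
    """Counter of (source_pid, target_pid) -> number of WriteProcessMemory rows."""
    return Counter((int(src), int(dst)) for src, dst, _img, _t in WRITE_RE.findall(text))


def parse_thread_context(text):
    """Set of (source_pid, target_pid) pairs where source changed target's thread context."""
    return {(int(src), int(dst)) for dst, src, _img, _t in CTX_RE.findall(text)}


def parse_privileges(text):
    """Map pid -> set of privileges it enabled via AdjustTokenPrivileges."""
    privs = {}
    for priv, pid, _img in TOKEN_RE.findall(text):
        privs.setdefault(int(pid), set()).add(priv)
    return privs


def injection_pairs(writes, ctx_pairs):
    """
    Heuristic (assumption): a process that writes into another process and
    also sets that process's thread context is redirecting execution into
    memory it planted, the core of hollowing / thread-hijack injection.
    A bare cross-process write with no context change is not flagged.
    """
    return sorted(pair for pair in ctx_pairs if writes.get(pair, 0) > 0)


def ancestry(pid, processes):
    """Walk parent links to the root; return 'image(pid) -> ... -> image(pid)'."""
    chain = []
    while pid is not None:
        image, parent = processes[pid]
        chain.append(f"{image.rsplit(chr(92), 1)[-1]}({pid})")
        pid = parent
    return " -> ".join(reversed(chain))


def report(processes=PROCESSES):
    """One finding per injector/target pair, with the target's lineage and privileges."""
    writes = parse_writes(WRITE_PROCESS_MEMORY)
    ctx = parse_thread_context(SET_THREAD_CONTEXT)
    privs = parse_privileges(ADJUST_PRIVILEGE)
    return [
        {
            "chain": ancestry(dst, processes),
            "injector": src,
            "target": dst,
            "write_rows": writes[(src, dst)],
            "target_privileges": sorted(privs.get(dst, ())),
        }
        for src, dst in injection_pairs(writes, ctx)
    ]


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

Run stand-alone, the script flags a single pair, 2252 -> 1536, and prints the lineage regsvr32.exe(2288) -> regsvr32.exe(2252) -> msiexec.exe(1536) with the nine write rows and the SeSecurityPrivilege adjustment on the target; the seven writes from 2288 into 2252 are left unflagged because no SetThreadContext row accompanies them.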