Analysis
max time kernel: 1140s
max time network: 1144s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-01-2024 11:22

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: june29.dll
  Resource: win7-20231215-en (windows7-x64)
  4 signatures, 1200 seconds
General
Target: june29.dll
Size: 573KB
MD5: 33a58437b5bc8f91e08960d2faa5f559
SHA1: f015e16c3847edd004aba53f358fe43b28c4f818
SHA256: dd84bd6db3500e786976d5c10fd2388a46dd5c34f79abd5dff624b9a568637aa
SHA512: 0fa6349def8590aafc8badf198d1abc7e9f906eec5852088270e2ba11986a918ad6b620c2a545def82c694f340e05ed3a3ad89deb780cc7a23ead1b3f1930f42
SSDEEP: 12288:wqZWueyN5dS3ioH+5hM+2lraLDjxBRQPe1ZFeg7fQ5om6tc:wqZreyN5derQ/bRrZFdkM
Malware Config (Extracted)
Family: zloader
Botnet: june29
Campaign: june
C2:
  http://snnmnkxdhflwgthqismb.com/web/post.php
  http://nlbmfsyplohyaicmxhum.com/web/post.php
  http://softwareserviceupdater1.com/web/post.php
  http://softwareserviceupdater2.com/web/post.php
Attributes:
  build_id: 11
  rc4.plain
  rsa_pubkey.plain
Signatures

Suspicious use of SetThreadContext (1 IoCs)
description                          pid   Process       procid_target
PID 1612 set thread context of 3480  1612  regsvr32.exe  98

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                 pid   Process
Token: SeSecurityPrivilege  3480  msiexec.exe
Token: SeSecurityPrivilege  3480  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process       procid_target
PID 1704 wrote to memory of 1612  1704  regsvr32.exe  87
PID 1704 wrote to memory of 1612  1704  regsvr32.exe  87
PID 1704 wrote to memory of 1612  1704  regsvr32.exe  87
PID 1612 wrote to memory of 3480  1612  regsvr32.exe  98
PID 1612 wrote to memory of 3480  1612  regsvr32.exe  98
PID 1612 wrote to memory of 3480  1612  regsvr32.exe  98
PID 1612 wrote to memory of 3480  1612  regsvr32.exe  98
PID 1612 wrote to memory of 3480  1612  regsvr32.exe  98
Processes

1. C:\Windows\system32\regsvr32.exe (PID 1704)
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\june29.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (PID 1612)
      command line: /s C:\Users\Admin\AppData\Local\Temp\june29.dll
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe (PID 3480)
         command line: msiexec.exe
         - Suspicious use of AdjustPrivilegeToken