Analysis
- max time kernel: 890s
- max time network: 890s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 23-01-2024 11:25

Static task: static1
- 1 signatures

Behavioral task: behavioral1
- Sample: JEsNEuI.dll
- Resource: win7-20231129-en (windows7-x64)
- 4 signatures
- 1200 seconds
General
- Target: JEsNEuI.dll
- Size: 356KB
- MD5: 9eea7a0571baf33fa6877e8f8ebb3ad7
- SHA1: 9a7738f3f73d78d9fe18ba5401081d27f4222c8d
- SHA256: 121d7fc3a0a43a6ef4b73f564175b92727281155b221ff6f34c00d73438b679e
- SHA512: 90b6440f8c0fd2946eb5e47882aaf6b608fc900e9684daf4da74579d8863e83d26be7d27e2e074a98fdf631f2e9d44bc3e79a619ef88db009ade73516afa3e94
- SSDEEP: 6144:IOA9EZYHHOsAFPtetI7AW7JOpoTIXbv6M19HBqxJPVZ5IebbnB:9A9EZgAFPtkI751OnrRbOJ1P
Malware Config
Extracted
- Family: zloader
- Botnet: june25
- Campaign: june
- C2:
  http://snnmnkxdhflwgthqismb.com/web/post.php
  http://nlbmfsyplohyaicmxhum.com/web/post.php
  http://softwareserviceupdater1.com/web/post.php
  http://softwareserviceupdater2.com/web/post.php
- Attributes:
  build_id: 9
  rc4.plain
  rsa_pubkey.plain
Signatures
-
Suspicious use of SetThreadContext (1 IoCs)
description                          pid   Process       procid_target
PID 2852 set thread context of 2804  2852  regsvr32.exe  31
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                 pid   Process
Token: SeSecurityPrivilege  2804  msiexec.exe
Token: SeSecurityPrivilege  2804  msiexec.exe
Suspicious use of WriteProcessMemory (16 IoCs)
description                       pid   Process       procid_target
PID 2028 wrote to memory of 2852  2028  regsvr32.exe  28
PID 2028 wrote to memory of 2852  2028  regsvr32.exe  28
PID 2028 wrote to memory of 2852  2028  regsvr32.exe  28
PID 2028 wrote to memory of 2852  2028  regsvr32.exe  28
PID 2028 wrote to memory of 2852  2028  regsvr32.exe  28
PID 2028 wrote to memory of 2852  2028  regsvr32.exe  28
PID 2028 wrote to memory of 2852  2028  regsvr32.exe  28
PID 2852 wrote to memory of 2804  2852  regsvr32.exe  31
PID 2852 wrote to memory of 2804  2852  regsvr32.exe  31
PID 2852 wrote to memory of 2804  2852  regsvr32.exe  31
PID 2852 wrote to memory of 2804  2852  regsvr32.exe  31
PID 2852 wrote to memory of 2804  2852  regsvr32.exe  31
PID 2852 wrote to memory of 2804  2852  regsvr32.exe  31
PID 2852 wrote to memory of 2804  2852  regsvr32.exe  31
PID 2852 wrote to memory of 2804  2852  regsvr32.exe  31
PID 2852 wrote to memory of 2804  2852  regsvr32.exe  31
Processes
1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JEsNEuI.dll
   - Suspicious use of WriteProcessMemory
   PID: 2028
   2. C:\Windows\SysWOW64\regsvr32.exe
      command line: /s C:\Users\Admin\AppData\Local\Temp\JEsNEuI.dll
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2852
      3. C:\Windows\SysWOW64\msiexec.exe
         command line: msiexec.exe
         - Suspicious use of AdjustPrivilegeToken
         PID: 2804