Resubmissions

23-01-2024 11:25

240123-njkn9saeb5 10

26-06-2020 08:43

200626-2199vtd32x 10

Analysis

  • max time kernel
    1165s
  • max time network
    1166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-01-2024 11:25

General

  • Target

    JEsNEuI.dll

  • Size

    356KB

  • MD5

    9eea7a0571baf33fa6877e8f8ebb3ad7

  • SHA1

    9a7738f3f73d78d9fe18ba5401081d27f4222c8d

  • SHA256

    121d7fc3a0a43a6ef4b73f564175b92727281155b221ff6f34c00d73438b679e

  • SHA512

    90b6440f8c0fd2946eb5e47882aaf6b608fc900e9684daf4da74579d8863e83d26be7d27e2e074a98fdf631f2e9d44bc3e79a619ef88db009ade73516afa3e94

  • SSDEEP

    6144:IOA9EZYHHOsAFPtetI7AW7JOpoTIXbv6M19HBqxJPVZ5IebbnB:9A9EZgAFPtkI751OnrRbOJ1P

Malware Config

Extracted

Family

zloader

Botnet

june25

Campaign

june

C2

http://snnmnkxdhflwgthqismb.com/web/post.php

http://nlbmfsyplohyaicmxhum.com/web/post.php

http://softwareserviceupdater1.com/web/post.php

http://softwareserviceupdater2.com/web/post.php

Attributes
  • build_id

    9

rc4.plain
rsa_pubkey.plain

Signatures

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JEsNEuI.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3880
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\JEsNEuI.dll
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4256
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4528

Network

MITRE ATT&CK Matrix

Downloads

  • memory/4256-0-0x0000000010000000-0x0000000010159000-memory.dmp (Filesize: 1.3MB)
  • memory/4256-1-0x0000000010000000-0x0000000010159000-memory.dmp (Filesize: 1.3MB)
  • memory/4256-2-0x0000000010000000-0x0000000010159000-memory.dmp (Filesize: 1.3MB)
  • memory/4256-3-0x0000000010000000-0x0000000010159000-memory.dmp (Filesize: 1.3MB)
  • memory/4256-5-0x0000000000BB0000-0x0000000000BB1000-memory.dmp (Filesize: 4KB)
  • memory/4256-4-0x0000000010000000-0x0000000010159000-memory.dmp (Filesize: 1.3MB)
  • memory/4256-10-0x0000000010000000-0x0000000010159000-memory.dmp (Filesize: 1.3MB)
  • memory/4528-9-0x0000000000490000-0x00000000004BB000-memory.dmp (Filesize: 172KB)
  • memory/4528-12-0x0000000000490000-0x00000000004BB000-memory.dmp (Filesize: 172KB)