Analysis

max time kernel: 1165s
max time network: 1166s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-01-2024 11:25

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: JEsNEuI.dll
  Resource: win7-20231129-en (windows7-x64)
  4 signatures, 1200 seconds
General

Target: JEsNEuI.dll
Size: 356KB
MD5: 9eea7a0571baf33fa6877e8f8ebb3ad7
SHA1: 9a7738f3f73d78d9fe18ba5401081d27f4222c8d
SHA256: 121d7fc3a0a43a6ef4b73f564175b92727281155b221ff6f34c00d73438b679e
SHA512: 90b6440f8c0fd2946eb5e47882aaf6b608fc900e9684daf4da74579d8863e83d26be7d27e2e074a98fdf631f2e9d44bc3e79a619ef88db009ade73516afa3e94
SSDEEP: 6144:IOA9EZYHHOsAFPtetI7AW7JOpoTIXbv6M19HBqxJPVZ5IebbnB:9A9EZgAFPtkI751OnrRbOJ1P
Malware Config (Extracted)

Family: zloader
Botnet: june25
Campaign: june
C2:
  http://snnmnkxdhflwgthqismb.com/web/post.php
  http://nlbmfsyplohyaicmxhum.com/web/post.php
  http://softwareserviceupdater1.com/web/post.php
  http://softwareserviceupdater2.com/web/post.php
Attributes:
  build_id: 9
  rc4.plain
  rsa_pubkey.plain
Signatures

Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   Process       procid_target
  PID 4256 set thread context of 4528    4256  regsvr32.exe  98

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   Process
  Token: SeSecurityPrivilege  4528  msiexec.exe
  Token: SeSecurityPrivilege  4528  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process       procid_target
  PID 3880 wrote to memory of 4256   3880  regsvr32.exe  86
  PID 3880 wrote to memory of 4256   3880  regsvr32.exe  86
  PID 3880 wrote to memory of 4256   3880  regsvr32.exe  86
  PID 4256 wrote to memory of 4528   4256  regsvr32.exe  98
  PID 4256 wrote to memory of 4528   4256  regsvr32.exe  98
  PID 4256 wrote to memory of 4528   4256  regsvr32.exe  98
  PID 4256 wrote to memory of 4528   4256  regsvr32.exe  98
  PID 4256 wrote to memory of 4528   4256  regsvr32.exe  98
Processes

1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JEsNEuI.dll
   - Suspicious use of WriteProcessMemory
   PID: 3880

   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\JEsNEuI.dll
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 4256

      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         - Suspicious use of AdjustPrivilegeToken
         PID: 4528