Resubmissions

Submitted | Analysis ID | Score
24-01-2024 08:17 | 240124-j6t41adgg8 | 10
24-01-2024 07:52 | 240124-jqd3vadcfj | 10
23-01-2024 11:54 | 240123-n28ttaafc8 | 10
24-06-2020 13:13 | 200624-qjwbdtfea2 | 10

Analysis
- max time kernel: 909s
- max time network: 911s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2024 08:17
Static task: static1
Behavioral task: behavioral1
Sample: june23.dll
Resource: win7-20231215-en
General
- Target: june23.dll
- Size: 383KB
- MD5: 7e889962ed9651933c46faa6f7b5ab6d
- SHA1: 015639fe2a6af8d9205e0fb36226c9d134b49fd8
- SHA256: a51d5fe8c5f9ea9c4af866b7b6669845433934e4b4528995a3ac1702e7002c0e
- SHA512: 914e07996a14bd4499b91333ab0de65748e5617d543dd0eff3a269d24a542f15cbe1dca7be618843c0d7fb60dcaf96e20e5de95ac2989dc48850ab1a10aa8ff2
- SSDEEP: 6144:0855ylon+ZoU2BrVjEv1Ah4voE4JDU20IRqTMjREIx6a:0mgllw9FmAhjxU2rRr6
Malware Config
Extracted
- Family: zloader
- june23
- june
- C2 URLs:
  - http://snnmnkxdhflwgthqismb.com/web/post.php
  - http://nlbmfsyplohyaicmxhum.com/web/post.php
  - http://softwareserviceupdater1.com/web/post.php
  - http://softwareserviceupdater2.com/web/post.php
- build_id: 7
Signatures

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2056 set thread context of 1472 | 2056 | rundll32.exe | 31

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeSecurityPrivilege | 1472 | msiexec.exe
Token: SeSecurityPrivilege | 1472 | msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 1700 wrote to memory of 2056 | 1700 | rundll32.exe | 28
PID 1700 wrote to memory of 2056 | 1700 | rundll32.exe | 28
PID 1700 wrote to memory of 2056 | 1700 | rundll32.exe | 28
PID 1700 wrote to memory of 2056 | 1700 | rundll32.exe | 28
PID 1700 wrote to memory of 2056 | 1700 | rundll32.exe | 28
PID 1700 wrote to memory of 2056 | 1700 | rundll32.exe | 28
PID 1700 wrote to memory of 2056 | 1700 | rundll32.exe | 28
PID 2056 wrote to memory of 1472 | 2056 | rundll32.exe | 31
PID 2056 wrote to memory of 1472 | 2056 | rundll32.exe | 31
PID 2056 wrote to memory of 1472 | 2056 | rundll32.exe | 31
PID 2056 wrote to memory of 1472 | 2056 | rundll32.exe | 31
PID 2056 wrote to memory of 1472 | 2056 | rundll32.exe | 31
PID 2056 wrote to memory of 1472 | 2056 | rundll32.exe | 31
PID 2056 wrote to memory of 1472 | 2056 | rundll32.exe | 31
PID 2056 wrote to memory of 1472 | 2056 | rundll32.exe | 31
PID 2056 wrote to memory of 1472 | 2056 | rundll32.exe | 31
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1
   PID: 1700
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1
      PID: 2056
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         PID: 1472
         - Suspicious use of AdjustPrivilegeToken