Resubmissions

Date              Task ID            Score
24-01-2024 08:17  240124-j6t41adgg8  10
24-01-2024 07:52  240124-jqd3vadcfj  10
23-01-2024 11:54  240123-n28ttaafc8  10
24-06-2020 13:13  200624-qjwbdtfea2  10

Analysis
max time kernel:   1165s
max time network:  1166s
platform:          windows10-2004_x64
resource:          win10v2004-20231215-en
resource tags:     arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted:         24-01-2024 08:17
Static task:       static1
Behavioral task:   behavioral1
Sample:            june23.dll
Resource:          win7-20231215-en
General

Target:   june23.dll
Size:     383KB
MD5:      7e889962ed9651933c46faa6f7b5ab6d
SHA1:     015639fe2a6af8d9205e0fb36226c9d134b49fd8
SHA256:   a51d5fe8c5f9ea9c4af866b7b6669845433934e4b4528995a3ac1702e7002c0e
SHA512:   914e07996a14bd4499b91333ab0de65748e5617d543dd0eff3a269d24a542f15cbe1dca7be618843c0d7fb60dcaf96e20e5de95ac2989dc48850ab1a10aa8ff2
SSDEEP:   6144:0855ylon+ZoU2BrVjEv1Ah4voE4JDU20IRqTMjREIx6a:0mgllw9FmAhjxU2rRr6
Malware Config

Extracted
Family:     zloader
Botnet:     june23
Campaign:   june
C2:         http://snnmnkxdhflwgthqismb.com/web/post.php
            http://nlbmfsyplohyaicmxhum.com/web/post.php
            http://softwareserviceupdater1.com/web/post.php
            http://softwareserviceupdater2.com/web/post.php
build_id:   7
Signatures

Suspicious use of SetThreadContext (1 IoC)
description                           pid   Process       procid_target
PID 4556 set thread context of 4136   4556  rundll32.exe  98

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                   pid   Process
Token: SeSecurityPrivilege    4136  msiexec.exe
Token: SeSecurityPrivilege    4136  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process       procid_target
PID 1068 wrote to memory of 4556   1068  rundll32.exe  86
PID 1068 wrote to memory of 4556   1068  rundll32.exe  86
PID 1068 wrote to memory of 4556   1068  rundll32.exe  86
PID 4556 wrote to memory of 4136   4556  rundll32.exe  98
PID 4556 wrote to memory of 4136   4556  rundll32.exe  98
PID 4556 wrote to memory of 4136   4556  rundll32.exe  98
PID 4556 wrote to memory of 4136   4556  rundll32.exe  98
PID 4556 wrote to memory of 4136   4556  rundll32.exe  98
Processes

1. C:\Windows\system32\rundll32.exe  (PID 1068)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe  (PID 4556)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe  (PID 4136)
         msiexec.exe
         - Suspicious use of AdjustPrivilegeToken
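The Signatures and Processes sections above record the loader's injection chain: a 64-bit rundll32 loads june23.dll by ordinal from %TEMP%, spawns the SysWOW64 rundll32 with the same command line, and that 32-bit copy writes into a freshly spawned msiexec.exe and sets its thread context. The Python below is an added example, not part of the sandbox report or of the Zloader sample; it rebuilds those events as constructed records (the event schema, the PROCESSES/API_EVENTS lists and the HOLLOW_HOSTS set are assumptions) and implements the two checks a detection engineer would derive from this page: a rundll32 command line calling an ordinal export of a DLL under AppData\Local\Temp, and a parent that both writes memory into and sets a thread context on a child it spawned when that child is a common hollowing host.

```python
"""Detection logic for the rundll32 -> rundll32 -> msiexec chain in this report.

Added example. PROCESSES and API_EVENTS are constructed from the report's
Processes and Signatures tables; the record layout is an assumption, not a
sandbox export format.
"""
import re
from collections import defaultdict

# Constructed from the Processes section (pid, parent pid, image, command line).
PROCESSES = [
    {"pid": 1068, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1"},
    {"pid": 4556, "ppid": 1068, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\june23.dll,#1"},
    {"pid": 4136, "ppid": 4556, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": "msiexec.exe"},
]

# Constructed from the Signatures section as (api, source pid, target pid);
# duplicate rows are kept exactly as the report lists them.
API_EVENTS = [
    ("WriteProcessMemory", 1068, 4556),
    ("WriteProcessMemory", 1068, 4556),
    ("WriteProcessMemory", 1068, 4556),
    ("WriteProcessMemory", 4556, 4136),
    ("WriteProcessMemory", 4556, 4136),
    ("WriteProcessMemory", 4556, 4136),
    ("WriteProcessMemory", 4556, 4136),
    ("WriteProcessMemory", 4556, 4136),
    ("SetThreadContext", 4556, 4136),
]

# Assumed list of signed Windows binaries that loaders commonly hollow.
HOLLOW_HOSTS = {"msiexec.exe", "svchost.exe", "explorer.exe", "regsvr32.exe", "rundll32.exe"}

# rundll32 calling an ordinal export (",#N") of a DLL under AppData\Local\Temp.
TEMP_ORDINAL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^\s"]*\\AppData\\Local\\Temp\\[^\s",]+)"?\s*,\s*#\d+',
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chain(by_pid: dict, pid: int) -> str:
    """Image names from the root ancestor down to pid, joined with ' > '."""
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(names))


def rundll32_temp_ordinal(processes: list) -> list:
    """PIDs of rundll32 instances loading an ordinal export of a DLL in %TEMP%."""
    return sorted(p["pid"] for p in processes
                  if basename(p["image"]) == "rundll32.exe"
                  and TEMP_ORDINAL_RE.search(p["cmdline"]))


def find_hollowing(processes: list, api_events: list) -> list:
    """Flag a parent that both wrote into and set the thread context of a child
    it spawned, when the child is a known hollowing host.

    WriteProcessMemory alone is not enough: parents routinely write into children
    they create, so the rule requires SetThreadContext on the same target.
    """
    by_pid = {p["pid"]: p for p in processes}
    writes = defaultdict(set)   # source pid -> pids it wrote into
    ctx = defaultdict(set)      # source pid -> pids it called SetThreadContext on
    for api, src, dst in api_events:
        if src == dst:          # a process touching its own memory/threads is normal
            continue
        if api == "WriteProcessMemory":
            writes[src].add(dst)
        elif api == "SetThreadContext":
            ctx[src].add(dst)

    findings = []
    for src in sorted(ctx):
        for dst in sorted(ctx[src] & writes[src]):
            child = by_pid.get(dst)
            if child is None or child["ppid"] != src:
                continue        # only the spawn-then-overwrite pattern
            if basename(child["image"]) not in HOLLOW_HOSTS:
                continue
            findings.append({
                "injector_pid": src,
                "target_pid": dst,
                "target_image": basename(child["image"]),
                "writes": sum(1 for a, s, d in api_events
                              if a == "WriteProcessMemory" and s == src and d == dst),
                "chain": chain(by_pid, dst),
            })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(PROCESSES, API_EVENTS):
        print(f"hollowing: {f['chain']} (pid {f['injector_pid']} -> {f['target_pid']}, "
              f"{f['writes']} writes)")
    print("rundll32 %TEMP% ordinal loads:", rundll32_temp_ordinal(PROCESSES))
```

Run against the constructed records, the hollowing rule fires once, for 4556 -> 4136 (rundll32.exe > rundll32.exe > msiexec.exe, five writes), and the command-line rule flags both rundll32 instances. The report's first three WriteProcessMemory rows (1068 into 4556) do not fire the hollowing rule on their own, which is the intended behaviour: the system32 rundll32 re-launching its SysWOW64 copy with an identical command line is what the first two tree entries look like, and a parent writing into a child it just created is too common to alert on without the accompanying SetThreadContext.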