Resubmissions
Date              Analysis ID         Score
24-01-2024 07:29  240124-jbnczachd9   10
23-01-2024 11:54  240123-n2wjgsafc6   10
26-06-2020 08:43  200626-953qfplyej   10

Analysis
max time kernel: 915s
max time network: 917s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24-01-2024 07:29
Static task: static1
Behavioral task: behavioral1
  Sample: xiynk.dll
  Resource: win7-20231215-en
General
Target: xiynk.dll
Size: 356KB
MD5: e83a8a849188b48e79a6f49dd0c7ae91
SHA1: 55a1669550d823104e1452f0e6a0a94c3f7fae12
SHA256: a97b7b2353dc9012b6cb914f6665d0e93f557859411d2e08b942316c09d7b07f
SHA512: b035faff865f72977879322f9d1c08c6f87c96a8805db76a0e5ae4b6118f2b075e58bb1cc6a9cee8ce1c51763301443bab40970ad1f072a1763d7d7727e477f4
SSDEEP: 6144:IOA9EZXHHOsAFPtetI7AW7JOpoTIXbv6M19HBqxJPVZ5IebbnB:9A9EZZAFPtkI751OnrRbOJ1P
Malware Config
Extracted
zloader
june25
june
http://snnmnkxdhflwgthqismb.com/web/post.php
http://nlbmfsyplohyaicmxhum.com/web/post.php
http://softwareserviceupdater1.com/web/post.php
http://softwareserviceupdater2.com/web/post.php
build_id: 9
Signatures

Suspicious use of SetThreadContext (1 IoC)
description                              pid   Process       procid_target
PID 2928 set thread context of 2908      2928  regsvr32.exe  31

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                   pid   Process
Token: SeSecurityPrivilege    2908  msiexec.exe
Token: SeSecurityPrivilege    2908  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description                              pid   Process       procid_target
PID 2212 wrote to memory of 2928         2212  regsvr32.exe  28   (7 identical entries)
PID 2928 wrote to memory of 2908         2928  regsvr32.exe  31   (9 identical entries)
Processes

1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\xiynk.dll
   PID: 2212
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe (child of 1)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\xiynk.dll
      PID: 2928
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe (child of 2)
         Command line: msiexec.exe
         PID: 2908
         - Suspicious use of AdjustPrivilegeToken