Resubmissions
24-01-2024 07:29  240124-jbnczachd9  10
23-01-2024 11:54  240123-n2wjgsafc6  10
26-06-2020 08:43  200626-953qfplyej  10

Analysis
max time kernel: 1169s
max time network: 1174s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 24-01-2024 07:29
Static task: static1
Behavioral task: behavioral1
Sample: xiynk.dll
Resource: win7-20231215-en
General
Target: xiynk.dll
Size: 356KB
MD5: e83a8a849188b48e79a6f49dd0c7ae91
SHA1: 55a1669550d823104e1452f0e6a0a94c3f7fae12
SHA256: a97b7b2353dc9012b6cb914f6665d0e93f557859411d2e08b942316c09d7b07f
SHA512: b035faff865f72977879322f9d1c08c6f87c96a8805db76a0e5ae4b6118f2b075e58bb1cc6a9cee8ce1c51763301443bab40970ad1f072a1763d7d7727e477f4
SSDEEP: 6144:IOA9EZXHHOsAFPtetI7AW7JOpoTIXbv6M19HBqxJPVZ5IebbnB:9A9EZZAFPtkI751OnrRbOJ1P
Malware Config
Extracted: zloader
june25
june
http://snnmnkxdhflwgthqismb.com/web/post.php
http://nlbmfsyplohyaicmxhum.com/web/post.php
http://softwareserviceupdater1.com/web/post.php
http://softwareserviceupdater2.com/web/post.php
build_id: 9
Signatures

Suspicious use of SetThreadContext (1 IoCs)
description                          pid   Process       procid_target
PID 2900 set thread context of 3692  2900  regsvr32.exe  98

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                 pid   Process
Token: SeSecurityPrivilege  3692  msiexec.exe
Token: SeSecurityPrivilege  3692  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process       procid_target
PID 1220 wrote to memory of 2900  1220  regsvr32.exe  86
PID 1220 wrote to memory of 2900  1220  regsvr32.exe  86
PID 1220 wrote to memory of 2900  1220  regsvr32.exe  86
PID 2900 wrote to memory of 3692  2900  regsvr32.exe  98
PID 2900 wrote to memory of 3692  2900  regsvr32.exe  98
PID 2900 wrote to memory of 3692  2900  regsvr32.exe  98
PID 2900 wrote to memory of 3692  2900  regsvr32.exe  98
PID 2900 wrote to memory of 3692  2900  regsvr32.exe  98
Processes

1. C:\Windows\system32\regsvr32.exe
   regsvr32 /s C:\Users\Admin\AppData\Local\Temp\xiynk.dll
   PID: 1220
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\xiynk.dll
      PID: 2900
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe
         msiexec.exe
         PID: 3692
         - Suspicious use of AdjustPrivilegeToken