Resubmissions
24-01-2024 07:41  240124-jh881sdbd8  10
23-01-2024 11:54  240123-n22qhahhfj  10
24-06-2020 14:53  200624-jtkdx94cps  10

Analysis
max time kernel: 1173s
max time network: 1177s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-01-2024 07:41
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Variant.Johnnie.255811.4892.dll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Variant.Johnnie.255811.4892.dll
  Resource: win10v2004-20231215-en
General
Target: SecuriteInfo.com.Variant.Johnnie.255811.4892.dll
Size: 424KB
MD5: fc33761a594599efe5617c8359531b38
SHA1: c85e06833ba3a037e3685dd05308ef98e2c72e82
SHA256: c8b452572f409a7d0752734334371c900983c8e15cbf8299bda7fe7a33a1047e
SHA512: 5566c9fbf50ad90db1b6f0ef66e56273acfe64d4855caf818ec1caf208016688c64cef75bfd58e1dcf2883a99576a717a26c39e55af003dd87d15eb2c4ed6824
SSDEEP: 6144:kQ0fpRug1NzpAhY2Zgi1ny2YT2oqCesyq+V6pDDW3FdREH5gH+xWz1:kQ0Rsg58Yti9y2voyskVmO3BlH+W
Malware Config
Extracted
zloader
June18newret
June
http://snnmnkxdhflwgthqismb.com/web/post.php
http://nlbmfsyplohyaicmxhum.com/web/post.php
http://softwareserviceupdater1.com/web/post.php
http://softwareserviceupdater2.com/web/post.php
build_id: 3
Signatures

Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process       procid_target
  PID 3144 set thread context of 2152   3144  rundll32.exe  97

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   Process
  Token: SeSecurityPrivilege  2152  msiexec.exe
  Token: SeSecurityPrivilege  2152  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                     pid   Process       procid_target
  PID 3488 wrote to memory of 3144  3488  rundll32.exe  85
  PID 3488 wrote to memory of 3144  3488  rundll32.exe  85
  PID 3488 wrote to memory of 3144  3488  rundll32.exe  85
  PID 3144 wrote to memory of 2152  3144  rundll32.exe  97
  PID 3144 wrote to memory of 2152  3144  rundll32.exe  97
  PID 3144 wrote to memory of 2152  3144  rundll32.exe  97
  PID 3144 wrote to memory of 2152  3144  rundll32.exe  97
  PID 3144 wrote to memory of 2152  3144  rundll32.exe  97
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.255811.4892.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3488

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.255811.4892.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3144

    C:\Windows\SysWOW64\msiexec.exe
      command line: msiexec.exe
      - Suspicious use of AdjustPrivilegeToken
      PID: 2152