Resubmissions

Date              Task ID            Score
31-01-2024 21:42  240131-1ktpsadab6  10
24-01-2024 07:47  240124-jml92sdcd6  10
23-01-2024 11:54  240123-n25r6ahhfk  10
24-06-2020 13:36  200624-enc457kzrj  10

Analysis

max time kernel:  142s
max time network: 151s
platform:         windows10-2004_x64
resource:         win10v2004-20231215-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted:        31-01-2024 21:42
Static task:     static1
Behavioral task: behavioral1  Sample: A004BC8B4F3DB1EF5A66579B9746B5B1.dll  Resource: win7-20231215-en
Behavioral task: behavioral2  Sample: A004BC8B4F3DB1EF5A66579B9746B5B1.dll  Resource: win10v2004-20231215-en
General

Target: A004BC8B4F3DB1EF5A66579B9746B5B1.dll
Size:   424KB
MD5:    a004bc8b4f3db1ef5a66579b9746b5b1
SHA1:   88a5fcebfd7a037a9ca9573772ac2334a61b25de
SHA256: 42bb5eae534eb2cea979c300b797a65febf291b28aea0b9d8bbea7d0a41bffa2
SHA512: 28aed111b2ecea90c2da03871f36272b8680d392c245fdf0e2f4d4454974a3a51d6744133cecfc2576bbc778742f9b824e8355026b53d029d13ff79bb2136f9b
SSDEEP: 6144:kQ0fpRug1NzpAhY2Zgi1ny2YT2oqCesyc+V6pDDW3FdREH5gH+xWz1:kQ0Rsg58Yti9y2voysiVmO3BlH+W
Malware Config

Extracted family: zloader
June18newret
June
C2:
  http://snnmnkxdhflwgthqismb.com/web/post.php
  http://nlbmfsyplohyaicmxhum.com/web/post.php
  http://softwareserviceupdater1.com/web/post.php
  http://softwareserviceupdater2.com/web/post.php
build_id: 3
Signatures

Suspicious use of SetThreadContext (1 IoC)
description                            pid   Process       procid_target
PID 4856 set thread context of 3100    4856  rundll32.exe  93

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                            pid   Process
Token: SeSecurityPrivilege             3100  msiexec.exe
Token: SeSecurityPrivilege             3100  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                            pid   Process       procid_target
PID 1668 wrote to memory of 4856       1668  rundll32.exe  84
PID 1668 wrote to memory of 4856       1668  rundll32.exe  84
PID 1668 wrote to memory of 4856       1668  rundll32.exe  84
PID 4856 wrote to memory of 3100       4856  rundll32.exe  93
PID 4856 wrote to memory of 3100       4856  rundll32.exe  93
PID 4856 wrote to memory of 3100       4856  rundll32.exe  93
PID 4856 wrote to memory of 3100       4856  rundll32.exe  93
PID 4856 wrote to memory of 3100       4856  rundll32.exe  93
Processes

C:\Windows\system32\rundll32.exe  (PID 1668)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\A004BC8B4F3DB1EF5A66579B9746B5B1.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 4856)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\A004BC8B4F3DB1EF5A66579B9746B5B1.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe  (PID 3100)
      command line: msiexec.exe
      - Suspicious use of AdjustPrivilegeToken