nloader | 8229a6d0339c001fd0ce51db1b10748d37c838baee130afea2488f2ad0e05ac4

Analysis

Target

sgm.bin.dll
Size

40KB
MD5

8a9a8739404210e7e454dc2466872f23
SHA1

a3dbb6cb1eed87147f734c933e087bd66954ca18
SHA256

8229a6d0339c001fd0ce51db1b10748d37c838baee130afea2488f2ad0e05ac4
SHA512

2479c99ffc4002c909a1e6acf66ed2b6dc32efeea0b6182eb2ca8bb5cbe65bd85e507a0bab5f1e38232918cf59f29b592dc1f83b4d9684106ebf5707e057726e

Score

10^/10

nloader loader

Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Nloader Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1668-5-0x0000000010000000-0x0000000010007000-memory.dmp	nloader
behavioral1/memory/1668-4-0x0000000000170000-0x0000000000179000-memory.dmp	nloader
behavioral1/memory/1668-8-0x0000000000160000-0x0000000000167000-memory.dmp	nloader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

1916 1668 WerFault.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1916 WerFault.exe
1916 WerFault.exe
1916 WerFault.exe
1916 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1916 WerFault.exe

pid	pid_target	process
1916	1668	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1916	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1724 wrote to memory of 1668	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 1668	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 1668	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 1668	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 1668	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 1668	1724	rundll32.exe	rundll32.exe
PID 1724 wrote to memory of 1668	1724	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1916	1668	rundll32.exe	WerFault.exe
PID 1668 wrote to memory of 1916	1668	rundll32.exe	WerFault.exe
PID 1668 wrote to memory of 1916	1668	rundll32.exe	WerFault.exe
PID 1668 wrote to memory of 1916	1668	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sgm.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\sgm.bin.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668

memory/1668-5-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1668-4-0x0000000000170000-0x0000000000179000-memory.dmp

Filesize
36KB

Download
memory/1668-3-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1668-2-0x0000000000000000-mapping.dmp

Download
memory/1668-8-0x0000000000160000-0x0000000000167000-memory.dmp

Filesize
28KB

Download
memory/1668-10-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1916-6-0x0000000000000000-mapping.dmp

Download
memory/1916-7-0x0000000001F70000-0x0000000001F81000-memory.dmp

Filesize
68KB

Download
memory/1916-9-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download