nloader | 3205ebcea1f138f0171ff3815d594883805b4af48a24bc0d6228d0b0ee12ddb4

Resubmissions

18-05-2021 21:02

18-05-2021 19:36

Target

4802545.xs2.dll
Size

110KB
MD5

cfb94c893280fd1edd40a4c74031727a
SHA1

9bf1f365e14842621854282f976b890478816a77
SHA256

3205ebcea1f138f0171ff3815d594883805b4af48a24bc0d6228d0b0ee12ddb4
SHA512

31b573054e5963c939cab24b48a8610f757ea94eba21c5101f2df3ffd8fc3120327795692feda7d448091a93b4befb389eed48e17662d7f2e3b19cc441a56988

Score

10^/10

nloader loader

Nloader
Simple loader that includes the keyword 'campo' in the URL used to download other families.
loader nloader

Nloader Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1968-62-0x00000000001F0000-0x00000000001F5000-memory.dmp	nloader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1668 1968 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1668 WerFault.exe
1668 WerFault.exe
1668 WerFault.exe
1668 WerFault.exe
1668 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1668 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1668 WerFault.exe

pid	pid_target	process	target process
1668	1968	WerFault.exe	rundll32.exe

pid	process
1668	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1668	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1988 wrote to memory of 1968	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1968	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1968	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1968	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1968	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1968	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1968	1988	rundll32.exe	rundll32.exe
PID 1968 wrote to memory of 1668	1968	rundll32.exe	WerFault.exe
PID 1968 wrote to memory of 1668	1968	rundll32.exe	WerFault.exe
PID 1968 wrote to memory of 1668	1968	rundll32.exe	WerFault.exe
PID 1968 wrote to memory of 1668	1968	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4802545.xs2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4802545.xs2.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 436
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1668

memory/1668-64-0x0000000000000000-mapping.dmp

Download
memory/1668-65-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/1968-60-0x0000000000000000-mapping.dmp

Download
memory/1968-61-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1968-62-0x00000000001F0000-0x00000000001F5000-memory.dmp

Filesize
20KB

Download