nloader | a41258dd0239a487f31f91d4fd8e7d7eb05682bcb1e5f00d843382c3c5c20010

Analysis

Target

4802545.xs2.dll
Size

110KB
MD5

cfb94c893280fd1edd40a4c74031727a
SHA1

9bf1f365e14842621854282f976b890478816a77
SHA256

3205ebcea1f138f0171ff3815d594883805b4af48a24bc0d6228d0b0ee12ddb4
SHA512

31b573054e5963c939cab24b48a8610f757ea94eba21c5101f2df3ffd8fc3120327795692feda7d448091a93b4befb389eed48e17662d7f2e3b19cc441a56988

Score

10^/10

nloader loader

Nloader
Simple loader that includes the keyword 'campo' in the URL used to download other families.
loader nloader

Nloader Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1300-115-0x0000000001040000-0x0000000001045000-memory.dmp	nloader

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3132	1300	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1300	852	rundll32.exe	70
PID 852 wrote to memory of 1300	852	rundll32.exe	70
PID 852 wrote to memory of 1300	852	rundll32.exe	70

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4802545.xs2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4802545.xs2.dll,#1
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 820
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3132

memory/1300-115-0x0000000001040000-0x0000000001045000-memory.dmp

Filesize
20KB

Download