nloader | 3205ebcea1f138f0171ff3815d594883805b4af48a24bc0d6228d0b0ee12ddb4 | Triage

Resubmissions

18-05-2021 21:02

210518-4nn39mdaee 10

18-05-2021 19:36

210518-pw8287wyc2 10

Analysis

max time kernel
123s
max time network
123s
platform
windows7_x64
resource
win7v20210410
submitted
18-05-2021 19:36

Sharing

Report Analysis Logs

General

Target

4802545.xs2.dll
Size

110KB
MD5

cfb94c893280fd1edd40a4c74031727a
SHA1

9bf1f365e14842621854282f976b890478816a77
SHA256

3205ebcea1f138f0171ff3815d594883805b4af48a24bc0d6228d0b0ee12ddb4
SHA512

31b573054e5963c939cab24b48a8610f757ea94eba21c5101f2df3ffd8fc3120327795692feda7d448091a93b4befb389eed48e17662d7f2e3b19cc441a56988

Score

10^/10

nloader loader

Malware Config

Signatures

Nloader
Simple loader that includes the keyword 'campo' in the URL used to download other families.
loader nloader

Nloader Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1896-61-0x0000000000120000-0x0000000000125000-memory.dmp	nloader

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

6 1896 rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1088 wrote to memory of 1896	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1896	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1896	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1896	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1896	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1896	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1896	1088	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4802545.xs2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4802545.xs2.dll,#1
2⤵
- Blocklisted process makes network request
PID:1896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1896-59-0x0000000000000000-mapping.dmp

Download
memory/1896-60-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1896-61-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download