Analysis

  • max time kernel
    143s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 12:40

General

  • Target

    e29f14ed1dc3b16a16114912695d69e7a952ca0c51374c59618bfedeac56b43a.dll

  • Size

    22KB

  • MD5

    a469d5403003584e71c5e5bdbfc5d4e4

  • SHA1

    adf569be634c8bd03cc1948042499545a1bd1996

  • SHA256

    e29f14ed1dc3b16a16114912695d69e7a952ca0c51374c59618bfedeac56b43a

  • SHA512

    fabdb31756703f80cf168ee43f47e1538b43e02e4f9ac648c852aa7da3b87add8aaad1a08865ff2d8f2f1e48d4122fe7faf67453924885badad63df8c2f4c15a

Score
10/10

Malware Config

Signatures

  • Nloader

    Simple loader that includes the keyword 'campo' in the URL used to download other families.

  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Nloader Payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e29f14ed1dc3b16a16114912695d69e7a952ca0c51374c59618bfedeac56b43a.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e29f14ed1dc3b16a16114912695d69e7a952ca0c51374c59618bfedeac56b43a.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:1552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 812
        3⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2452
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1552 -ip 1552
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:2852
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1552 -ip 1552
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:1076

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1552-130-0x0000000010000000-0x0000000010007000-memory.dmp

    Filesize

    28KB

  • memory/1552-132-0x00000000029F0000-0x00000000029F5000-memory.dmp

    Filesize

    20KB