5f1f4f061ffd3931d2d117476b0492d47b9d8201f293624fbf94b7f9968adb3e

Analysis

max time kernel
151s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 07:47

Target

5f1f4f061ffd3931d2d117476b0492d47b9d8201f293624fbf94b7f9968adb3e.dll
Size

26KB
MD5

58743a96cecb5db5c9d915a0aebae323
SHA1

c8105a3fd301f4b2d08416e16188dcd18d484a91
SHA256

5f1f4f061ffd3931d2d117476b0492d47b9d8201f293624fbf94b7f9968adb3e
SHA512

80951981d76d28d7f0f1c08c5dcbf1496b1f5ffbe30e1e3e48740245e19e699caf04cfd6fa0adf416698b1ac3a9db2cfbc41676b5294d4c23b7b003466056080
SSDEEP

768:Tdh9fQUpt79DTowgzkKPK6QOWVTnSlmg1wUulxC/3ESrDvL:RoUpzDTo1Q+UtSMuuloPESrDvL

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1624	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\oficx.dll	rundll32.exe
File opened for modification	C:\Windows\oficx.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "5f1f4f061ffd3931d2d117476b0492d47b9d8201f293624fbf94b7f9968adb3e.dll,1293806123,641534121,-1814625877"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4012	4644	rundll32.exe	81
PID 4644 wrote to memory of 4012	4644	rundll32.exe	81
PID 4644 wrote to memory of 4012	4644	rundll32.exe	81
PID 4012 wrote to memory of 1624	4012	rundll32.exe	82
PID 4012 wrote to memory of 1624	4012	rundll32.exe	82
PID 4012 wrote to memory of 1624	4012	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f1f4f061ffd3931d2d117476b0492d47b9d8201f293624fbf94b7f9968adb3e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f1f4f061ffd3931d2d117476b0492d47b9d8201f293624fbf94b7f9968adb3e.dll,#1
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\oficx.dll",_RunAs@16
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1624

C:\Windows\oficx.dll

Filesize
26KB

MD5
58743a96cecb5db5c9d915a0aebae323

SHA1
c8105a3fd301f4b2d08416e16188dcd18d484a91

SHA256
5f1f4f061ffd3931d2d117476b0492d47b9d8201f293624fbf94b7f9968adb3e

SHA512
80951981d76d28d7f0f1c08c5dcbf1496b1f5ffbe30e1e3e48740245e19e699caf04cfd6fa0adf416698b1ac3a9db2cfbc41676b5294d4c23b7b003466056080

Download Submit
C:\Windows\oficx.dll

Filesize
26KB

MD5
58743a96cecb5db5c9d915a0aebae323

SHA1
c8105a3fd301f4b2d08416e16188dcd18d484a91

SHA256
5f1f4f061ffd3931d2d117476b0492d47b9d8201f293624fbf94b7f9968adb3e

SHA512
80951981d76d28d7f0f1c08c5dcbf1496b1f5ffbe30e1e3e48740245e19e699caf04cfd6fa0adf416698b1ac3a9db2cfbc41676b5294d4c23b7b003466056080

Download Submit
memory/1624-137-0x0000000010000000-0x000000001004F000-memory.dmp

Filesize
316KB

Download
memory/1624-139-0x0000000010000000-0x000000001004F000-memory.dmp

Filesize
316KB

Download
memory/4012-133-0x0000000010000000-0x000000001004F000-memory.dmp

Filesize
316KB

Download
memory/4012-138-0x0000000010000000-0x000000001004F000-memory.dmp

Filesize
316KB

Download