035c1959eb274806f26b2e6c29d13152eeacb976560de99a331b4ece1de367b8

Analysis

max time kernel
176s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 19:12

Target

shfres.dll
Size

14KB
MD5

e341e3babd8c1aa0f9afd2f1dfda88b3
SHA1

8d5668854322b4b323ef8cf36cfdc1d2cfca1dfa
SHA256

fc9fd53ee4896414b3d8ce1b59d4764dbabde014bc37ef0364f292c69189ccf8
SHA512

e3012c4862dd8a87653ee84cb7ebac922f3540c35e3192a4621f4f436d4635ccafed49ddfe289364096ff9ab9d7c2c206c495ee5675e84d82c5d77235eae0994
SSDEEP

192:/n7sMpNoeVVhzNQXFiG+RhEekYlxeLBiqq2mJbixmBGnziiBMv3p6pajojEFk2XD:4MpaeBzNekG+RlS9c2mJbigbB2anLX

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral10/memory/4700-133-0x0000000010000000-0x000000001000E000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4700 rundll32.exe
4700 rundll32.exe
4700 rundll32.exe
4700 rundll32.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4700	rundll32.exe
Token: SeSecurityPrivilege	4700	rundll32.exe
Token: SeTakeOwnershipPrivilege	4700	rundll32.exe
Token: SeLoadDriverPrivilege	4700	rundll32.exe
Token: SeSystemProfilePrivilege	4700	rundll32.exe
Token: SeSystemtimePrivilege	4700	rundll32.exe
Token: SeProfSingleProcessPrivilege	4700	rundll32.exe
Token: SeIncBasePriorityPrivilege	4700	rundll32.exe
Token: SeCreatePagefilePrivilege	4700	rundll32.exe
Token: SeShutdownPrivilege	4700	rundll32.exe
Token: SeDebugPrivilege	4700	rundll32.exe
Token: SeSystemEnvironmentPrivilege	4700	rundll32.exe
Token: SeRemoteShutdownPrivilege	4700	rundll32.exe
Token: SeUndockPrivilege	4700	rundll32.exe
Token: SeManageVolumePrivilege	4700	rundll32.exe
Token: 33	4700	rundll32.exe
Token: 34	4700	rundll32.exe
Token: 35	4700	rundll32.exe
Token: 36	4700	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1288 wrote to memory of 4700	1288	rundll32.exe	rundll32.exe
PID 1288 wrote to memory of 4700	1288	rundll32.exe	rundll32.exe
PID 1288 wrote to memory of 4700	1288	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\shfres.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1288

memory/4700-132-0x0000000000000000-mapping.dmp

Download
memory/4700-133-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download