1f3e35bc9dcd89456b88298823eba1cfcfd7348b79e7f4cfae216cc63f3e79c9

Analysis

max time kernel
187s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 05:43

Target

1f3e35bc9dcd89456b88298823eba1cfcfd7348b79e7f4cfae216cc63f3e79c9.dll
Size

184KB
MD5

949731bc33ea635a871c8776033cdfc0
SHA1

91ba83e7bea0b30a6f15e38e3177572f5799cc4c
SHA256

1f3e35bc9dcd89456b88298823eba1cfcfd7348b79e7f4cfae216cc63f3e79c9
SHA512

91fae54aeb48b77a1f5cc051aa912dc8d00ee1cd856b61fbda9aafaadb4f14c073eb97203afd7bf6986edf1baf6fa577d3aecdd8177ca0ee215e33e3bad3528f
SSDEEP

1536:wx/2gYgKckAQOrCgk3U5h9NlWq9pFqSVAI8rQqZVu6EyqS:s2gdbQrUTE2F9AIsxbu6Eyq

Score

5^/10

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\cdp3.dll	rundll32.exe
File opened for modification	C:\Windows\cdp3.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "1f3e35bc9dcd89456b88298823eba1cfcfd7348b79e7f4cfae216cc63f3e79c9.dll,1303464799,1869243552,-1814625877"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1348	1776	rundll32.exe	28
PID 1776 wrote to memory of 1348	1776	rundll32.exe	28
PID 1776 wrote to memory of 1348	1776	rundll32.exe	28
PID 1776 wrote to memory of 1348	1776	rundll32.exe	28
PID 1776 wrote to memory of 1348	1776	rundll32.exe	28
PID 1776 wrote to memory of 1348	1776	rundll32.exe	28
PID 1776 wrote to memory of 1348	1776	rundll32.exe	28
PID 1348 wrote to memory of 2024	1348	rundll32.exe	29
PID 1348 wrote to memory of 2024	1348	rundll32.exe	29
PID 1348 wrote to memory of 2024	1348	rundll32.exe	29
PID 1348 wrote to memory of 2024	1348	rundll32.exe	29
PID 1348 wrote to memory of 2024	1348	rundll32.exe	29
PID 1348 wrote to memory of 2024	1348	rundll32.exe	29
PID 1348 wrote to memory of 2024	1348	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f3e35bc9dcd89456b88298823eba1cfcfd7348b79e7f4cfae216cc63f3e79c9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f3e35bc9dcd89456b88298823eba1cfcfd7348b79e7f4cfae216cc63f3e79c9.dll,#1
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\cdp3.dll",_RunAs@16
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2024

C:\Windows\cdp3.dll

Filesize
184KB

MD5
949731bc33ea635a871c8776033cdfc0

SHA1
91ba83e7bea0b30a6f15e38e3177572f5799cc4c

SHA256
1f3e35bc9dcd89456b88298823eba1cfcfd7348b79e7f4cfae216cc63f3e79c9

SHA512
91fae54aeb48b77a1f5cc051aa912dc8d00ee1cd856b61fbda9aafaadb4f14c073eb97203afd7bf6986edf1baf6fa577d3aecdd8177ca0ee215e33e3bad3528f

Download Submit
memory/1348-54-0x0000000000000000-mapping.dmp

Download
memory/1348-55-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1348-56-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/1348-61-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/2024-57-0x0000000000000000-mapping.dmp

Download
memory/2024-60-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/2024-62-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download