acefee64e780cac7cf26c225e8a95697413831421acc0d6e0a36b03e7310db70

Analysis

max time kernel
164s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 20:08

Target

acefee64e780cac7cf26c225e8a95697413831421acc0d6e0a36b03e7310db70.dll
Size

27KB
MD5

87761691222f8485a044078343ce20e1
SHA1

95e026549d7530156511c6b71ca22e8285203d28
SHA256

acefee64e780cac7cf26c225e8a95697413831421acc0d6e0a36b03e7310db70
SHA512

ad349501961da01c1310c201d10ef549d1767676410240b9c2369fc32a574d4b2a309705dfc27a02e92caa6c421b698e42d18ec165466053774b4ea8c3e081e2
SSDEEP

768:IuW3YLera9UR71m+tGrJRN4AloFWq6vLluV1rKo5h0L:IuWoCrWUR7Q+UMAYWq6DlubKKWL

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
3576	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\pdfshlex.dll	rundll32.exe
File opened for modification	C:\Windows\pdfshlex.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "acefee64e780cac7cf26c225e8a95697413831421acc0d6e0a36b03e7310db70.dll,1293173270,499387078,-1814625877"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 3264	2604	rundll32.exe	79
PID 2604 wrote to memory of 3264	2604	rundll32.exe	79
PID 2604 wrote to memory of 3264	2604	rundll32.exe	79
PID 3264 wrote to memory of 3576	3264	rundll32.exe	81
PID 3264 wrote to memory of 3576	3264	rundll32.exe	81
PID 3264 wrote to memory of 3576	3264	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acefee64e780cac7cf26c225e8a95697413831421acc0d6e0a36b03e7310db70.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\acefee64e780cac7cf26c225e8a95697413831421acc0d6e0a36b03e7310db70.dll,#1
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\pdfshlex.dll",_RunAs@16
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3576

C:\Windows\pdfshlex.dll

Filesize
27KB

MD5
87761691222f8485a044078343ce20e1

SHA1
95e026549d7530156511c6b71ca22e8285203d28

SHA256
acefee64e780cac7cf26c225e8a95697413831421acc0d6e0a36b03e7310db70

SHA512
ad349501961da01c1310c201d10ef549d1767676410240b9c2369fc32a574d4b2a309705dfc27a02e92caa6c421b698e42d18ec165466053774b4ea8c3e081e2

Download Submit
C:\Windows\pdfshlex.dll

Filesize
27KB

MD5
87761691222f8485a044078343ce20e1

SHA1
95e026549d7530156511c6b71ca22e8285203d28

SHA256
acefee64e780cac7cf26c225e8a95697413831421acc0d6e0a36b03e7310db70

SHA512
ad349501961da01c1310c201d10ef549d1767676410240b9c2369fc32a574d4b2a309705dfc27a02e92caa6c421b698e42d18ec165466053774b4ea8c3e081e2

Download Submit
memory/3264-133-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download
memory/3264-138-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download
memory/3576-137-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download