Windows Analysis Report
iepdf32.dll

Overview

General Information

Sample name: iepdf32.dll
Analysis ID: 1579542
MD5: dcd66a6ee58bdda0a8affe5ce3becabd
SHA1: 083e497458a12954f126b8c1831f6256094b3664
SHA256: 5b08f88041a6f6cb43d56bddb86faadb79b435f04b3679d92c03be2bbfbbe9a0
Tags: dll, HijackLoader, IDATLoader, user-aachum

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Switches to a custom stack to bypass stack traces
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Entry point lies outside standard sections
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: iepdf32.dll Virustotal: Detection: 11%
Source: iepdf32.dll ReversingLabs: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: iepdf32.dll Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL
Source: iepdf32.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\wgfvki
Source: iepdf32.dll Static PE information: Number of sections : 11 > 10
Source: iepdf32.dll Binary or memory string: OriginalFilenamepdfium.dll. vs iepdf32.dll
Source: classification engine Classification label: mal60.evad.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iepdf32.dll,FORM_CanRedo
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\iepdf32.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iepdf32.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iepdf32.dll,FORM_CanRedo
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iepdf32.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iepdf32.dll,FORM_CanUndo
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iepdf32.dll,FORM_DoDocumentAAction
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: iepdf32.dll Static PE information: More than 430 > 100 exports found
Source: iepdf32.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: iepdf32.dll Static file information: File size 7347200 > 1048576
Source: iepdf32.dll Static PE information: Raw size of IJTNUY is bigger than: 0x100000 < 0x700e00
Source: initial sample Static PE information: section where entry point is pointing to: IJTNUY
Source: iepdf32.dll Static PE information: section name: XRLOQX
Source: iepdf32.dll Static PE information: section name: KEBDAI
Source: iepdf32.dll Static PE information: section name: UGLZPX
Source: iepdf32.dll Static PE information: section name: YTTJAF
Source: iepdf32.dll Static PE information: section name: IIPNOC
Source: iepdf32.dll Static PE information: section name: IJTNUY

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 7280 base: E60005 value: E9 8B 2F 0A 76
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 7280 base: 76F02F90 value: E9 7A D0 F5 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7344 base: 3500005 value: E9 8B 2F A0 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7344 base: 76F02F90 value: E9 7A D0 5F 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7360 base: 2360005 value: E9 8B 2F BA 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7360 base: 76F02F90 value: E9 7A D0 45 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7420 base: 2A70005 value: E9 8B 2F 49 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7420 base: 76F02F90 value: E9 7A D0 B6 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7456 base: 4110005 value: E9 8B 2F DF 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7456 base: 76F02F90 value: E9 7A D0 20 8D
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CC6D965
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CF2DECB
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C866FEB
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CC692E8
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CC8D2D3
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C8FB4C1
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C892AB9
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C8D0AAC
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CC7766C
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CC22534
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C85D540
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C8D597A
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CCEC522
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CF073EE
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CC59A7B
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
No contacted IP infos