Windows Analysis Report
iepdf32.dll

Overview

General Information

Sample name: iepdf32.dll
Analysis ID: 1579543
MD5: 2ae9f27410e7f9ed6dd4fcf511ef4fc7
SHA1: f8a0771d8a729e22ff228353001fef92c37386c2
SHA256: 2e7e4647b012766db1f0fe4e626becfdff223d0eff71b9500d302b37ed939070
Tags: dllHijack, Loader, IDATLoader, user-aachum

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Switches to a custom stack to bypass stack traces
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Entry point lies outside standard sections
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: iepdf32.dll ReversingLabs: Detection: 28%
Source: iepdf32.dll Virustotal: Detection: 16%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.2% probability
Source: iepdf32.dll Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL
Source: iepdf32.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\wgfvki
Source: iepdf32.dll Static PE information: Number of sections : 11 > 10
Source: iepdf32.dll Binary or memory string: OriginalFilenamepdfium.dll. vs iepdf32.dll
Source: classification engine Classification label: mal60.evad.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_03
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iepdf32.dll,FORM_CanRedo
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\iepdf32.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iepdf32.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\iepdf32.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iepdf32.dll,FORM_CanUndo
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iepdf32.dll,FORM_DoDocumentAAction
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: iepdf32.dll Static PE information: More than 430 > 100 exports found
Source: iepdf32.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: iepdf32.dll Static file information: File size 7314944 > 1048576
Source: iepdf32.dll Static PE information: Raw size of FRYTYA is bigger than: 0x100000 < 0x6f9000
Source: initial sample Static PE information: section where entry point is pointing to: FRYTYA
Source: iepdf32.dll Static PE information: section name: GAUXUD
Source: iepdf32.dll Static PE information: section name: MPOQPS
Source: iepdf32.dll Static PE information: section name: YGLGIE
Source: iepdf32.dll Static PE information: section name: GTBYPK
Source: iepdf32.dll Static PE information: section name: JKOIHB
Source: iepdf32.dll Static PE information: section name: FRYTYA

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6188 base: B50005 value: E9 8B 2F 83 76
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6188 base: 77382F90 value: E9 7A D0 7C 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3648 base: 3190005 value: E9 8B 2F 1F 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3648 base: 77382F90 value: E9 7A D0 E0 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 716 base: 2A10005 value: E9 8B 2F 97 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 716 base: 77382F90 value: E9 7A D0 68 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1948 base: 2FD0005 value: E9 8B 2F 3B 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1948 base: 77382F90 value: E9 7A D0 C4 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 2E60005 value: E9 8B 2F 52 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6308 base: 77382F90 value: E9 7A D0 AD 8B
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CBF94A3
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CA65302
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CA9E3DB
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CAD422A
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C68E2C4
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C685169
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C6D24B9
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CC03C04
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C734293
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CD5878C
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CC03D35
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CBFEA1F
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6C6E621F
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CAAB887
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
No contacted IP infos