Description	Indicator	Process	Target
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	C:\Windows\system32\cmd.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\mspaint.exe	N/A
N/A	N/A	C:\Windows\system32\mspaint.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\mspaint.exe	N/A
N/A	N/A	C:\Windows\system32\mspaint.exe	N/A
N/A	N/A	C:\Windows\system32\mspaint.exe	N/A
N/A	N/A	C:\Windows\system32\mspaint.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 4748 wrote to memory of 4988	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\mspaint.exe
PID 4748 wrote to memory of 4988	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\mspaint.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	11.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	8.179.89.13.in-addr.arpa	udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

133s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 5036 wrote to memory of 3800	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 5036 wrote to memory of 3800	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 5036 wrote to memory of 3800	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 644

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	13.251.17.2.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	36.56.20.217.in-addr.arpa	udp
US	8.8.8.8:53	8.179.89.13.in-addr.arpa	udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

134s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1

Signatures

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1820 wrote to memory of 4628	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 1820 wrote to memory of 4628	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 1820 wrote to memory of 4628	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 620

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	50.251.17.2.in-addr.arpa	udp
US	8.8.8.8:53	8.179.89.13.in-addr.arpa	udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

129s

Max time network

136s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$TEMP\image.bmp

Signatures

Drops file in Windows directory

Description	Indicator	Process	Target
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	C:\Windows\system32\mspaint.exe	N/A

Enumerates physical storage devices

Modifies registry class

Description	Indicator	Process	Target
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	C:\Windows\system32\cmd.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\mspaint.exe	N/A
N/A	N/A	C:\Windows\system32\mspaint.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\mspaint.exe	N/A
N/A	N/A	C:\Windows\system32\mspaint.exe	N/A
N/A	N/A	C:\Windows\system32\mspaint.exe	N/A
N/A	N/A	C:\Windows\system32\mspaint.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 5112 wrote to memory of 3020	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\mspaint.exe
PID 5112 wrote to memory of 3020	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\mspaint.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$TEMP\image.bmp

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\$TEMP\image.bmp"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	31.243.111.52.in-addr.arpa	udp
US	8.8.8.8:53	208.143.182.52.in-addr.arpa	udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

134s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe"

Signatures

Possible privilege escalation attempt

exploit

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\takeown.exe	N/A
N/A	N/A	C:\Windows\system32\icacls.exe	N/A
N/A	N/A	C:\Windows\system32\takeown.exe	N/A
N/A	N/A	C:\Windows\system32\takeown.exe	N/A
N/A	N/A	C:\Windows\system32\icacls.exe	N/A
N/A	N/A	C:\Windows\system32\takeown.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A

Modifies file permissions

discovery

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\takeown.exe	N/A
N/A	N/A	C:\Windows\system32\icacls.exe	N/A
N/A	N/A	C:\Windows\system32\takeown.exe	N/A
N/A	N/A	C:\Windows\system32\takeown.exe	N/A
N/A	N/A	C:\Windows\system32\icacls.exe	N/A
N/A	N/A	C:\Windows\system32\takeown.exe	N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description	Indicator	Process	Target
File opened for modification	C:\Windows\System32\themeui.dll.backup	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
File opened for modification	C:\Windows\system32\themeui.dll.old	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
File created	C:\Windows\System32\themeui.dll.backup	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
File created	C:\Windows\System32\themeui.dll.new	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
File opened for modification	C:\Windows\system32\themeui.dll.new	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
File created	C:\Windows\System32\uxinit.dll.backup	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
File created	C:\Windows\System32\uxinit.dll.new	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
File opened for modification	C:\Windows\system32\uxinit.dll.new	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A
File opened for modification	C:\Windows\system32\uxinit.dll.old	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A

Drops file in Program Files directory

Description	Indicator	Process	Target
File created	C:\Program Files (x86)\UltraUXThemePatcher\Uninstall.exe	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	N/A

Drops file in Windows directory

Description	Indicator	Process	Target
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe	N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeBackupPrivilege	N/A	C:\Windows\system32\vssvc.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\system32\vssvc.exe	N/A
Token: SeAuditPrivilege	N/A	C:\Windows\system32\vssvc.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\system32\srtasks.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\system32\srtasks.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\system32\srtasks.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\system32\srtasks.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\system32\takeown.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\system32\srtasks.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\system32\srtasks.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\system32\srtasks.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\system32\srtasks.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\system32\takeown.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 920 wrote to memory of 4956	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 4956	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 5056	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	C:\Windows\system32\icacls.exe
PID 920 wrote to memory of 5056	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	C:\Windows\system32\icacls.exe
PID 920 wrote to memory of 1516	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 1516	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 3852	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 3852	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 600	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	C:\Windows\system32\icacls.exe
PID 920 wrote to memory of 600	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	C:\Windows\system32\icacls.exe
PID 920 wrote to memory of 3520	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 3520	N/A	C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe	C:\Windows\system32\takeown.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe

"C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:F

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxinit.dll" /grant Admin:F

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	50.251.17.2.in-addr.arpa	udp
US	8.8.8.8:53	71.31.126.40.in-addr.arpa	udp
US	8.8.8.8:53	watson.telemetry.microsoft.com	udp
US	20.189.173.20:443	watson.telemetry.microsoft.com	tcp
US	8.8.8.8:53	20.173.189.20.in-addr.arpa	udp
US	8.8.8.8:53	168.117.168.52.in-addr.arpa	udp

Files

\Users\Admin\AppData\Local\Temp\nsg708E.tmp\System.dll

MD5	192639861e3dc2dc5c08bb8f8c7260d5
SHA1	58d30e460609e22fa0098bc27d928b689ef9af78
SHA256	23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA512	6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

\Users\Admin\AppData\Local\Temp\nsg708E.tmp\nsisFile.dll

MD5	b7d0d765c151d235165823b48554e442
SHA1	fe530e6c6fd60392d4ce611b21ec9daad3f1bc84
SHA256	a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587
SHA512	5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66

\Users\Admin\AppData\Local\Temp\nsg708E.tmp\nsDialogs.dll

MD5	b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA1	15ab5219c0e77fd9652bc62ff390b8e6846c8e3e
SHA256	89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
SHA512	6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

\Users\Admin\AppData\Local\Temp\nsg708E.tmp\SysRestore.dll

MD5	4310bd09fc2300b106f0437b6e995330
SHA1	c6790a68e410d4a619b9b59e7540b702a98ad661
SHA256	c686b4df9b4db50fc1ddb7be4cd50d4b1d75894288f4dc50571b79937d7c0d7e
SHA512	49e286ccd285871db74867810c9cf243e3c1522ce7b4c0d1d01bafe72552692234cf4b4d787b900e9c041b8a2c12f193b36a6a35c64ffd5deef0e1be9958b1f7

C:\Windows\System32\themeui.dll.new

MD5	3350fb97f17d354efaf67bd969b7a0d5
SHA1	213bcc525e91dd1cc3e2468d52d51deca6c923aa
SHA256	de6abddc242d9debf0d2b89d962a1c45cf41a57f6b9659eeedc6748f1b4d0ac6
SHA512	0c18d373781876a61d018c19b0c3060746cc0c9b8d053877a7d7d3427eb64cae33245c9c4074c8150088e617bfc37946868be362ae10f705a2a43b9908be5d4f

C:\Windows\System32\uxinit.dll.new

MD5	de67ac947b89d6f70cca4ec5a6b1f8ad
SHA1	79e71326f6131132d7b6a2113d32ee576913542e
SHA256	ded8fdb7bdc8192db3d740b052197995df1703374663342bc44bf315e937d2e7
SHA512	7b027d34988229680dd7fdd6866b9ff26dc418cde1d6c63488c149e99a39fa87bd9c175c02b3ae5d33751fbcd2132dce9dd5b470ae363d6f5af28a239af49b24

C:\Users\Admin\AppData\Local\Temp\nsg708E.tmp\modern-wizard.bmp

MD5	5f728e4e6b970db76c64be8ca3cafc87
SHA1	b7481efd9f6938903214451d792a8b13a645c922
SHA256	aea40659bdb08337064640ea8b4f171881d37456b37b3e2899349ac04f0889c5
SHA512	2cc4e870290f8faddc8eca1a03a1efb34711b3951e263a79f259fd998a9a1f957dbf58c110c5fe64febd414ec7a22e125353f9d5c363866bd0d4298452fdadc8

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

134s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#1

Signatures

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 748 wrote to memory of 4560	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 748 wrote to memory of 4560	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 748 wrote to memory of 4560	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 616

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	13.251.17.2.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	67.112.168.52.in-addr.arpa	udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

79s

Max time network

80s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1260 wrote to memory of 1236	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 1236	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 1236	N/A	C:\Windows\system32\rundll32.exe	C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 628

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	13.251.17.2.in-addr.arpa	udp
US	8.8.8.8:53	31.243.111.52.in-addr.arpa	udp

Files

N/A

Sample ID	240527-vc3ptsaf6y
Target	UltraUXThemePatcher_4.4.2.exe
SHA256	48fb5c4c2a2e6ab49bb10c599d69ab614d2c69f91854e00adaf5508d9ee14f7a
Tags	discovery exploit

Malware Analysis Report

2024-09-11 07:24

Table of Contents

Analysis Overview

Threat Level: Likely malicious

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files