Malware Analysis Report

2024-09-11 07:24

Sample ID 240527-vc3ptsaf6y
Target UltraUXThemePatcher_4.4.2.exe
SHA256 48fb5c4c2a2e6ab49bb10c599d69ab614d2c69f91854e00adaf5508d9ee14f7a
Tags
discovery exploit
Score
8/10


Analysis Overview

Score
8/10

SHA256

48fb5c4c2a2e6ab49bb10c599d69ab614d2c69f91854e00adaf5508d9ee14f7a

Threat Level: Likely malicious

The file UltraUXThemePatcher_4.4.2.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Loads dropped DLL

Modifies file permissions

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-27 16:51

Signatures

Unsigned PE

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

133s

Max time network

135s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4748 wrote to memory of 4988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mspaint.exe
PID 4748 wrote to memory of 4988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mspaint.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

133s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 3800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5036 wrote to memory of 3800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5036 wrote to memory of 3800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 644

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

134s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1820 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1820 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 50.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

129s

Max time network

136s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$TEMP\image.bmp

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5112 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mspaint.exe
PID 5112 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mspaint.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$TEMP\image.bmp

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\$TEMP\image.bmp"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

134s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe"

Signatures

Possible privilege escalation attempt

Tag: exploit

Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies file permissions

Tag: discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Checks installed software on the system

Tag: discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\themeui.dll.backup C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File opened for modification C:\Windows\system32\themeui.dll.old C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File created C:\Windows\System32\themeui.dll.backup C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File created C:\Windows\System32\themeui.dll.new C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File opened for modification C:\Windows\system32\themeui.dll.new C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File created C:\Windows\System32\uxinit.dll.backup C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File created C:\Windows\System32\uxinit.dll.new C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File opened for modification C:\Windows\system32\uxinit.dll.new C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File opened for modification C:\Windows\system32\uxinit.dll.old C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\UltraUXThemePatcher\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4272278488\2581520266.pri C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 920 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\icacls.exe
PID 920 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\icacls.exe
PID 920 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\icacls.exe
PID 920 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\icacls.exe
PID 920 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 920 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe

Uses Volume Shadow Copy service COM API

Tag: ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe

"C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:F

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxinit.dll" /grant Admin:F

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 50.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 watson.telemetry.microsoft.com udp
US 20.189.173.20:443 watson.telemetry.microsoft.com tcp
US 8.8.8.8:53 20.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

\Users\Admin\AppData\Local\Temp\nsg708E.tmp\System.dll

MD5 192639861e3dc2dc5c08bb8f8c7260d5
SHA1 58d30e460609e22fa0098bc27d928b689ef9af78
SHA256 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA512 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

\Users\Admin\AppData\Local\Temp\nsg708E.tmp\nsisFile.dll

MD5 b7d0d765c151d235165823b48554e442
SHA1 fe530e6c6fd60392d4ce611b21ec9daad3f1bc84
SHA256 a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587
SHA512 5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66

\Users\Admin\AppData\Local\Temp\nsg708E.tmp\nsDialogs.dll

MD5 b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA1 15ab5219c0e77fd9652bc62ff390b8e6846c8e3e
SHA256 89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
SHA512 6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

\Users\Admin\AppData\Local\Temp\nsg708E.tmp\SysRestore.dll

MD5 4310bd09fc2300b106f0437b6e995330
SHA1 c6790a68e410d4a619b9b59e7540b702a98ad661
SHA256 c686b4df9b4db50fc1ddb7be4cd50d4b1d75894288f4dc50571b79937d7c0d7e
SHA512 49e286ccd285871db74867810c9cf243e3c1522ce7b4c0d1d01bafe72552692234cf4b4d787b900e9c041b8a2c12f193b36a6a35c64ffd5deef0e1be9958b1f7

C:\Windows\System32\themeui.dll.new

MD5 3350fb97f17d354efaf67bd969b7a0d5
SHA1 213bcc525e91dd1cc3e2468d52d51deca6c923aa
SHA256 de6abddc242d9debf0d2b89d962a1c45cf41a57f6b9659eeedc6748f1b4d0ac6
SHA512 0c18d373781876a61d018c19b0c3060746cc0c9b8d053877a7d7d3427eb64cae33245c9c4074c8150088e617bfc37946868be362ae10f705a2a43b9908be5d4f

C:\Windows\System32\uxinit.dll.new

MD5 de67ac947b89d6f70cca4ec5a6b1f8ad
SHA1 79e71326f6131132d7b6a2113d32ee576913542e
SHA256 ded8fdb7bdc8192db3d740b052197995df1703374663342bc44bf315e937d2e7
SHA512 7b027d34988229680dd7fdd6866b9ff26dc418cde1d6c63488c149e99a39fa87bd9c175c02b3ae5d33751fbcd2132dce9dd5b470ae363d6f5af28a239af49b24

C:\Users\Admin\AppData\Local\Temp\nsg708E.tmp\modern-wizard.bmp

MD5 5f728e4e6b970db76c64be8ca3cafc87
SHA1 b7481efd9f6938903214451d792a8b13a645c922
SHA256 aea40659bdb08337064640ea8b4f171881d37456b37b3e2899349ac04f0889c5
SHA512 2cc4e870290f8faddc8eca1a03a1efb34711b3951e263a79f259fd998a9a1f957dbf58c110c5fe64febd414ec7a22e125353f9d5c363866bd0d4298452fdadc8

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

134s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 4560 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 748 wrote to memory of 4560 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 748 wrote to memory of 4560 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 16:51

Reported

2024-05-27 16:54

Platform

win10-20240404-en

Max time kernel

79s

Max time network

80s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A