Analysis
-
max time kernel
0s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
02-10-2024 05:17
Static task
static1
Behavioral task
behavioral1
Sample
UltraUXThemePatcher_4.4.2.exe
Resource
win11-20240802-en
Behavioral task
behavioral2
Sample
$PLUGINSDIR/SysRestore.dll
Resource
win11-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win11-20240802-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win11-20240802-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsisFile.dll
Resource
win11-20240802-en
General
-
Target
$PLUGINSDIR/SysRestore.dll
-
Size
5KB
-
MD5
4310bd09fc2300b106f0437b6e995330
-
SHA1
c6790a68e410d4a619b9b59e7540b702a98ad661
-
SHA256
c686b4df9b4db50fc1ddb7be4cd50d4b1d75894288f4dc50571b79937d7c0d7e
-
SHA512
49e286ccd285871db74867810c9cf243e3c1522ce7b4c0d1d01bafe72552692234cf4b4d787b900e9c041b8a2c12f193b36a6a35c64ffd5deef0e1be9958b1f7
-
SSDEEP
48:S5SLAPmT5fqaB2WB2BtBAQPcPzRcCB0E3ngT2p2UlE41qSK1Gx:ASQM57LAfuQULRxB0E3gKU941LKQx
Malware Config
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 8 3392 WerFault.exe 78 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid Process procid_target PID 2860 wrote to memory of 3392 2860 rundll32.exe 78 PID 2860 wrote to memory of 3392 2860 rundll32.exe 78 PID 2860 wrote to memory of 3392 2860 rundll32.exe 78
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#12⤵
- System Location Discovery: System Language Discovery
PID:3392 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 4483⤵
- Program crash
PID:8
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3392 -ip 33921⤵PID:2516