Analysis

max time kernel: 0s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02-10-2024 05:17
Static task: static1

Behavioral task: behavioral1
  Sample: UltraUXThemePatcher_4.4.2.exe
  Resource: win11-20240802-en

Behavioral task: behavioral2
  Sample: $PLUGINSDIR/SysRestore.dll
  Resource: win11-20240802-en

Behavioral task: behavioral3
  Sample: $PLUGINSDIR/System.dll
  Resource: win11-20240802-en

Behavioral task: behavioral4
  Sample: $PLUGINSDIR/nsDialogs.dll
  Resource: win11-20240802-en

Behavioral task: behavioral5
  Sample: $PLUGINSDIR/nsisFile.dll
  Resource: win11-20240802-en
General

Target: $PLUGINSDIR/nsisFile.dll
Size: 5KB
MD5: b7d0d765c151d235165823b48554e442
SHA1: fe530e6c6fd60392d4ce611b21ec9daad3f1bc84
SHA256: a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587
SHA512: 5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66
SSDEEP: 48:a+guelvxkcuEkVy5wM4zL5stbmaN0QpUFdAwsj1gAtl/lSFc/H9UhV0n:3CBxIEkVQwzR2300URs5ldSFcv9c
Malware Config

Signatures

Program crash (1 IoCs)
Processes:
  pid   pid_target   Process        procid_target
  1364  5012         WerFault.exe   78

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                        Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                      pid    Process        procid_target
  PID 3188 wrote to memory of 5012   3188   rundll32.exe   78
  PID 3188 wrote to memory of 5012   3188   rundll32.exe   78
  PID 3188 wrote to memory of 5012   3188   rundll32.exe   78
Processes

C:\Windows\system32\rundll32.exe (PID 3188)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 5012)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1
    Signatures: System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe (PID 1364)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 448
      Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 480)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5012 -ip 5012