Malware Analysis Report

2024-12-07 14:55

Sample ID 241002-fywfbasfpd
Target UltraUXThemePatcher_4.4.2.exe
SHA256 48fb5c4c2a2e6ab49bb10c599d69ab614d2c69f91854e00adaf5508d9ee14f7a
Tags
discovery defense_evasion exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

48fb5c4c2a2e6ab49bb10c599d69ab614d2c69f91854e00adaf5508d9ee14f7a

Threat Level: Likely malicious

The file UltraUXThemePatcher_4.4.2.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery defense_evasion exploit

Possible privilege escalation attempt

Modifies file permissions

Loads dropped DLL

Checks installed software on the system

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-02 05:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-02 05:17

Reported

2024-10-02 05:18

Platform

win11-20240802-en

Max time kernel

0s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3272 wrote to memory of 944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3272 wrote to memory of 944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3272 wrote to memory of 944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 944 -ip 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 552

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-02 05:17

Reported

2024-10-02 05:18

Platform

win11-20240802-en

Max time kernel

0s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3188 wrote to memory of 5012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3188 wrote to memory of 5012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3188 wrote to memory of 5012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5012 -ip 5012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 448

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-02 05:17

Reported

2024-10-02 05:18

Platform

win11-20240802-en

Max time kernel

46s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Checks installed software on the system

discovery

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\themeui.dll.backup C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File opened for modification C:\Windows\System32\themeui.dll.backup C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File created C:\Windows\System32\themeui.dll.new C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File created C:\Windows\System32\uxinit.dll.backup C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File created C:\Windows\System32\uxinit.dll.new C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File opened for modification C:\Windows\system32\uxinit.dll.old C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File opened for modification C:\Windows\system32\themeui.dll.new C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File opened for modification C:\Windows\system32\themeui.dll.old C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A
File opened for modification C:\Windows\system32\uxinit.dll.new C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\UltraUXThemePatcher\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006586dee215ef0e8b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006586dee20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809006586dee2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d6586dee2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006586dee200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3080 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 3080 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 3080 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\icacls.exe
PID 3080 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\icacls.exe
PID 3080 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 3080 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 3080 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 3080 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 3080 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\icacls.exe
PID 3080 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\icacls.exe
PID 3080 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe
PID 3080 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe C:\Windows\system32\takeown.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe

"C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.2.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:F

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxinit.dll" /grant Admin:F

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a1f855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsnCDD1.tmp\System.dll

MD5 192639861e3dc2dc5c08bb8f8c7260d5
SHA1 58d30e460609e22fa0098bc27d928b689ef9af78
SHA256 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA512 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

C:\Users\Admin\AppData\Local\Temp\nsnCDD1.tmp\nsisFile.dll

MD5 b7d0d765c151d235165823b48554e442
SHA1 fe530e6c6fd60392d4ce611b21ec9daad3f1bc84
SHA256 a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587
SHA512 5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66

C:\Users\Admin\AppData\Local\Temp\nsnCDD1.tmp\nsDialogs.dll

MD5 b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA1 15ab5219c0e77fd9652bc62ff390b8e6846c8e3e
SHA256 89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
SHA512 6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

C:\Users\Admin\AppData\Local\Temp\nsnCDD1.tmp\SysRestore.dll

MD5 4310bd09fc2300b106f0437b6e995330
SHA1 c6790a68e410d4a619b9b59e7540b702a98ad661
SHA256 c686b4df9b4db50fc1ddb7be4cd50d4b1d75894288f4dc50571b79937d7c0d7e
SHA512 49e286ccd285871db74867810c9cf243e3c1522ce7b4c0d1d01bafe72552692234cf4b4d787b900e9c041b8a2c12f193b36a6a35c64ffd5deef0e1be9958b1f7

C:\Windows\System32\themeui.dll.new

MD5 48359e4ea17198c341697a50bd359ea3
SHA1 b178b6b3317ec0365b10f4b493fd80fbc85c709e
SHA256 a168df5b361469e957a8470d68fe2c4a1b664f519e6811b3ce7931ca7f01b669
SHA512 24ddd3c396630ce820d599168f856575bec19c065f73535565898d2eefc63b7c0515d56a4defee693328cb4b8e830ad1640b33e5ab316d8cd98be3aebc958075

C:\Windows\System32\uxinit.dll.new

MD5 83f209434ea9b3f4f48f0dc498dc9a7a
SHA1 49ef0f3c6d6e76e121a4cc480737677d303f5f9b
SHA256 59a124cff1d4ebd1a0043d7652ec3a241d736489626f05415f65bae3a45a13a2
SHA512 15b58125e0803bcf1e2b0827a9544d4390c6721931b82d238f856dab07a51db11f27d64f9595bd625999863a2160934119edf5537e67799206ed248e89c438c1

C:\Users\Admin\AppData\Local\Temp\nsnCDD1.tmp\modern-wizard.bmp

MD5 5f728e4e6b970db76c64be8ca3cafc87
SHA1 b7481efd9f6938903214451d792a8b13a645c922
SHA256 aea40659bdb08337064640ea8b4f171881d37456b37b3e2899349ac04f0889c5
SHA512 2cc4e870290f8faddc8eca1a03a1efb34711b3951e263a79f259fd998a9a1f957dbf58c110c5fe64febd414ec7a22e125353f9d5c363866bd0d4298452fdadc8

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-02 05:17

Reported

2024-10-02 05:18

Platform

win11-20240802-en

Max time kernel

0s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 3392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2860 wrote to memory of 3392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2860 wrote to memory of 3392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3392 -ip 3392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 448

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-02 05:17

Reported

2024-10-02 05:18

Platform

win11-20240802-en

Max time kernel

0s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 468 wrote to memory of 2180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 468 wrote to memory of 2180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 468 wrote to memory of 2180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 460

Network

N/A

Files

N/A