Malware Analysis Report

2024-12-07 14:39

Sample ID 241007-glspbstbjb
Target UltraUXThemePatcher_4.4.3.exe
SHA256 431675fcbb448567fafc83fee2b93c620ab7a7f5d3d7a7c7b922fec52d58deb2
Tags: discovery defense_evasion exploit
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10

SHA256: 431675fcbb448567fafc83fee2b93c620ab7a7f5d3d7a7c7b922fec52d58deb2

Threat Level: Likely malicious

The file UltraUXThemePatcher_4.4.3.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery defense_evasion exploit

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Loads dropped DLL

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

How these signatures map onto the detonations below: the privilege-escalation and permission-modification entries fire on takeown.exe /f and icacls.exe /grant Admin:F run by the sample against C:\Windows\system32\themeui.dll and C:\Windows\system32\uxinit.dll, alongside the .backup/.new/.old copies it stages in System32 (behavioral1). The Volume Shadow Copy entry fires on vssvc.exe and srtasks.exe ExecuteScopeRestorePoint, that is, a restore point being created; no shadow-copy deletion or file encryption is recorded. The Program crash entries come from the four plugin-DLL runs (behavioral2 to behavioral5), in which rundll32.exe invoked export #1 of an extracted NSIS plugin outside the installer and crashed. Network activity in every run is limited to reverse-DNS (PTR) queries to 8.8.8.8, with no connection attributed to the sample.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 05:53

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator, process or target recorded: this is a static property of the submitted file, which carries no Authenticode signature)

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-07 05:53

Reported

2024-10-07 05:55

Platform

win10v2004-20240802-es

Max time kernel

53s

Max time network

55s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

The crashing process is the 32-bit rundll32.exe (PID 1260, matching the -p 1260 WerFault.exe command lines under Processes), launched by the 64-bit rundll32.exe to call export #1 of nsisFile.dll. That DLL is an NSIS plugin extracted to $PLUGINSDIR; its export expects the NSIS plugin calling convention (parent window, string size, variables, stack) rather than rundll32's arguments, so invoked bare it faults. This run therefore shows how the sandbox handled an extracted plugin, not behaviour of the installer.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1584 wrote to memory of 1260 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisFile.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1260 -ip 1260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,4879762769355355036,5727689225362452198,262144 --variations-seed-version --mojo-platform-channel-handle=3996 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 05:53

Reported

2024-10-07 05:54

Platform

win10v2004-20240802-es

Max time kernel

35s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe (4 invocations) N/A
N/A N/A C:\Windows\system32\icacls.exe (2 invocations) N/A

The report leaves the indicator column empty; the command lines behind these six rows are listed under Processes: takeown.exe /f followed by icacls.exe /grant Admin:F against C:\Windows\system32\themeui.dll and C:\Windows\system32\uxinit.dll, each spawned directly by the sample's process (PID 4152 in the WriteProcessMemory rows).

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe (4 invocations) N/A
N/A N/A C:\Windows\system32\icacls.exe (2 invocations) N/A
(the same six takeown.exe/icacls.exe invocations as the privilege-escalation rows above)

Checks installed software on the system

discovery

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\uxinit.dll.backup C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A
File created C:\Windows\System32\uxinit.dll.new C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A
File opened for modification C:\Windows\system32\uxinit.dll.new C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A
File opened for modification C:\Windows\system32\uxinit.dll.old C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A
File created C:\Windows\System32\themeui.dll.backup C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A
File opened for modification C:\Windows\System32\themeui.dll.backup C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A
File created C:\Windows\System32\themeui.dll.new C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A
File opened for modification C:\Windows\system32\themeui.dll.new C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A
File opened for modification C:\Windows\system32\themeui.dll.old C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A

For both themeui.dll and uxinit.dll the sample creates a .backup and a .new sidecar and opens .new and .old for modification, consistent with the original DLL being renamed aside and the staged copy swapped in once takeown.exe/icacls.exe (Processes) have made the originals writable. The SHA256 values of the two .new files are listed under Files and are the most direct host indicators of this run.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\UltraUXThemePatcher\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Every row here belongs to vssvc.exe, the Volume Shadow Copy service, caching partition-table and snapshot data for the disk while a snapshot is taken; the sample itself does not touch these keys. The activity is a by-product of the restore point created in this run (see srtasks.exe under Processes).

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4152 wrote to memory of 2492 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe C:\Windows\system32\takeown.exe
PID 4152 wrote to memory of 1200 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe C:\Windows\system32\icacls.exe
PID 4152 wrote to memory of 2860 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe C:\Windows\system32\takeown.exe
PID 4152 wrote to memory of 4760 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe C:\Windows\system32\takeown.exe
PID 4152 wrote to memory of 3216 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe C:\Windows\system32\icacls.exe
PID 4152 wrote to memory of 2820 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe C:\Windows\system32\takeown.exe

Every target PID is a takeown.exe or icacls.exe child that the sample (PID 4152) launched itself; the writes are consistent with what CreateProcess writes into a newly created child, not with injection into a pre-existing, unrelated process.

Uses Volume Shadow Copy service COM API

ransomware

The tag reflects the API family, not observed ransomware behaviour: in this run the VSS COM API serves the restore point created through srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 (the installer extracts SysRestore.dll, an NSIS plugin whose purpose is creating restore points; see Files), and the report records no shadow-copy deletion and no file encryption.

Processes

C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe

"C:\Users\Admin\AppData\Local\Temp\UltraUXThemePatcher_4.4.3.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:F

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxinit.dll" /grant Admin:F

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxinit.dll"

Network

All recorded traffic is reverse-DNS (PTR) lookups sent to 8.8.8.8; no connection is attributed to the sample's processes and no non-DNS destination appears.

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 246.197.219.23.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nshA579.tmp\System.dll

MD5 192639861e3dc2dc5c08bb8f8c7260d5
SHA1 58d30e460609e22fa0098bc27d928b689ef9af78
SHA256 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA512 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

C:\Users\Admin\AppData\Local\Temp\nshA579.tmp\nsisFile.dll

MD5 b7d0d765c151d235165823b48554e442
SHA1 fe530e6c6fd60392d4ce611b21ec9daad3f1bc84
SHA256 a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587
SHA512 5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66

C:\Users\Admin\AppData\Local\Temp\nshA579.tmp\nsDialogs.dll

MD5 b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA1 15ab5219c0e77fd9652bc62ff390b8e6846c8e3e
SHA256 89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
SHA512 6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

C:\Users\Admin\AppData\Local\Temp\nshA579.tmp\SysRestore.dll

MD5 4310bd09fc2300b106f0437b6e995330
SHA1 c6790a68e410d4a619b9b59e7540b702a98ad661
SHA256 c686b4df9b4db50fc1ddb7be4cd50d4b1d75894288f4dc50571b79937d7c0d7e
SHA512 49e286ccd285871db74867810c9cf243e3c1522ce7b4c0d1d01bafe72552692234cf4b4d787b900e9c041b8a2c12f193b36a6a35c64ffd5deef0e1be9958b1f7

C:\Windows\System32\themeui.dll.new

MD5 bc377febaa39552cd323cf2d46805e91
SHA1 c812c62292c62f518a9feca5c0366b22c04aa9c3
SHA256 0970d5aaab9247f5b6c63534cb29ff6e1b2b99ba0e4d96bc69eae895e67237c3
SHA512 5c5adb024d051eea9d16dc6411a1445359e5d219c3776fddefc51ea098a2d3c9db4dee22db382976e6911ec159a09bebe4f6249b36a77891d69a490cd0a8eed7

C:\Windows\System32\uxinit.dll.new

MD5 1249ecbaa8441b5f2425ca165b18bff3
SHA1 388fb66c58dedbd29e0b300406e7d20b2c7e8f6c
SHA256 79bfb188b481a28bfa4fced64dc45eaa7fab7b0c5f435e85b02025ae6910377a
SHA512 8b75fa4df32fad47f249fa581b5a969cdf78df84bfe9e95f8bdcfbbe00a38da4c3711d797028a1f63d8cccf6cdbc40594c26aadf0ba419782b2991a474ba5c4c

C:\Users\Admin\AppData\Local\Temp\nshA579.tmp\modern-wizard.bmp

MD5 5f728e4e6b970db76c64be8ca3cafc87
SHA1 b7481efd9f6938903214451d792a8b13a645c922
SHA256 aea40659bdb08337064640ea8b4f171881d37456b37b3e2899349ac04f0889c5
SHA512 2cc4e870290f8faddc8eca1a03a1efb34711b3951e263a79f259fd998a9a1f957dbf58c110c5fe64febd414ec7a22e125353f9d5c363866bd0d4298452fdadc8
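The .new and .backup files under C:\Windows\System32, with the hashes above, are the durable artifacts a host keeps after running this installer. The following is an added example, not from the report or the project: a sweep that walks a directory tree for <name>.dll.new/.backup/.old sidecars, hashes each one, checks it against the SHA256 values the report lists for themeui.dll.new and uxinit.dll.new, and compares it with the live DLL it shadows to tell whether the swap has already taken place. It runs here against a constructed temporary tree of stand-in bytes rather than real DLLs, so none of the constructed files match the report's hashes; on a suspect host point sweep() at C:\Windows\System32.

```python
"""Hunt for DLL sidecar files (.new/.backup/.old) left by an in-place System32 DLL swap."""
import hashlib
import tempfile
from pathlib import Path

# SHA256 values this report lists for the staged replacement DLLs.
REPORT_SHA256 = {
    "0970d5aaab9247f5b6c63534cb29ff6e1b2b99ba0e4d96bc69eae895e67237c3": "themeui.dll.new",
    "79bfb188b481a28bfa4fced64dc45eaa7fab7b0c5f435e85b02025ae6910377a": "uxinit.dll.new",
}
SIDECAR_SUFFIXES = (".dll.new", ".dll.backup", ".dll.old")


def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=REPORT_SHA256):
    """One record per sidecar file under root, sorted by path.

    known_ioc: the report filename when the sidecar's hash is in iocs, else None.
    live_matches_sidecar: True/False when the shadowed DLL exists (same bytes or not),
    None when it does not. A .backup/.old that no longer matches the live DLL means the
    original has already been replaced; a .new that matches it means the swap is done.
    """
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        low = p.name.lower()
        suffix = next((s for s in SIDECAR_SUFFIXES if low.endswith(s)), None)
        if suffix is None:
            continue
        digest = sha256_of(p)
        live = p.with_name(p.name[: -len(suffix)] + ".dll")
        hits.append({
            "path": str(p),
            "shadows": live.name,
            "sha256": digest,
            "known_ioc": iocs.get(digest),
            "live_matches_sidecar": sha256_of(live) == digest if live.is_file() else None,
        })
    return sorted(hits, key=lambda h: h["path"])


def build_demo_tree():
    """Constructed stand-in for System32: a few files of sample bytes, not real DLLs."""
    root = Path(tempfile.mkdtemp(prefix="sys32-demo-"))
    (root / "themeui.dll").write_bytes(b"MZ original themeui")         # original still in place
    (root / "themeui.dll.backup").write_bytes(b"MZ original themeui")  # copy of the original
    (root / "themeui.dll.new").write_bytes(b"MZ patched themeui")      # staged replacement
    (root / "uxinit.dll").write_bytes(b"MZ patched uxinit")            # already swapped in
    (root / "uxinit.dll.old").write_bytes(b"MZ original uxinit")       # renamed-aside original
    (root / "example.dll.new").write_bytes(b"MZ orphan")               # sidecar with no live DLL
    (root / "kernel32.dll").write_bytes(b"MZ untouched")               # not a sidecar
    return root


if __name__ == "__main__":
    for hit in sweep(build_demo_tree()):
        print(hit)
```

A sidecar whose hash is not in the report's set is still worth examining: the hashes above belong to one build of the patcher, and the sidecar naming alone shows that a protected DLL was staged for replacement.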

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 05:53

Reported

2024-10-07 05:55

Platform

win10v2004-20240802-es

Max time kernel

34s

Max time network

35s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe
(same pattern as behavioral5: the 32-bit rundll32.exe, PID 4420, crashed calling export #1 of the extracted NSIS plugin SysRestore.dll outside the installer)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1120 wrote to memory of 4420 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SysRestore.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4420 -ip 4420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-07 05:53

Reported

2024-10-07 05:55

Platform

win10v2004-20240802-es

Max time kernel

32s

Max time network

35s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe
(same pattern as behavioral5: the 32-bit rundll32.exe, PID 1348, crashed calling export #1 of the extracted NSIS plugin System.dll outside the installer)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 1348 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-07 05:53

Reported

2024-10-07 05:55

Platform

win10v2004-20240802-es

Max time kernel

33s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe
(same pattern as behavioral5: the 32-bit rundll32.exe, PID 3516, crashed calling export #1 of the extracted NSIS plugin nsDialogs.dll outside the installer)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4404 wrote to memory of 3516 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3516 -ip 3516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 644

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp

Files

N/A