Overview

overview

8

Static

static

7

ab40b4d665...18.exe

windows7-x64

3

ab40b4d665...18.exe

windows10-2004-x64

3

$PLUGINSDIR/Aero.dll

windows7-x64

5

$PLUGINSDIR/Aero.dll

windows10-2004-x64

5

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...md.dll

windows7-x64

3

$PLUGINSDI...md.dll

windows10-2004-x64

3

$PLUGINSDI...mp.exe

windows7-x64

1

$PLUGINSDI...mp.exe

windows10-2004-x64

3

$PLUGINSDIR/RP.exe

windows7-x64

4

$PLUGINSDIR/RP.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...er.exe

windows7-x64

$PLUGINSDI...er.exe

windows10-2004-x64

7

$PLUGINSDIR/Aero.dll

windows7-x64

5

$PLUGINSDIR/Aero.dll

windows10-2004-x64

5

$PLUGINSDI...on.dll

windows7-x64

3

$PLUGINSDI...on.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...le.dll

windows7-x64

3

$PLUGINSDI...le.dll

windows10-2004-x64

3

Uninstall.exe

windows7-x64

Uninstall.exe

windows10-2004-x64

$PLUGINSDI...on.dll

windows7-x64

3

$PLUGINSDI...on.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    53s
  • max time network
    55s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2024 06:06

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    $PLUGINSDIR/UXTheme Patcher.exe

  • Size

    155KB

  • MD5

    3156c1dfc05cb509aad5cc94a77511ee

  • SHA1

    e9be935ea42141277d618e02f49fb77df56d7279

  • SHA256

    602fa4344d7fdb830e6c0f8b1f94c38fae71adf75a194bd6e86028d849677744

  • SHA512

    e043ce7e2a84d960632abd9abc56baa8b749cb75951ad655620c660583a9dbcadf0b8d73f5ea83a505cedd41a5ce2ffe760375836844fac2ec85d3d1897a07d0

  • SSDEEP

    3072:WQIURTXJ6stVm12xqQzIQsAYG33xb6nCaPpVti4pfUtcT1Gt+4:WsdtEgxn2ngxb6nCaPpVtiCcMI3

Score
8/10
defense_evasiondiscoveryexploitupx

Malware Config

Signatures

  • Possible privilege escalation attempt 6 IoCs
    exploit
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 64 IoCs
  • Modifies file permissions 1 TTPs 6 IoCs
    discovery
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
    defense_evasion
  • Drops file in System32 directory 12 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UXTheme Patcher.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\system32\takeown.exe
      "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxtheme.dll"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:444
    • C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxtheme.dll" /grant Admin:f
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1476
    • C:\Windows\system32\takeown.exe
      "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2792
    • C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:f
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2732
    • C:\Windows\system32\takeown.exe
      "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeservice.dll"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2296
    • C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeservice.dll" /grant Admin:f
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2396
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1916
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2996

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nstA4D9.tmp\modern-wizard.bmp
        Filesize

        201KB

        MD5

        5f728e4e6b970db76c64be8ca3cafc87

        SHA1

        b7481efd9f6938903214451d792a8b13a645c922

        SHA256

        aea40659bdb08337064640ea8b4f171881d37456b37b3e2899349ac04f0889c5

        SHA512

        2cc4e870290f8faddc8eca1a03a1efb34711b3951e263a79f259fd998a9a1f957dbf58c110c5fe64febd414ec7a22e125353f9d5c363866bd0d4298452fdadc8

        Download Submit

      • C:\Windows\System32\themeservice.dll.new
        Filesize

        43KB

        MD5

        bf69cdedb4f36015e43dc8117134f058

        SHA1

        717b59942919209a01dc88218bb9e28517ff63c5

        SHA256

        b9737b8b11687bc241e150a1a9eceee0fa979dd4ab30c01e335f970564f0c3c7

        SHA512

        2cfce2abcd9806275f44ad2df6f5259a9e02e88802e7c4359665ae415dfa88d478447eea80d81c12f130c544c8a8a71a2706d95ce4cccf5e5d0180b464a3629c

        Download Submit

      • C:\Windows\System32\themeui.dll.new
        Filesize

        2.7MB

        MD5

        274c75ff99e6bc973232dfb4d450cdcd

        SHA1

        e000812516d3d60d6fcf340f34d13f51e4d23912

        SHA256

        35415d2a7d97ac2fd9ccfe28a93c3aff0f4fa9d83636699b4d89139dc9d23f34

        SHA512

        f1e922c74725e29f980a63c369c86f8d56e91e7f83652830633941f918777207ec2941ba91fe2a3e259851f45d92defde538f31324788aba4cce051247a674a2

        Download Submit

      • C:\Windows\System32\uxtheme.dll.new
        Filesize

        324KB

        MD5

        2e08363a75712e753f4d5b3b34531584

        SHA1

        323190cd2c21152df3dedfee1ca701f11e355a01

        SHA256

        66fd0a342d0c56f2d73edc7ee4c0f7dc3c8ab3ab77be1a8f5083f6984f4be754

        SHA512

        b8c00275a61236de4145007f7301dff452300ba3d7807684ac226ab2a61e3712223f31c6f431346a5e452ddd5585aa867d2e2b6b1b7c147b24ce110ca6615dc3

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nstA4D9.tmp\Aero.dll
        Filesize

        6KB

        MD5

        243bf44688b131c3171f2827a93e39dc

        SHA1

        07e9c7bd16ae47953e42c06ae2606de188386f35

        SHA256

        04a577df50431eb0ff6fb103566402bf66c50415bcc1f8a86b9c235053131455

        SHA512

        a1a8c21d38c54a43d1c6c394f481dfbddcb359c617e9928ecca8f84d47354616a78d20735a1fe7bebd21626c21cf96d0e1a69e3e98f6b35f2a774cc0244f9516

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nstA4D9.tmp\GetVersion.dll
        Filesize

        9KB

        MD5

        225f776172f1baccd2721a6e5d512b36

        SHA1

        2dbbc86f7b0285682880a627b56a75de09f4bed6

        SHA256

        ecfcbe30f5b248673f9cbebb734b9981ed14b06380ea787c563d67b30e2d069e

        SHA512

        4b99a5ac68122501a5913cf54bd3ae99d851d57656b0e136980122739cceef739fa2d5ea097f2442068b9489a4c25ea0884653c41d85f27f25996792bf6c21bb

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nstA4D9.tmp\System.dll
        Filesize

        11KB

        MD5

        c17103ae9072a06da581dec998343fc1

        SHA1

        b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

        SHA256

        dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

        SHA512

        d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nstA4D9.tmp\nsDialogs.dll
        Filesize

        9KB

        MD5

        c10e04dd4ad4277d5adc951bb331c777

        SHA1

        b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

        SHA256

        e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

        SHA512

        853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nstA4D9.tmp\nsisFile.dll
        Filesize

        5KB

        MD5

        a35adabef191a1d5870096543ffc18ec

        SHA1

        76a77d50b8f0be5a77fdb7b71a661a356ead1b7f

        SHA256

        bb5be80416d8e381fbcb0f03ea3433d94a75786e3842e8cfe1b7b8bd57354457

        SHA512

        97eb8186abc0ae5a6c1858b78042c41fa377dea33ea0bae3c6957b7a22486ba0f1e0a4a43d817627bbba85d5de786c82e05d7505dc7df62bff51439fd0f8401c

        Download Submit

      • memory/2384-18-0x00000000746B0000-0x00000000746BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2384-25078-0x00000000746B0000-0x00000000746B9000-memory.dmp

        Filesize

        36KB

        Download