Edit tour
Windows
Analysis Report
UxTheme.dll.dll
Overview
General Information
| Sample name: | UxTheme.dll.dll (renamed file extension from exe to dll) |
| Original sample name: | UxTheme.dll.exe |
| Analysis ID: | 1468058 |
| MD5: | 336bed2506b03c75235a8549888e64b9 |
| SHA1: | da0808fe16c9b3cf20a133d56343d45bf0faf8ea |
| SHA256: | d25d0df1669dc0f2c1eff862518b263fb3ced9e4ec2a150de6af06939dd9738e |
| Tags: | exe |
| Infos: |  |
 | |
Detection
CobaltStrike
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Entry point lies outside standard sections
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
loaddll64.exe (PID: 3868 cmdline: loaddll64. exe "C:\Us ers\user\D esktop\UxT heme.dll.d ll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52) 
conhost.exe (PID: 6700 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7132 cmdline:
cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\UxT heme.dll.d ll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
rundll32.exe (PID: 6376 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",#1 MD5: EF3179D498793BF4234F708D3BE28633) - regsvr32.exe (PID: 6472 cmdline:
regsvr32.e xe /s C:\U sers\user\ Desktop\Ux Theme.dll. dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E) - rundll32.exe (PID: 6536 cmdline:
rundll32.e xe C:\User s\user\Des ktop\UxThe me.dll.dll ,BeginBuff eredAnimat ion MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 4116 cmdline:
rundll32.e xe C:\User s\user\Des ktop\UxThe me.dll.dll ,BeginBuff eredPaint MD5: EF3179D498793BF4234F708D3BE28633) 
WerFault.exe (PID: 4348 cmdline: C:\Windows \system32\ WerFault.e xe -u -p 4 116 -s 416 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0) - rundll32.exe (PID: 4812 cmdline:
rundll32.e xe C:\User s\user\Des ktop\UxThe me.dll.dll ,BeginPann ingFeedbac k MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 1280 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",BeginBu fferedAnim ation MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 4544 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",BeginBu fferedPain t MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6604 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",BeginPa nningFeedb ack MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6788 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",UpdateS ignature MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 3644 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",UpdateP anningFeed back MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6116 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",ThemeIn itApiHook MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 5216 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",SetWind owThemeAtt ribute MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6592 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",SetWind owTheme MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 788 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",SetThem eAppProper ties MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6272 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",OpenThe meDataForD pi MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 5340 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",OpenThe meDataEx MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 5380 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",OpenThe meData MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 2340 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",IsTheme PartDefine d MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 2024 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",IsTheme DialogText ureEnabled MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6596 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",IsTheme Background PartiallyT ransparent MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 4904 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",IsTheme Active MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 1352 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",IsCompo sitionActi ve MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6516 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",IsAppTh emed MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 5684 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",HitTest ThemeBackg round MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 3920 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",GetWind owTheme MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 3732 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",GetUser ColorPrefe rence MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6376 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",GetThem eTransitio nDuration MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6916 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",GetThem eTimingFun ction MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 4512 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",GetThem eTextMetri cs MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 7116 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",GetThem eTextExten t MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 792 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",GetThem eSysString MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 1424 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",GetThem eSysSize MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 1652 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",GetThem eSysInt MD5: EF3179D498793BF4234F708D3BE28633) - rundll32.exe (PID: 6464 cmdline:
rundll32.e xe "C:\Use rs\user\De sktop\UxTh eme.dll.dl l",GetThem eSysFont MD5: EF3179D498793BF4234F708D3BE28633)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Cobalt Strike, CobaltStrike | Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. |
{"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 60000, "MaxGetSize": 11456204, "Jitter": 51, "C2Server": "us-central1-keepass-415209.cloudfunctions.net,/keepasswork/api/v1/metadata/private", "HttpPostUri": "/keepasswork/api/v1/metadata/user/avatar", "Malleable_C2_Instructions": ["Remove 2 bytes from the end", "Remove 60 bytes from the beginning", "Base64 URL-safe decode", "XOR mask w/ random key", "NetBIOS decode 'a'"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\WerFault.exe -u -p 1324 -s 1528", "Spawnto_x64": "%windir%\\sysnative\\WerFault.exe -u -p 1324 -s 1528", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 628807914, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": "2024-03-31", "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 379133, "ProcInject_PrependAppend_x86": ["kJCQkJCQkJCQ", "kJCQkJCQkJCQ"], "ProcInject_PrependAppend_x64": ["kJCQkJCQkJCQ", "kJCQkJCQkJCQ"], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "NtQueueApcThread", "RtlCreateUserThread", "SetThreadContext", "CreateRemoteThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": "Host: us-central1-keepass-415209.cloudfunctions.net\r\n"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security | ||
| JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
| Windows_Trojan_CobaltStrike_663fc95d | Identifies CobaltStrike via unidentified function code | unknown |
| |
| Windows_Trojan_CobaltStrike_663fc95d | Identifies CobaltStrike via unidentified function code | unknown |
| |
| JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
| Click to see the 13 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security | ||
| JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
| Windows_Trojan_CobaltStrike_663fc95d | Identifies CobaltStrike via unidentified function code | unknown |
| |
| JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security | ||
| JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
| Click to see the 13 entries | ||||
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Binary string: | ||