Analysis Report uxtheme.bin

Overview

General Information

Sample Name: uxtheme.bin (renamed file extension from bin to dll)
Analysis ID: 356525
MD5: ceb5fbc654f39a7b9ea9c62eeecdfa19
SHA1: e1f19599ea001f2f7ee8d336edb7b114e0ef437e
SHA256: c6cfb034a82e6e4fa018dd063e7e91e47f4034248b6ad90b62219e3c367a3673
Tags: OOOFobos

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

System Summary:

PE file contains more sections than normal
Source: uxtheme.dll Static PE information: Number of sections : 17 > 10
Source: classification engine Classification label: clean2.winDLL@1/0@0/0
Source: uxtheme.dll Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: uxtheme.dll Static PE information: Image base 0x64880000 > 0x60000000

Data Obfuscation:

PE file contains an invalid checksum
Source: uxtheme.dll Static PE information: real checksum: 0x18e9e should be: 0xc2cd
PE file contains sections with non-standard names
Source: uxtheme.dll Static PE information: section name: .xdata
Source: uxtheme.dll Static PE information: section name: /4
Source: uxtheme.dll Static PE information: section name: /19
Source: uxtheme.dll Static PE information: section name: /31
Source: uxtheme.dll Static PE information: section name: /45
Source: uxtheme.dll Static PE information: section name: /57
Source: uxtheme.dll Static PE information: section name: /70

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_648815C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_648815C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_648814E0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_648814E0
Behavior Graph ID: 356525 | Sample: uxtheme.bin | Startdate: 23/02/2021 | Architecture: WINDOWS | Score: 2 | Process started: loaddll64.exe
No contacted IP infos