07c70968c66c93b6d6c9a90255e1c81a3b385632c83f53f69534b3f55212ced9

Analysis

max time kernel
125s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2023, 02:31

Target

bd83e75f_dllreflinj.dll
Size

373KB
MD5

473d65d1231ccdfa0099d463b09cf9b9
SHA1

9cbc7417fa5ce2f6d87026337fc7892e4f485819
SHA256

07c70968c66c93b6d6c9a90255e1c81a3b385632c83f53f69534b3f55212ced9
SHA512

06556787876e7078b07ab61859f87c29d78b481b8d542dcb25d4ce74fffa503d5232ff6c5eb934217b41cdf9aefb5d351b8db84612624baab635bb4a56bf50fd
SSDEEP

6144:/OwxmL8r1P1piUUXP5n1o0g08Fxr3AV/SNxBUnjF444C48t9g4/N:WwZpw/Rb8FmZWBWj/48oo

Score

10^/10

evasion trojan

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regsvr32.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 3252	2188	regsvr32.exe	83
PID 2188 wrote to memory of 3252	2188	regsvr32.exe	83
PID 2188 wrote to memory of 3252	2188	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bd83e75f_dllreflinj.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\bd83e75f_dllreflinj.dll
  2⤵
  - UAC bypass
  - Enumerates connected drives
  PID:3252