db8c5c6595d504c8ac4e4abc46a52fd4db56dba28306901d7f8db7467c1fe089

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 18:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

UserAccountControlSettings.exe
Size

86KB
MD5

478a41ec2ace22fcc12e71be0c8123c6
SHA1

201c3d4a152c46ce7b6418df2f9a196174b1af7f
SHA256

db8c5c6595d504c8ac4e4abc46a52fd4db56dba28306901d7f8db7467c1fe089
SHA512

29d408c08ee0327751ebce7ac88c22c33ef6fd508e1073855f7493254ae5bf072a638929577c71d49536f4390a6a69c211d24df1d23989a9a47a7fde74847783
SSDEEP

1536:62cr9wPgaNMr/fsfy4Bw751sNz0UCdkV/L7:hcKVNM7dI+5K

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	DllHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	DllHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	DllHost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3028	DllHost.exe
3028	DllHost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 2616	3160	DllHost.exe	86
PID 3160 wrote to memory of 2616	3160	DllHost.exe	86
PID 3160 wrote to memory of 2616	3160	DllHost.exe	86

C:\Users\Admin\AppData\Local\Temp\UserAccountControlSettings.exe
"C:\Users\Admin\AppData\Local\Temp\UserAccountControlSettings.exe"
1⤵
PID:4932

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}
1⤵
- UAC bypass
- Suspicious use of FindShellTrayWindow
PID:3028

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06C792F8-6212-4F39-BF70-E8C0AC965C23}
1⤵
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\SysWOW64\UserAccountControlSettings.exe
  "C:\Windows\system32\UserAccountControlSettings.exe" /applySettings
  2⤵
  PID:2616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads