91dc5221a5094dd1e1fbae2a006c2ba5882a714bb016e1653e850e4dfc9d22e3

Analysis

max time kernel
88s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25957F0047439E9CA9D1486816DCFAEB.dll
Size

469KB
MD5

25957f0047439e9ca9d1486816dcfaeb
SHA1

10567d7746547ac76abe6659a13b4ebc171e16e0
SHA256

91dc5221a5094dd1e1fbae2a006c2ba5882a714bb016e1653e850e4dfc9d22e3
SHA512

042006131965019f5709a493eea83f7dd2681f3faca0a21ec4d291f884901fc4ebe0de52a707d835a958d0bbd305192f0ff165e509d92906d2b044f1e4d47f72
SSDEEP

12288:FW7QZ+Bo1deUWdLfV3PNHVvKYfZspQUo:poo1dO/NNK+Z/

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

8 1464 rundll32.exe
11 1464 rundll32.exe
25 1464 rundll32.exe
26 1464 rundll32.exe
31 1464 rundll32.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4556 reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

flow	pid	process
8	1464	rundll32.exe
11	1464	rundll32.exe
25	1464	rundll32.exe
26	1464	rundll32.exe
31	1464	rundll32.exe

pid	process
4556	reg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 3992 wrote to memory of 1464	3992	rundll32.exe	rundll32.exe
PID 3992 wrote to memory of 1464	3992	rundll32.exe	rundll32.exe
PID 3992 wrote to memory of 1464	3992	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1228	1464	rundll32.exe	cmd.exe
PID 1464 wrote to memory of 1228	1464	rundll32.exe	cmd.exe
PID 1464 wrote to memory of 1228	1464	rundll32.exe	cmd.exe
PID 1228 wrote to memory of 4556	1228	cmd.exe	reg.exe
PID 1228 wrote to memory of 4556	1228	cmd.exe	reg.exe
PID 1228 wrote to memory of 4556	1228	cmd.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\25957F0047439E9CA9D1486816DCFAEB.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\25957F0047439E9CA9D1486816DCFAEB.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads