5b0d2e01961a6f6fa93475d20296adfa618af4486ab87431db0abf5eaa163264

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 14:08

Target

5b0d2e01961a6f6fa93475d20296adfa618af4486ab87431db0abf5eaa163264.dll
Size

903KB
MD5

8dbb372a9bb442185c4092e6de335ea0
SHA1

e7505d73f96eb2702ed3e09b95b921dc036393a6
SHA256

5b0d2e01961a6f6fa93475d20296adfa618af4486ab87431db0abf5eaa163264
SHA512

0b4e4ec5ac0246a8a3b71fd9e3aab8be37b50875f1624adde4f80ec07f93364ff2e3f28387e11d00177c1f77373277ad18d40365dfe4a430a24cc58d77685bbc
SSDEEP

12288:XtP7oB0p8IQEusymBFZuZT3DX11ki+JxLTifGO8TWzOZgBmi/BBEWPtL1oPpIRlf:XtDc0WIysjBFcZjDX1CTXOmnTVIuvmB

Score

10^/10

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2500	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 2500	1012	rundll32.exe	29
PID 1012 wrote to memory of 2500	1012	rundll32.exe	29
PID 1012 wrote to memory of 2500	1012	rundll32.exe	29
PID 1012 wrote to memory of 2500	1012	rundll32.exe	29
PID 1012 wrote to memory of 2500	1012	rundll32.exe	29
PID 1012 wrote to memory of 2500	1012	rundll32.exe	29
PID 1012 wrote to memory of 2500	1012	rundll32.exe	29

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b0d2e01961a6f6fa93475d20296adfa618af4486ab87431db0abf5eaa163264.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b0d2e01961a6f6fa93475d20296adfa618af4486ab87431db0abf5eaa163264.dll,#1
  2⤵
  - UAC bypass
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2500