02bec7916fa848356227d27af53c8dcb88ebe54d051153bcc3f800e1862ec8a2

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:05

Target

02bec7916fa848356227d27af53c8dcb88ebe54d051153bcc3f800e1862ec8a2.dll
Size

914KB
MD5

dcc7500d66410da4c24bbb7ca0907004
SHA1

54127b1c0c499fe891679ce12ffbe9e4cbaa93ea
SHA256

02bec7916fa848356227d27af53c8dcb88ebe54d051153bcc3f800e1862ec8a2
SHA512

6d99f7db6d68869587b04b548fd76c17107fca1f1cb3aeb84816dc328590c885564b526c9dfb8adf7ad2ed9e88d92cc841458cb746e898e0a8209afc4066f880
SSDEEP

12288:7HOVwIyDpAepQU9O3eckYxzoUvzFv/DzU8/mRmp7Jvn5EUT6o:7Hww1AeiUo3echxkUtUxR2Ey6o

Score

10^/10

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2312	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 2312	4336	rundll32.exe	82
PID 4336 wrote to memory of 2312	4336	rundll32.exe	82
PID 4336 wrote to memory of 2312	4336	rundll32.exe	82

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\02bec7916fa848356227d27af53c8dcb88ebe54d051153bcc3f800e1862ec8a2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\02bec7916fa848356227d27af53c8dcb88ebe54d051153bcc3f800e1862ec8a2.dll,#1
  2⤵
  - UAC bypass
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2312