00f66290090abad9e0c8a98e659723a29ad621862a54ff7b67dc326b4cf74ae6

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 09:56

Target

00f66290090abad9e0c8a98e659723a29ad621862a54ff7b67dc326b4cf74ae6N.dll
Size

465KB
MD5

c52987ac16d800661b0673db0e88e040
SHA1

8887a9096dd5baa81fc841fd4066978aabc66d66
SHA256

00f66290090abad9e0c8a98e659723a29ad621862a54ff7b67dc326b4cf74ae6
SHA512

5431218a44e0a26337b6ad78f4cf225c735a104751a542cb7d882e69ba711b3001d855199c7b91d6113eca2095257daacbb642cf1e84fa1c11e913f5d401782d
SSDEEP

12288:wPZmBcv4pc/FIz46LEM3b3dEeDCEjqT+PZmpM:whmqec/b65r0EEAZ

Score

10^/10

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

Disable or Modify Tools

Modify Registry

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow	pid	Process
3	2500	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

Processes:

reg.exerundll32.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

Processes:

reg.exe

pid	Process
1780	reg.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.execmd.exe

description	pid	Process	procid_target
PID 1680 wrote to memory of 2500	1680	rundll32.exe	30
PID 1680 wrote to memory of 2500	1680	rundll32.exe	30
PID 1680 wrote to memory of 2500	1680	rundll32.exe	30
PID 1680 wrote to memory of 2500	1680	rundll32.exe	30
PID 1680 wrote to memory of 2500	1680	rundll32.exe	30
PID 1680 wrote to memory of 2500	1680	rundll32.exe	30
PID 1680 wrote to memory of 2500	1680	rundll32.exe	30
PID 2500 wrote to memory of 2496	2500	rundll32.exe	31
PID 2500 wrote to memory of 2496	2500	rundll32.exe	31
PID 2500 wrote to memory of 2496	2500	rundll32.exe	31
PID 2500 wrote to memory of 2496	2500	rundll32.exe	31
PID 2496 wrote to memory of 1780	2496	cmd.exe	33
PID 2496 wrote to memory of 1780	2496	cmd.exe	33
PID 2496 wrote to memory of 1780	2496	cmd.exe	33
PID 2496 wrote to memory of 1780	2496	cmd.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\00f66290090abad9e0c8a98e659723a29ad621862a54ff7b67dc326b4cf74ae6N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\00f66290090abad9e0c8a98e659723a29ad621862a54ff7b67dc326b4cf74ae6N.dll,#1
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1780