00f66290090abad9e0c8a98e659723a29ad621862a54ff7b67dc326b4cf74ae6

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 09:56

Target

00f66290090abad9e0c8a98e659723a29ad621862a54ff7b67dc326b4cf74ae6N.dll
Size

465KB
MD5

c52987ac16d800661b0673db0e88e040
SHA1

8887a9096dd5baa81fc841fd4066978aabc66d66
SHA256

00f66290090abad9e0c8a98e659723a29ad621862a54ff7b67dc326b4cf74ae6
SHA512

5431218a44e0a26337b6ad78f4cf225c735a104751a542cb7d882e69ba711b3001d855199c7b91d6113eca2095257daacbb642cf1e84fa1c11e913f5d401782d
SSDEEP

12288:wPZmBcv4pc/FIz46LEM3b3dEeDCEjqT+PZmpM:whmqec/b65r0EEAZ

Score

10^/10

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

Disable or Modify Tools

Modify Registry

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow	pid	Process
6	376	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

Processes:

rundll32.execmd.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

Processes:

reg.exe

pid	Process
4756	reg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.execmd.exe

description	pid	Process	procid_target
PID 2248 wrote to memory of 376	2248	rundll32.exe	83
PID 2248 wrote to memory of 376	2248	rundll32.exe	83
PID 2248 wrote to memory of 376	2248	rundll32.exe	83
PID 376 wrote to memory of 3152	376	rundll32.exe	84
PID 376 wrote to memory of 3152	376	rundll32.exe	84
PID 376 wrote to memory of 3152	376	rundll32.exe	84
PID 3152 wrote to memory of 4756	3152	cmd.exe	86
PID 3152 wrote to memory of 4756	3152	cmd.exe	86
PID 3152 wrote to memory of 4756	3152	cmd.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\00f66290090abad9e0c8a98e659723a29ad621862a54ff7b67dc326b4cf74ae6N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\00f66290090abad9e0c8a98e659723a29ad621862a54ff7b67dc326b4cf74ae6N.dll,#1
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4756