Didn't found this retarded piece of crap here, so decided to post it. Yet another encoding trash. What only bring my attention is that it is using custom UACMe v1.9 to elevate itself.
Used methods:
for 32bit - winsat.exe (method 10)
for 64bit - mmc.exe (method 13)
Trash in attach. Uacme embedded in idiotic way, to catch it drop to the %Appdata% - set bp on CreateFile/WriteFile.
Dropper -> drop uacme and copy itself to %appdata% -> launch uacme <mode 32 or 64> path_to_dropper
VT
MD5 8434eea972e516a35f4ac59a7f868453
SHA1 39eff0a248b7f23ee728396968e9279b241d2378
SHA256 92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b
https://www.virustotal.com/en/file/92ac ... /analysis/
Used methods:
for 32bit - winsat.exe (method 10)
for 64bit - mmc.exe (method 13)
Trash in attach. Uacme embedded in idiotic way, to catch it drop to the %Appdata% - set bp on CreateFile/WriteFile.
Dropper -> drop uacme and copy itself to %appdata% -> launch uacme <mode 32 or 64> path_to_dropper
VT
MD5 8434eea972e516a35f4ac59a7f868453
SHA1 39eff0a248b7f23ee728396968e9279b241d2378
SHA256 92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b
https://www.virustotal.com/en/file/92ac ... /analysis/
Attachments
pass: malware
(123.78 KiB) Downloaded 83 times
(123.78 KiB) Downloaded 83 times
Ring0 - the source of inspiration