Page 92 - Cyber Defense eMagazine October 2023
Disabling UAC:
Following is the process tree corresponding to the execution of RiotGames.exe. The sample modifies a registry value named EnableLUA under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key, setting it to 0, which effectively disables the User Account Control (UAC) consent prompts.
Disabling UAC can be seen as an attempt by the malware to gain greater control over the infected system without being impeded by UAC prompts. With UAC turned off, the malware can perform actions or install itself without the user's knowledge or consent. This lets it operate with elevated privileges, making it harder for the user to detect and remove.
It creates a folder named "Terminal" in the "C:\ProgramData" directory and copies itself into that folder as "terminal.exe"; when executed, the copy exhibits the same behaviour. Both our sample "RiotGames.exe" and "Terminal.exe" have the same hash value.
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.