Page 92 - Cyber Defense eMagazine October 2023

Disabling UAC:


Following is the process tree corresponding to the execution of RiotGames.exe. The sample modifies a registry value called EnableLUA under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key, setting it to 0, which effectively disables the User Account Control (UAC) user interface for consent prompts.

[Figure: process tree for the execution of RiotGames.exe]

Disabling UAC can be seen as an attempt by the malware to gain greater control over the infected system without being impeded by UAC prompts. With UAC turned off, the malware can carry out certain actions or install itself without the user's knowledge or consent. This lets it operate with elevated privileges and makes it harder for the user to detect and remove.
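As an added example (not code from the article), the following Python detector flags the registry change described above when run over Sysmon-style RegistryEvent SetValue records. The event shape, file paths and process names are constructed assumptions; the key and value name are those named in the text.

```python
import re
from dataclasses import dataclass

# Key and value the sample writes (from the article); compared case-insensitively.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUE = "EnableLUA"

# Hive spellings that different tools emit for the same key.
_HIVE_ALIASES = {"hkey_local_machine": "hklm", "machine": "hklm"}

@dataclass
class RegistryEvent:
    """Minimal shape of a Sysmon Event ID 13 (SetValue) record (assumed fields)."""
    image: str          # process performing the write
    target_object: str  # full path, value name included
    details: str        # Sysmon renders DWORDs as 'DWORD (0x00000000)'

def normalize_key(path: str) -> str:
    """Lower-case the key path and fold hive aliases onto 'hklm'."""
    parts = path.strip("\\").lower().split("\\")
    parts[0] = _HIVE_ALIASES.get(parts[0], parts[0])
    return "\\".join(parts)

def parse_dword(details: str):
    """Return the integer from 'DWORD (0x...)' or a bare decimal string, else None."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None

def is_uac_disable(ev: RegistryEvent) -> bool:
    """True when the event sets EnableLUA to 0 under the HKLM Policies\\System key."""
    key, _, value_name = ev.target_object.rpartition("\\")
    if value_name.lower() != UAC_VALUE.lower():
        return False
    if normalize_key(key) != normalize_key(UAC_KEY):
        return False
    return parse_dword(ev.details) == 0

def find_uac_tampering(events):
    """Images of processes that disabled UAC, in event order."""
    return [ev.image for ev in events if is_uac_disable(ev)]

# Constructed sample events for demonstration; not telemetry from the article.
SAMPLE_EVENTS = [
    RegistryEvent(r"C:\Users\victim\Downloads\RiotGames.exe", UAC_KEY + "\\EnableLUA", "DWORD (0x00000000)"),
    RegistryEvent(r"C:\Windows\System32\svchost.exe", UAC_KEY + "\\ConsentPromptBehaviorAdmin", "DWORD (0x00000005)"),
    RegistryEvent(r"C:\ProgramData\Terminal\terminal.exe",
                  r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    RegistryEvent(r"C:\Windows\regedit.exe", UAC_KEY + "\\EnableLUA", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for image in find_uac_tampering(SAMPLE_EVENTS):
        print(f"ALERT: UAC disabled (EnableLUA=0) by {image}")
```

Re-enabling (EnableLUA=1) and writes to other values under the same key are deliberately not flagged, so the rule stays narrow to the behaviour the article describes.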

It creates a folder named "Terminal" in the directory "C:\ProgramData" and copies itself into that folder under the name "terminal.exe"; when executed, the copy exhibits the same behaviour. Both our sample "RiotGames.exe" and "Terminal.exe" have the same hash value.

Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.