win.unidentified_121

Unidentified 121


unidentified_121 acts as a downloader and reflective PE loader and uses a dual-mode execution strategy that depends on its privilege level. When executed without administrative rights, it attempts to bypass User Account Control (UAC) by first patching its own Process Environment Block (PEB) in memory so that it masquerades as explorer.exe, and then using a specific COM object ({3E5FC7F9-9A51-4367-9063-A120244FBEC7}, invoked through the Elevation:Administrator!new: moniker) to relaunch itself with elevated privileges. This initial stage is concerned only with achieving elevation; in the non-elevated state it performs no C2 communication and no direct payload execution.

Once running with administrative privileges (either initially or after a successful elevation), the malware establishes persistence by creating a Scheduled Task named "BlaBlaAgu" via COM, configured to run with the highest privileges and to repeat every five minutes indefinitely. It evades defenses by running PowerShell commands (Add-MpPreference) that add Windows Defender exclusions for its own process and for the user's profile directory, and a separate thread re-applies these exclusions every 60 seconds. Its primary function in the elevated state is that of a downloader: it connects to its Command and Control (C2) server over TCP port 33334 using a custom protocol encrypted with an RC4-like cipher and the hardcoded key "ALB9SxZBzCqwPFnD". After a distinct 20-byte client handshake (the RC4 key followed by the integer 444) and a 16-byte server response (the RC4 key) that the client checks for validation, it downloads further encrypted PE payloads and executes them reflectively in its own memory space.
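The handshake above is fixed enough to recognise in captured traffic. The following is an added example, not code from Malpedia or from any analysis of the sample: a small Python recogniser that flags reassembled TCP flows whose first client bytes are the key plus 444 and whose first server bytes are the key. It assumes the integer is a 4-byte value (the byte order is not stated, so both encodings are tried) and that the flow records are constructed dicts of already-reassembled client and server data.

```python
import struct
from typing import Dict, Iterable, List, Optional

# Values reported for this family in the description above.
RC4_KEY = b"ALB9SxZBzCqwPFnD"       # 16 bytes, also the expected server response
C2_PORT = 33334
HANDSHAKE_MAGIC = 444                # integer appended to the key by the client
HELLO_LEN = 20                       # 16-byte key + 4-byte integer


def client_hello_candidates() -> Dict[str, bytes]:
    """Build the two possible 20-byte client hellos.

    Assumption: the page does not state the integer's byte order, so both
    little-endian and big-endian encodings are treated as candidates.
    """
    return {
        "little-endian": RC4_KEY + struct.pack("<I", HANDSHAKE_MAGIC),
        "big-endian": RC4_KEY + struct.pack(">I", HANDSHAKE_MAGIC),
    }


def match_handshake(client_data: bytes, server_data: bytes) -> Optional[Dict[str, object]]:
    """Return match details if a flow opens with this family's handshake, else None."""
    for endian, hello in client_hello_candidates().items():
        if client_data[:HELLO_LEN] == hello:
            # The server's first 16 bytes should echo the key back to the client.
            server_ok = server_data[:16] == RC4_KEY
            return {"endianness": endian, "server_validated": server_ok}
    return None


def scan_flows(flows: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Scan reassembled flows and return one alert per matching handshake.

    A match on a port other than 33334 is still reported, since the port may vary
    while the handshake bytes stay constant.
    """
    alerts = []
    for flow in flows:
        m = match_handshake(flow["client_data"], flow["server_data"])
        if m is not None:
            alerts.append({
                "src": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
                "expected_port": flow["dport"] == C2_PORT, **m,
            })
    return alerts


# Constructed sample flows (not real captures): one matching, one TLS-like.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 33334,
     "client_data": RC4_KEY + struct.pack("<I", HANDSHAKE_MAGIC) + b"\x00" * 8,
     "server_data": RC4_KEY + b"\x11\x22\x33"},
    {"src": "10.0.0.6", "dst": "198.51.100.2", "dport": 443,
     "client_data": b"\x16\x03\x01" + b"\x00" * 17,
     "server_data": b"\x16\x03\x03" + b"\x00" * 13},
]
```

Feeding it real flows means reassembling each side's stream first; a packet-level tool would need the same key-plus-444 check on the first 20 client bytes.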

References
2025-04-16 | VirusTotal | VirusTotal
b804ab085f7cf9ee546d586b36ebbeb73f874205b8fae048760dee78375ddf40
Unidentified 121

There is no YARA signature yet.