cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e

Analysis

max time kernel
148s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
Size

580KB
MD5

c9a17796e814fceb15373265c50da812
SHA1

690f31847c732a6534e8179071a37f750d0f0e69
SHA256

cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e
SHA512

05351862a76337a6eb308053fe6f1679bc9d5c8017983cbe771489271f5e19dcf6a259785f7f93e7a79c0fded543ecab2e69bc829e234aa029eb97ac0478f716
SSDEEP

12288:qJupwI3iV2ENXh2mqBMi/n+usQe2dG1p0CCbbQrLY8MkK2W6tt:qPI3Q2yh273v+seqG1p07H8Mkfzt

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
956	bffd.exe
652	bffd.exe
1084	bffd.exe

Loads dropped DLL 16 IoCs

pid	Process
888	regsvr32.exe
1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
956	bffd.exe
956	bffd.exe
956	bffd.exe
1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
652	bffd.exe
652	bffd.exe
652	bffd.exe
1084	bffd.exe
1876	rundll32.exe
1876	rundll32.exe
1876	rundll32.exe
1876	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	\??\PhysicalDrive0	bffd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\14rb.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dlltmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File created	C:\Windows\SysWOW64\-7218-12068	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File created	C:\Windows\SysWOW64\3fc	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\841e.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\bffd.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\8f6.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\a8f.flv	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\4bad.flv	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\f6fu.bmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\a8fd.flv	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File created	C:\Windows\Tasks\ms.job	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\bf14.bmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\14ba.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\6f1u.bmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\a8fd.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\8f6d.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\a34b.flv	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\f6f.bmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1536	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	26
PID 1504 wrote to memory of 1536	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	26
PID 1504 wrote to memory of 1536	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	26
PID 1504 wrote to memory of 1536	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	26
PID 1504 wrote to memory of 1536	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	26
PID 1504 wrote to memory of 1536	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	26
PID 1504 wrote to memory of 1536	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	26
PID 1504 wrote to memory of 1336	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	27
PID 1504 wrote to memory of 1336	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	27
PID 1504 wrote to memory of 1336	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	27
PID 1504 wrote to memory of 1336	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	27
PID 1504 wrote to memory of 1336	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	27
PID 1504 wrote to memory of 1336	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	27
PID 1504 wrote to memory of 1336	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	27
PID 1504 wrote to memory of 112	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	28
PID 1504 wrote to memory of 112	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	28
PID 1504 wrote to memory of 112	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	28
PID 1504 wrote to memory of 112	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	28
PID 1504 wrote to memory of 112	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	28
PID 1504 wrote to memory of 112	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	28
PID 1504 wrote to memory of 112	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	28
PID 1504 wrote to memory of 760	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	29
PID 1504 wrote to memory of 760	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	29
PID 1504 wrote to memory of 760	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	29
PID 1504 wrote to memory of 760	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	29
PID 1504 wrote to memory of 760	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	29
PID 1504 wrote to memory of 760	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	29
PID 1504 wrote to memory of 760	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	29
PID 1504 wrote to memory of 888	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	30
PID 1504 wrote to memory of 888	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	30
PID 1504 wrote to memory of 888	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	30
PID 1504 wrote to memory of 888	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	30
PID 1504 wrote to memory of 888	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	30
PID 1504 wrote to memory of 888	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	30
PID 1504 wrote to memory of 888	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	30
PID 1504 wrote to memory of 956	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	31
PID 1504 wrote to memory of 956	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	31
PID 1504 wrote to memory of 956	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	31
PID 1504 wrote to memory of 956	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	31
PID 1504 wrote to memory of 956	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	31
PID 1504 wrote to memory of 956	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	31
PID 1504 wrote to memory of 956	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	31
PID 1504 wrote to memory of 652	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	33
PID 1504 wrote to memory of 652	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	33
PID 1504 wrote to memory of 652	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	33
PID 1504 wrote to memory of 652	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	33
PID 1504 wrote to memory of 652	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	33
PID 1504 wrote to memory of 652	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	33
PID 1504 wrote to memory of 652	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	33
PID 1504 wrote to memory of 1876	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	36
PID 1504 wrote to memory of 1876	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	36
PID 1504 wrote to memory of 1876	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	36
PID 1504 wrote to memory of 1876	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	36
PID 1504 wrote to memory of 1876	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	36
PID 1504 wrote to memory of 1876	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	36
PID 1504 wrote to memory of 1876	1504	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	36

C:\Users\Admin\AppData\Local\Temp\cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
"C:\Users\Admin\AppData\Local\Temp\cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
  2⤵
  PID:1536
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
  2⤵
  PID:1336
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
  2⤵
  PID:112
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
  2⤵
  PID:760
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:888
- C:\Windows\SysWOW64\bffd.exe
  C:\Windows\system32\bffd.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:956
- C:\Windows\SysWOW64\bffd.exe
  C:\Windows\system32\bffd.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:652
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:1876

C:\Windows\SysWOW64\bffd.exe
C:\Windows\SysWOW64\bffd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\841e.dll

Filesize
396KB

MD5
d112316bd2d54ba0815bfc933fa9845e

SHA1
941e20c811a8b3e7f7c4b7c5ef52768ace6b91b9

SHA256
fa4bd625071e635b810279e44056b377ff6160fc1bb0eb2d85e9ff0e0a148324

SHA512
4bf71c4b9d2de824e9bbe3acd607ac9b47dc81687a81e0befd23c0bc6f1aa90608cf46efca0eee4acea62666312eda54acae3346c14c1c58c172aa1fb4fd5f9c

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
c56b48384988654dceefb53c7130d25d

SHA1
81ed8b8ad2dc20591e8b0ebe583db451b49e40b4

SHA256
e2c1b0c26e9df402da7dada74af52cb595b1dd9bab77ef97b7531b77fd0bb43b

SHA512
4aaeb8f872df39f816aac09869fa179fc6854a42369eeff44c273f49982b9e78ab1b6f51efdd5cecc5bad72737388b397b8111d88c3446492e8b5c50b974a1a1

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
\Windows\SysWOW64\841e.dll

Filesize
396KB

MD5
d112316bd2d54ba0815bfc933fa9845e

SHA1
941e20c811a8b3e7f7c4b7c5ef52768ace6b91b9

SHA256
fa4bd625071e635b810279e44056b377ff6160fc1bb0eb2d85e9ff0e0a148324

SHA512
4bf71c4b9d2de824e9bbe3acd607ac9b47dc81687a81e0befd23c0bc6f1aa90608cf46efca0eee4acea62666312eda54acae3346c14c1c58c172aa1fb4fd5f9c

Download Submit
\Windows\SysWOW64\841e.dll

Filesize
396KB

MD5
d112316bd2d54ba0815bfc933fa9845e

SHA1
941e20c811a8b3e7f7c4b7c5ef52768ace6b91b9

SHA256
fa4bd625071e635b810279e44056b377ff6160fc1bb0eb2d85e9ff0e0a148324

SHA512
4bf71c4b9d2de824e9bbe3acd607ac9b47dc81687a81e0befd23c0bc6f1aa90608cf46efca0eee4acea62666312eda54acae3346c14c1c58c172aa1fb4fd5f9c

Download Submit
\Windows\SysWOW64\841e.dll

Filesize
396KB

MD5
d112316bd2d54ba0815bfc933fa9845e

SHA1
941e20c811a8b3e7f7c4b7c5ef52768ace6b91b9

SHA256
fa4bd625071e635b810279e44056b377ff6160fc1bb0eb2d85e9ff0e0a148324

SHA512
4bf71c4b9d2de824e9bbe3acd607ac9b47dc81687a81e0befd23c0bc6f1aa90608cf46efca0eee4acea62666312eda54acae3346c14c1c58c172aa1fb4fd5f9c

Download Submit
\Windows\SysWOW64\841e.dll

Filesize
396KB

MD5
d112316bd2d54ba0815bfc933fa9845e

SHA1
941e20c811a8b3e7f7c4b7c5ef52768ace6b91b9

SHA256
fa4bd625071e635b810279e44056b377ff6160fc1bb0eb2d85e9ff0e0a148324

SHA512
4bf71c4b9d2de824e9bbe3acd607ac9b47dc81687a81e0befd23c0bc6f1aa90608cf46efca0eee4acea62666312eda54acae3346c14c1c58c172aa1fb4fd5f9c

Download Submit
\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
c56b48384988654dceefb53c7130d25d

SHA1
81ed8b8ad2dc20591e8b0ebe583db451b49e40b4

SHA256
e2c1b0c26e9df402da7dada74af52cb595b1dd9bab77ef97b7531b77fd0bb43b

SHA512
4aaeb8f872df39f816aac09869fa179fc6854a42369eeff44c273f49982b9e78ab1b6f51efdd5cecc5bad72737388b397b8111d88c3446492e8b5c50b974a1a1

Download Submit
\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
c56b48384988654dceefb53c7130d25d

SHA1
81ed8b8ad2dc20591e8b0ebe583db451b49e40b4

SHA256
e2c1b0c26e9df402da7dada74af52cb595b1dd9bab77ef97b7531b77fd0bb43b

SHA512
4aaeb8f872df39f816aac09869fa179fc6854a42369eeff44c273f49982b9e78ab1b6f51efdd5cecc5bad72737388b397b8111d88c3446492e8b5c50b974a1a1

Download Submit
\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
\Windows\SysWOW64\bffd.exe

Filesize
136KB

MD5
bb834d331f53329a75673592da84a9c3

SHA1
7e548eaaca041bc79a7705e2e392a4fe302f47ca

SHA256
579b9b162efc24cb53eecfaebc1426b3a04ef82cc7fb5607ef9b872ab559617a

SHA512
47597d81eb1d6336f2d790669d5e3b2e20504dd20d92cbd57b625dcbbd3fee5cd5619209378c338256a216ee8f607ba08606dd9ade335ad22b4af3b4dd429699

Download Submit
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download