cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
Size

580KB
MD5

c9a17796e814fceb15373265c50da812
SHA1

690f31847c732a6534e8179071a37f750d0f0e69
SHA256

cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e
SHA512

05351862a76337a6eb308053fe6f1679bc9d5c8017983cbe771489271f5e19dcf6a259785f7f93e7a79c0fded543ecab2e69bc829e234aa029eb97ac0478f716
SSDEEP

12288:qJupwI3iV2ENXh2mqBMi/n+usQe2dG1p0CCbbQrLY8MkK2W6tt:qPI3Q2yh273v+seqG1p07H8Mkfzt

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bffd.exe

Executes dropped EXE 3 IoCs

pid	Process
1344	bffd.exe
896	bffd.exe
4856	bffd.exe

Loads dropped DLL 25 IoCs

pid	Process
1544	regsvr32.exe
4856	bffd.exe
4900	rundll32.exe
4344	rundll32.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe
4856	bffd.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	\??\PhysicalDrive0	bffd.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dlltmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File created	C:\Windows\SysWOW64\047758	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\bffd.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\SysWOW64\841e.dll	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File created	C:\Windows\SysWOW64\-1208-102-56	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bf14.bmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\14ba.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\a34b.flv	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\f6f.bmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\8f6.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\a8f.flv	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\4bad.flv	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\f6fu.bmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\a8fd.flv	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File created	C:\Windows\Tasks\ms.job	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\6f1u.bmp	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\a8fd.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
File opened for modification	C:\Windows\8f6d.exe	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4856	bffd.exe
4856	bffd.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 1568	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	79
PID 4132 wrote to memory of 1568	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	79
PID 4132 wrote to memory of 1568	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	79
PID 4132 wrote to memory of 1192	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	80
PID 4132 wrote to memory of 1192	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	80
PID 4132 wrote to memory of 1192	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	80
PID 4132 wrote to memory of 4952	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	81
PID 4132 wrote to memory of 4952	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	81
PID 4132 wrote to memory of 4952	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	81
PID 4132 wrote to memory of 3112	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	82
PID 4132 wrote to memory of 3112	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	82
PID 4132 wrote to memory of 3112	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	82
PID 4132 wrote to memory of 1544	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	83
PID 4132 wrote to memory of 1544	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	83
PID 4132 wrote to memory of 1544	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	83
PID 4132 wrote to memory of 1344	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	84
PID 4132 wrote to memory of 1344	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	84
PID 4132 wrote to memory of 1344	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	84
PID 4132 wrote to memory of 896	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	86
PID 4132 wrote to memory of 896	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	86
PID 4132 wrote to memory of 896	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	86
PID 4132 wrote to memory of 4900	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	89
PID 4132 wrote to memory of 4900	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	89
PID 4132 wrote to memory of 4900	4132	cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe	89
PID 4856 wrote to memory of 4344	4856	bffd.exe	90
PID 4856 wrote to memory of 4344	4856	bffd.exe	90
PID 4856 wrote to memory of 4344	4856	bffd.exe	90

C:\Users\Admin\AppData\Local\Temp\cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe
"C:\Users\Admin\AppData\Local\Temp\cb5e4b8060b5b4498b77ceb7211634398439828e07de359ee670c6357df2cf5e.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
  2⤵
  PID:1568
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
  2⤵
  PID:1192
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
  2⤵
  PID:4952
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
  2⤵
  PID:3112
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:1544
- C:\Windows\SysWOW64\bffd.exe
  C:\Windows\system32\bffd.exe -i
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\SysWOW64\bffd.exe
  C:\Windows\system32\bffd.exe -s
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:4900

C:\Windows\SysWOW64\bffd.exe
C:\Windows\SysWOW64\bffd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
  2⤵
  - Loads dropped DLL
  PID:4344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\841e.dll

Filesize
456KB

MD5
bf59b12bdaffa21ee4e3d8ace8dce850

SHA1
69cfac181d658817e14694c85406830bbd265450

SHA256
0ec39b0ede5f01195beca242d114e62fc49b50dd9d83734a5de4602c7ee05b41

SHA512
644697bd83c99b9737d16fa2742a12200b0d87a995d3758a16ada50fffe2ef68c0f6c87906b918f78ed1f5d86f84aeb948842b9bbe80108b02d852f1a4624266

Download Submit
C:\Windows\SysWOW64\841e.dll

Filesize
456KB

MD5
bf59b12bdaffa21ee4e3d8ace8dce850

SHA1
69cfac181d658817e14694c85406830bbd265450

SHA256
0ec39b0ede5f01195beca242d114e62fc49b50dd9d83734a5de4602c7ee05b41

SHA512
644697bd83c99b9737d16fa2742a12200b0d87a995d3758a16ada50fffe2ef68c0f6c87906b918f78ed1f5d86f84aeb948842b9bbe80108b02d852f1a4624266

Download Submit
C:\Windows\SysWOW64\841e.dll

Filesize
456KB

MD5
bf59b12bdaffa21ee4e3d8ace8dce850

SHA1
69cfac181d658817e14694c85406830bbd265450

SHA256
0ec39b0ede5f01195beca242d114e62fc49b50dd9d83734a5de4602c7ee05b41

SHA512
644697bd83c99b9737d16fa2742a12200b0d87a995d3758a16ada50fffe2ef68c0f6c87906b918f78ed1f5d86f84aeb948842b9bbe80108b02d852f1a4624266

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
292KB

MD5
01e5b34fc256bc5755d7bb76f2d22c0e

SHA1
4ac33f7860ebb2fd41c41b8a8592847719d512e4

SHA256
d0118b51b782a514fd0fdd9b90c58683f26be8ba3a6cefebca5095451da9eca7

SHA512
a5ac8e5aa308378200f7efad895cedb0929931d24065b1000364801e4ec8c436f55c8ecbfdefa8264cb049071a3fecd169d062470b10e8d14f79ab7c52db5bbb

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
196KB

MD5
4c687eeb02639e052d61d6c4765fcb84

SHA1
875722b04237b5d4d0e59885752caea50c8d1260

SHA256
376e246e01ecf9d24821f0f14cf01d817e2bda0d02c9b36e1996638ac4a9bcb8

SHA512
108c0711824c0996a3b10f52b9baf2de55a2ed50ae9bbb50f12a65a2daf502f4c536993fefd04bedbefb9c10f2f0b3d4fb33a21f764e860c3f87c26ce92b8968

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
196KB

MD5
4c687eeb02639e052d61d6c4765fcb84

SHA1
875722b04237b5d4d0e59885752caea50c8d1260

SHA256
376e246e01ecf9d24821f0f14cf01d817e2bda0d02c9b36e1996638ac4a9bcb8

SHA512
108c0711824c0996a3b10f52b9baf2de55a2ed50ae9bbb50f12a65a2daf502f4c536993fefd04bedbefb9c10f2f0b3d4fb33a21f764e860c3f87c26ce92b8968

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
196KB

MD5
4c687eeb02639e052d61d6c4765fcb84

SHA1
875722b04237b5d4d0e59885752caea50c8d1260

SHA256
376e246e01ecf9d24821f0f14cf01d817e2bda0d02c9b36e1996638ac4a9bcb8

SHA512
108c0711824c0996a3b10f52b9baf2de55a2ed50ae9bbb50f12a65a2daf502f4c536993fefd04bedbefb9c10f2f0b3d4fb33a21f764e860c3f87c26ce92b8968

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
196KB

MD5
4c687eeb02639e052d61d6c4765fcb84

SHA1
875722b04237b5d4d0e59885752caea50c8d1260

SHA256
376e246e01ecf9d24821f0f14cf01d817e2bda0d02c9b36e1996638ac4a9bcb8

SHA512
108c0711824c0996a3b10f52b9baf2de55a2ed50ae9bbb50f12a65a2daf502f4c536993fefd04bedbefb9c10f2f0b3d4fb33a21f764e860c3f87c26ce92b8968

Download Submit