Analysis
max time kernel: 162s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 22:02

Static task: static1

Behavioral task: behavioral1
Sample: abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
Resource: win10v2004-20220812-en
General
Target: abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
Size: 624KB
MD5: 6fe0cf212a37e4e1c85b230662f2d39e
SHA1: b014530384159521949e8245597a0c90a36b0a4a
SHA256: abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c
SHA512: 26f03bcb2079370a3d9d4866bd7f8bc1eb995dbff1c91a238f56d22c594010101ab6aabe35777972a975e0c1b9c42ad3a4ad56dfd4fcd091c9004a1a28f8318b
SSDEEP: 12288:R9YRw4DJLnJPM+moa2oeAF9T7HH3EXlvd8jVgBG4pB3rHRjev6VE:R9H4DxnFtmKoe2dH0lSjIrHS
Malware Config

Signatures

Drops file in Drivers directory (1 IoC)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | 1m4b.exe

Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  1084 | 1m4b.exe
  2060 | 1m4b.exe
  3748 | 1m4b.exe

Loads dropped DLL (5 IoCs)
Processes:
  pid | process
  4280 | regsvr32.exe
  3748 | 1m4b.exe
  1132 | rundll32.exe
  3748 | 1m4b.exe
  3748 | 1m4b.exe
Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05} | regsvr32.exe

Writes to the Master Boot Record (MBR) (1 TTP, 5 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | \??\PhysicalDrive0 | 1m4b.exe
  File opened for modification | \??\PhysicalDrive0 | 1m4b.exe
  File opened for modification | \??\PhysicalDrive0 | 1m4b.exe
  File opened for modification | \??\PhysicalDrive0 | rundll32.exe
Drops file in System32 directory (49 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\4l14.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\a8m1.exe | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\a3e1.dlltmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\4frb.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\akbb.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\fx8f.exe | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\aqab.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\4g1a.dlltmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\3l34.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\4bnb.exe | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\fs34.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\1v81.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\aqab.dlltmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\3blf.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\14b3.exe | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\a3e1.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\fs34.dlltmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\1m4b.exe | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File created | C:\Windows\SysWOW64\3366f9 | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\bg4f.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\4ba8.exe | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\qba8.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\aj34.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\aj34.dlltmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\blbf.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\3ha1.dlltmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\bhbf.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\bg4f.dlltmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\mbf1.dlltmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\b14b.exe | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\blbf.dlltmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\4m4b.exe | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File created | C:\Windows\SysWOW64\-68856-75 | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\la34.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\mbf1.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\8qba.dlltmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\ba34.exe | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\1v81.dlltmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\flb1.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\ar14.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\3ha1.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\l34b.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\qba8.dlltmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\8qba.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\bs4b.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\fc4b.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\3gbf.exe | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\fp8f.exe | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\SysWOW64\4g1a.dll | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
Drops file in Windows directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\4ba8.bmp | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\3343.exe | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  File opened for modification | C:\Windows\8f14.flv | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
Modifies registry class (46 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}\VersionIndependentProgID\ = "IEHpr.Invoke" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}\TypeLib | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EBF2FB32-E53C-46BB-A6D7-6AA15B3F399E}\1.0\0 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EBF2FB32-E53C-46BB-A6D7-6AA15B3F399E}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\4g1a.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CLSID\ = "{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EBF2FB32-E53C-46BB-A6D7-6AA15B3F399E}\1.0\0\win32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EBF2FB32-E53C-46BB-A6D7-6AA15B3F399E}\1.0\HELPDIR | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1\ = "Invoke Class" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CurVer\ = "IEHpr.Invoke.1" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EBF2FB32-E53C-46BB-A6D7-6AA15B3F399E}\1.0\ = "Flash ocx 2.0 Type Library" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EBF2FB32-E53C-46BB-A6D7-6AA15B3F399E}\1.0\FLAGS\ = "0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}\TypeLib\ = "{EBF2FB32-E53C-46bb-A6D7-6AA15B3F399E}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0}\TypeLib\ = "{EBF2FB32-E53C-46BB-A6D7-6AA15B3F399E}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0}\TypeLib\Version = "1.0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\ = "Invoke Class" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CurVer | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}\ProgID\ = "IEHpr.Invoke.1" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}\InprocServer32\ = "C:\\Windows\\SysWow64\\4g1a.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EBF2FB32-E53C-46BB-A6D7-6AA15B3F399E}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0}\ = "IInvoke" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}\ProgID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}\Programmable | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EBF2FB32-E53C-46BB-A6D7-6AA15B3F399E} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}\VersionIndependentProgID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EBF2FB32-E53C-46BB-A6D7-6AA15B3F399E}\1.0\FLAGS | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0}\ = "IInvoke" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}\InprocServer32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EBF2FB32-E53C-46BB-A6D7-6AA15B3F399E}\1.0 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0}\ProxyStubClsid32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0}\TypeLib\Version = "1.0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID\ = "{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CLSID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{021F2AD6-75E0-40c8-83E6-67AAE7D7DC05}\ = "Invoke Class" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFC509E8-F13E-4754-A940-7F79A2D6F1F0}\TypeLib\ = "{EBF2FB32-E53C-46BB-A6D7-6AA15B3F399E}" | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  3748 | 1m4b.exe
  3748 | 1m4b.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid | process
  728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe

Suspicious use of WriteProcessMemory (51 IoCs)
Processes (each row is recorded three times in the report, giving 51 entries in total):
  description | pid | process | target process
  PID 728 wrote to memory of 4512 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 8 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 2688 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 4944 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 3092 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 4912 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 3292 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 5096 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 4304 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 2136 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 1220 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 5000 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 4476 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 4280 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | regsvr32.exe
  PID 728 wrote to memory of 1084 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | 1m4b.exe
  PID 728 wrote to memory of 2060 | 728 | abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe | 1m4b.exe
  PID 3748 wrote to memory of 1132 | 3748 | 1m4b.exe | rundll32.exe
Processes (indentation shows the parent/child depth)

C:\Users\Admin\AppData\Local\Temp\abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\abe5f67ea2f5d5ec3f34d9a5b79478a8d208fff60730cfc27d4d0789129f4c6c.exe"
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\mbf1.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\qba8.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8qba.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\aj34.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a3e1.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a3e1.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\fs34.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\blbf.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\3ha1.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\1v81.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\aqab.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\bg4f.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4g1a.dll"

    C:\Windows\SysWOW64\regsvr32.exe
      command line: C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\4g1a.dll"
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class

    C:\Windows\SysWOW64\1m4b.exe
      command line: C:\Windows\system32\1m4b.exe -i
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)

    C:\Windows\SysWOW64\1m4b.exe
      command line: C:\Windows\system32\1m4b.exe -s
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)

C:\Windows\SysWOW64\1m4b.exe
  command line: C:\Windows\SysWOW64\1m4b.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32 C:\Windows\system32\3blf.dll, Always
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\SysWOW64\1m4b.exe
  Filesize: 116KB
  MD5: 0477a0485c1b3ce2f015a093888e9581
  SHA1: e7b72e042e6f754f6235fc1b7d7ff75faca95159
  SHA256: 58f1951587a66fe281060fed2c984513a39d0dfe395ead7b620fc4a2e17248ff
  SHA512: 6fe68245126658813123bd62f9cc373243dc657b94d251826c12315851c39dc6b84b65c9331021e1d6b4754e9699d9b14e887aec52fddb02ec574b055d9fbf42
C:\Windows\SysWOW64\3blf.dll
  Filesize: 536KB
  MD5: fc47dd6b070cc2537850bcb19e3fddc7
  SHA1: 98952641465316b6e43777ab35d9a4c07ace7b2e
  SHA256: df4e64253f2818c33cbeff91b59d0461facae1546f82d01a1e30eab5e2a1df5d
  SHA512: 9b0150bf8983fe6dc83b527bbdf9b23f3eea51612e4899365804e1a8c2babdbee37f359c5635f54fb3bff63e5cc730c1bcc18b05ea06100b0350ebf9bc5f7484
C:\Windows\SysWOW64\4g1a.dll
  Filesize: 64KB
  MD5: c1f82f029810a10173163063443cd7cd
  SHA1: 9634dae3c226c21a1503fc92a3f1c288ad7cb3af
  SHA256: 716189df2400c88824513d07e723d6856fd033bac160758378b9f008f8a2a8e3
  SHA512: bda5ad15518aa339855c0f88688cd784e7a113cd9466b02c7d7143022ebf243e58402cc900da2bccff2bf37cf61436542ab2ead450bcdafa75cf77b1f53d150a
Memory dumps:
  memory/8-133-0x0000000000000000-mapping.dmp
  memory/1084-148-0x0000000000000000-mapping.dmp
  memory/1132-155-0x0000000000000000-mapping.dmp
  memory/1220-142-0x0000000000000000-mapping.dmp
  memory/2060-151-0x0000000000000000-mapping.dmp
  memory/2136-141-0x0000000000000000-mapping.dmp
  memory/2688-134-0x0000000000000000-mapping.dmp
  memory/3092-136-0x0000000000000000-mapping.dmp
  memory/3292-138-0x0000000000000000-mapping.dmp
  memory/4280-145-0x0000000000000000-mapping.dmp
  memory/4304-140-0x0000000000000000-mapping.dmp
  memory/4476-144-0x0000000000000000-mapping.dmp
  memory/4512-132-0x0000000000000000-mapping.dmp
  memory/4912-137-0x0000000000000000-mapping.dmp
  memory/4944-135-0x0000000000000000-mapping.dmp
  memory/5000-143-0x0000000000000000-mapping.dmp
  memory/5096-139-0x0000000000000000-mapping.dmp