f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14

Analysis

max time kernel
188s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
Size

408KB
MD5

040bd33462681ad3ce089da8595aec23
SHA1

c2a63a19777d096f9fcd9bb6840af713ccec6ab6
SHA256

f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14
SHA512

3a80e49abb90ebac80a7c625eebf5ce4da14064b21bcbca6c9545af3a741caff2708f9e9f9db1e6631e67b0148239692a4d764422c2297f2358918d7919df3b8
SSDEEP

6144:1qvfKnho9Q6qrBWaN9z1Y85ptVHXv60CVfBj9OlJD85Wecro49tW2tjVjYlSC:1qvfKho2J1MMVtcfBAXDDRXVj

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

bffd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts bffd.exe
Executes dropped EXE 3 IoCs

Processes:

bffd.exebffd.exebffd.exe

pid process

32 bffd.exe
3504 bffd.exe
4272 bffd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bffd.exe

pid	process
32	bffd.exe
3504	bffd.exe
4272	bffd.exe

Loads dropped DLL 22 IoCs

Processes:

regsvr32.exebffd.exerundll32.exerundll32.exe

pid	process
3868	regsvr32.exe
4272	bffd.exe
3652	rundll32.exe
5116	rundll32.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe
4272	bffd.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "winhome"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exebffd.exerundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	\??\PhysicalDrive0	bffd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 18 IoCs

Processes:

f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\144d.exe	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File created	C:\Windows\SysWOW64\0a9	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\841e.dll	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\bffd.exe	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dlltmp	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File created	C:\Windows\SysWOW64\-9210467	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dll	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe

Drops file in Windows directory 13 IoCs

Processes:

f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe

description	ioc	process
File opened for modification	C:\Windows\6f1u.bmp	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\a8fd.exe	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\4bad.flv	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\a8fd.flv	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\bf14.bmp	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\14ba.exe	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\a34b.flv	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\f6f.bmp	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File created	C:\Windows\Tasks\ms.job	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\8f6.exe	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\a8f.flv	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\f6fu.bmp	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
File opened for modification	C:\Windows\8f6d.exe	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe

Modifies registry class 47 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bffd.exe

pid process

4272 bffd.exe
4272 bffd.exe

pid	process
4272	bffd.exe
4272	bffd.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exebffd.exe

description	pid	process	target process
PID 2348 wrote to memory of 4160	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 4160	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 4160	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 4288	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 4288	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 4288	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 1848	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 1848	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 1848	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 2712	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 2712	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 2712	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 3868	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 3868	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 3868	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	regsvr32.exe
PID 2348 wrote to memory of 32	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	bffd.exe
PID 2348 wrote to memory of 32	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	bffd.exe
PID 2348 wrote to memory of 32	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	bffd.exe
PID 2348 wrote to memory of 3504	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	bffd.exe
PID 2348 wrote to memory of 3504	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	bffd.exe
PID 2348 wrote to memory of 3504	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	bffd.exe
PID 2348 wrote to memory of 3652	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	rundll32.exe
PID 2348 wrote to memory of 3652	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	rundll32.exe
PID 2348 wrote to memory of 3652	2348	f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe	rundll32.exe
PID 4272 wrote to memory of 5116	4272	bffd.exe	rundll32.exe
PID 4272 wrote to memory of 5116	4272	bffd.exe	rundll32.exe
PID 4272 wrote to memory of 5116	4272	bffd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe
"C:\Users\Admin\AppData\Local\Temp\f23d97561f527b0716c7336612f8c0bbe8a2329190de80432d2c664ba63c0d14.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
2⤵
PID:4160

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
2⤵
PID:4288

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
2⤵
PID:1848

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
2⤵
PID:2712

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:3868

C:\Windows\SysWOW64\bffd.exe
C:\Windows\system32\bffd.exe -i
2⤵
- Executes dropped EXE
PID:32

C:\Windows\SysWOW64\bffd.exe
C:\Windows\system32\bffd.exe -s
2⤵
- Executes dropped EXE
PID:3504

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:3652

C:\Windows\SysWOW64\bffd.exe
C:\Windows\SysWOW64\bffd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
2⤵
- Loads dropped DLL
PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\841e.dll

Filesize
221KB

MD5
bd5b718b919b5412de08a8a41b1104be

SHA1
789b402ea0b359cdc8a343b7b0c6e6304a170ef7

SHA256
e1f07bcce239725a32f10e7598e0bb260c58919ee6e3fde584437554e27ab62d

SHA512
e64f68609b2768e7e5dd5203b68d6bed6007aa3758f0c20c5b3c4fa60c977a8b40fa02c5e8700fcd64f2861f101acd075348a3db7108dd524f236a8162f575ac

Download Submit
C:\Windows\SysWOW64\841e.dll

Filesize
221KB

MD5
bd5b718b919b5412de08a8a41b1104be

SHA1
789b402ea0b359cdc8a343b7b0c6e6304a170ef7

SHA256
e1f07bcce239725a32f10e7598e0bb260c58919ee6e3fde584437554e27ab62d

SHA512
e64f68609b2768e7e5dd5203b68d6bed6007aa3758f0c20c5b3c4fa60c977a8b40fa02c5e8700fcd64f2861f101acd075348a3db7108dd524f236a8162f575ac

Download Submit
C:\Windows\SysWOW64\841e.dll

Filesize
221KB

MD5
bd5b718b919b5412de08a8a41b1104be

SHA1
789b402ea0b359cdc8a343b7b0c6e6304a170ef7

SHA256
e1f07bcce239725a32f10e7598e0bb260c58919ee6e3fde584437554e27ab62d

SHA512
e64f68609b2768e7e5dd5203b68d6bed6007aa3758f0c20c5b3c4fa60c977a8b40fa02c5e8700fcd64f2861f101acd075348a3db7108dd524f236a8162f575ac

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
150KB

MD5
f6032399585b642a05f4858a2bccee39

SHA1
c0e4d707b7ace6c86f08b987e9815e525c0464ad

SHA256
c8e679222eb7932d619fc8cc1901336019d58a3891ef3b61a7135f817e75cf7e

SHA512
94a9ce3d5827b9261d6130e465df75796720ce2dd7cd77077a87f555040ecf62f16001313664c8c2316624e47d0a8ad2ba2f9c9218a329c24f5c05f3428d8d76

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
96KB

MD5
5990b489f7459bf4eef5c5e6ffa5e8f4

SHA1
313bd5b9ae73487b9bf139b87a1fd96cebceb891

SHA256
2adf675981114c183f5cae069f4b3b0f4e665d8a48a8ca9ebe4fa170456df533

SHA512
6ce37a3a7fec9e61e8769b120c0adb23620b8cade9a0fc0a78072bc7d3211909d41a77d2e7de3020e744c94888bb78edd55e05c8726ec3a1b35475642c5add09

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
96KB

MD5
5990b489f7459bf4eef5c5e6ffa5e8f4

SHA1
313bd5b9ae73487b9bf139b87a1fd96cebceb891

SHA256
2adf675981114c183f5cae069f4b3b0f4e665d8a48a8ca9ebe4fa170456df533

SHA512
6ce37a3a7fec9e61e8769b120c0adb23620b8cade9a0fc0a78072bc7d3211909d41a77d2e7de3020e744c94888bb78edd55e05c8726ec3a1b35475642c5add09

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
96KB

MD5
5990b489f7459bf4eef5c5e6ffa5e8f4

SHA1
313bd5b9ae73487b9bf139b87a1fd96cebceb891

SHA256
2adf675981114c183f5cae069f4b3b0f4e665d8a48a8ca9ebe4fa170456df533

SHA512
6ce37a3a7fec9e61e8769b120c0adb23620b8cade9a0fc0a78072bc7d3211909d41a77d2e7de3020e744c94888bb78edd55e05c8726ec3a1b35475642c5add09

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
96KB

MD5
5990b489f7459bf4eef5c5e6ffa5e8f4

SHA1
313bd5b9ae73487b9bf139b87a1fd96cebceb891

SHA256
2adf675981114c183f5cae069f4b3b0f4e665d8a48a8ca9ebe4fa170456df533

SHA512
6ce37a3a7fec9e61e8769b120c0adb23620b8cade9a0fc0a78072bc7d3211909d41a77d2e7de3020e744c94888bb78edd55e05c8726ec3a1b35475642c5add09

Download Submit
memory/32-139-0x0000000000000000-mapping.dmp

Download
memory/32-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/32-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1848-134-0x0000000000000000-mapping.dmp

Download
memory/2712-135-0x0000000000000000-mapping.dmp

Download
memory/3504-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3504-147-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3504-144-0x0000000000000000-mapping.dmp

Download
memory/3652-157-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/3652-180-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/3652-151-0x0000000000000000-mapping.dmp

Download
memory/3868-136-0x0000000000000000-mapping.dmp

Download
memory/4160-132-0x0000000000000000-mapping.dmp

Download
memory/4272-167-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-188-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-175-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-176-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4272-171-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-178-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-179-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-169-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-165-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-182-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-163-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-184-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-185-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-161-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-187-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-173-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-159-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-190-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-191-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-156-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-193-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-194-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-195-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-203-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-197-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-198-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-148-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4272-200-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4272-201-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4288-133-0x0000000000000000-mapping.dmp

Download
memory/5116-154-0x0000000000000000-mapping.dmp

Download