Analysis
max time kernel: 153s
max time network: 180s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2022 22:12
Static task: static1
Behavioral task: behavioral1
  Sample: a368e3a61d29ac9632de94d2cba2af05e276abd1a1f40e6cb2dbaf031a5e1092.dll
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: a368e3a61d29ac9632de94d2cba2af05e276abd1a1f40e6cb2dbaf031a5e1092.dll
  Resource: win10v2004-20220901-en
General
Target: a368e3a61d29ac9632de94d2cba2af05e276abd1a1f40e6cb2dbaf031a5e1092.dll
Size: 476KB
MD5: 528e47674cc43c15d7bbbb75e5e34403
SHA1: 5b0a30fb58184f584ecf9decf315594e55f372cc
SHA256: a368e3a61d29ac9632de94d2cba2af05e276abd1a1f40e6cb2dbaf031a5e1092
SHA512: 1d9999d145e60e0d794c1a1bf8492b8965f9fa78ef684f2479207c6055e6e5300b29bc6ed6c718c30a43681b7288764b5087e8834dade6547c63aa1d609bdc06
SSDEEP: 12288:oIx3n4BiTNvjruygK2QR+cRxvcfMRjRTOi48:oIx3JNLrAK7X8fMxRTOi4
Malware Config
Signatures
-
Blocklisted process makes network request 7 IoCs
flow | pid | Process
7 | 1156 | rundll32.exe
9 | 1156 | rundll32.exe
10 | 1156 | rundll32.exe
11 | 1156 | rundll32.exe
12 | 1156 | rundll32.exe
13 | 1156 | rundll32.exe
14 | 1156 | rundll32.exe
-
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 341d.exe
-
Executes dropped EXE 4 IoCs
pid | Process
1540 | 341d.exe
784 | 341d.exe
880 | 341d.exe
956 | mtv.exe
-
Loads dropped DLL 29 IoCs
pid | Process
1384 | regsvr32.exe
1432 | rundll32.exe
1432 | rundll32.exe
1432 | rundll32.exe
1432 | rundll32.exe
880 | 341d.exe
1432 | rundll32.exe
1156 | rundll32.exe
1156 | rundll32.exe
1156 | rundll32.exe
1432 | rundll32.exe
1156 | rundll32.exe
812 | rundll32.exe
812 | rundll32.exe
812 | rundll32.exe
812 | rundll32.exe
880 | 341d.exe
880 | 341d.exe
880 | 341d.exe
880 | 341d.exe
880 | 341d.exe
880 | 341d.exe
880 | 341d.exe
880 | 341d.exe
880 | 341d.exe
880 | 341d.exe
880 | 341d.exe
880 | 341d.exe
880 | 341d.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/341e.dll,Always" | rundll32.exe
-
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\ | regsvr32.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | rundll32.exe
File opened for modification | \??\PhysicalDrive0 | 341d.exe
File opened for modification | \??\PhysicalDrive0 | rundll32.exe
-
Drops file in System32 directory 20 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\14rb.exe | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\b3fs.dll | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\144d.exe | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\b34o.dll | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\a1l8.dll | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\341e.dll | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\b34o.dlltmp | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\s.exe | mtv.exe
File opened for modification | C:\Windows\SysWOW64\34ua.exe | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\b4cb.dlltmp | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\4f3r.dll | rundll32.exe
File created | C:\Windows\SysWOW64\275719-62 | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\341d.exe | rundll32.exe
File created | C:\Windows\SysWOW64\058a | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\3bef.dll | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\a1l8.dlltmp | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\1ba4.dll | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\b4cb.dll | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\4f3r.dlltmp | rundll32.exe
-
Drops file in Windows directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\14ba.exe | rundll32.exe
File opened for modification | C:\Windows\a34b.flv | rundll32.exe
File opened for modification | C:\Windows\8f6.exe | rundll32.exe
File opened for modification | C:\Windows\a8fd.exe | rundll32.exe
File opened for modification | C:\Windows\ba8u.bmp | rundll32.exe
File created | C:\Windows\Tasks\ms.job | rundll32.exe
File opened for modification | C:\Windows\bf14.bmp | rundll32.exe
File opened for modification | C:\Windows\f6f.bmp | rundll32.exe
File opened for modification | C:\Windows\a8f.flv | rundll32.exe
File opened for modification | C:\Windows\6f1u.bmp | rundll32.exe
File opened for modification | C:\Windows\4bad.flv | rundll32.exe
File opened for modification | C:\Windows\ba8d.exe | rundll32.exe
File opened for modification | C:\Windows\ba8d.flv | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 47 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
880 | 341d.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
956 | mtv.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a368e3a61d29ac9632de94d2cba2af05e276abd1a1f40e6cb2dbaf031a5e1092.dll,#1
  PID: 1552
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a368e3a61d29ac9632de94d2cba2af05e276abd1a1f40e6cb2dbaf031a5e1092.dll,#1
    PID: 1432
    - Loads dropped DLL
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"
      PID: 948

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"
      PID: 1188

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"
      PID: 828

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b34o.dll"
      PID: 1116

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b34o.dll"
      PID: 1384
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class

    C:\Windows\SysWOW64\341d.exe
      Command line: C:\Windows\system32/341d.exe -i
      PID: 1540
      - Executes dropped EXE

    C:\Windows\SysWOW64\341d.exe
      Command line: C:\Windows\system32/341d.exe -s
      PID: 784
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
      PID: 956
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll, Always
      PID: 812
      - Loads dropped DLL

C:\Windows\SysWOW64\341d.exe
  Command line: C:\Windows\SysWOW64\341d.exe
  PID: 880
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll,Always
    PID: 1156
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v6
Downloads