a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a

Analysis

max time kernel
152s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
Size

492KB
MD5

3e03a6828eeeefd4c3ffb3f8cc863663
SHA1

9e6972a5c89121072a6f384ede65e25f454db48d
SHA256

a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a
SHA512

7161251697ea97f0a09010f7b101d2e7ad342db7d934c9aa673714b9c96bdf5344d41ed6bcf93b909d5d209b49a987b12533670f80ea45930d141289d3d34d5a
SSDEEP

12288:PfpgK3nBk1ZxWyPvj36tXm4zBjcyz9V7Sl2aLL6s6OO:P2K3Bk9WyDqXzBjcyV7oKOO

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

bffd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts bffd.exe
Executes dropped EXE 3 IoCs

Processes:

bffd.exebffd.exebffd.exe

pid process

4008 bffd.exe
4680 bffd.exe
3284 bffd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bffd.exe

pid	process
4008	bffd.exe
4680	bffd.exe
3284	bffd.exe

Loads dropped DLL 26 IoCs

Processes:

regsvr32.exebffd.exerundll32.exerundll32.exe

pid	process
2432	regsvr32.exe
3284	bffd.exe
1892	rundll32.exe
4384	rundll32.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe
3284	bffd.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exebffd.exerundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	\??\PhysicalDrive0	bffd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 18 IoCs

Processes:

a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\841e.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\bffd.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File created	C:\Windows\SysWOW64\-701059776	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dlltmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File created	C:\Windows\SysWOW64\085	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe

Drops file in Windows directory 13 IoCs

Processes:

a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe

description	ioc	process
File opened for modification	C:\Windows\a34b.flv	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\f6f.bmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\a8f.flv	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\6f1u.bmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\a8fd.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\4bad.flv	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\bf14.bmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\14ba.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File created	C:\Windows\Tasks\ms.job	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\8f6d.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\a8fd.flv	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\8f6.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\f6fu.bmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe

Modifies registry class 47 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bffd.exe

pid process

3284 bffd.exe
3284 bffd.exe

pid	process
3284	bffd.exe
3284	bffd.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exebffd.exe

description	pid	process	target process
PID 3376 wrote to memory of 2260	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 2260	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 2260	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 4340	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 4340	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 4340	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 4848	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 4848	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 4848	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 4860	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 4860	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 4860	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 2432	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 2432	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 2432	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 3376 wrote to memory of 4008	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 3376 wrote to memory of 4008	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 3376 wrote to memory of 4008	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 3376 wrote to memory of 4680	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 3376 wrote to memory of 4680	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 3376 wrote to memory of 4680	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 3376 wrote to memory of 1892	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	rundll32.exe
PID 3376 wrote to memory of 1892	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	rundll32.exe
PID 3376 wrote to memory of 1892	3376	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	rundll32.exe
PID 3284 wrote to memory of 4384	3284	bffd.exe	rundll32.exe
PID 3284 wrote to memory of 4384	3284	bffd.exe	rundll32.exe
PID 3284 wrote to memory of 4384	3284	bffd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
"C:\Users\Admin\AppData\Local\Temp\a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
2⤵
PID:2260

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
2⤵
PID:4340

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
2⤵
PID:4848

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
2⤵
PID:4860

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2432

C:\Windows\SysWOW64\bffd.exe
C:\Windows\system32\bffd.exe -i
2⤵
- Executes dropped EXE
PID:4008

C:\Windows\SysWOW64\bffd.exe
C:\Windows\system32\bffd.exe -s
2⤵
- Executes dropped EXE
PID:4680

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:1892

C:\Windows\SysWOW64\bffd.exe
C:\Windows\SysWOW64\bffd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
2⤵
- Loads dropped DLL
PID:4384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\841e.dll
Filesize
187KB

MD5
c61bf6cbeddece88d00b253afbed2d48

SHA1
b6193359e321447d7c662ae170df73eaa813aeac

SHA256
be5e5af5179f49386dba583f6096d9bc9b0378610a7536f14960f119775cb716

SHA512
aec6f90b263542fb6ced6696f61195d37420ba5fc6ece4bb0aa14f9d7438f92f36f45b385e98840d3835968de27ceb85cd30cbd548fbce51a5fd3b1eda894a0a

Download Submit
C:\Windows\SysWOW64\841e.dll
Filesize
187KB

MD5
c61bf6cbeddece88d00b253afbed2d48

SHA1
b6193359e321447d7c662ae170df73eaa813aeac

SHA256
be5e5af5179f49386dba583f6096d9bc9b0378610a7536f14960f119775cb716

SHA512
aec6f90b263542fb6ced6696f61195d37420ba5fc6ece4bb0aa14f9d7438f92f36f45b385e98840d3835968de27ceb85cd30cbd548fbce51a5fd3b1eda894a0a

Download Submit
C:\Windows\SysWOW64\841e.dll
Filesize
187KB

MD5
c61bf6cbeddece88d00b253afbed2d48

SHA1
b6193359e321447d7c662ae170df73eaa813aeac

SHA256
be5e5af5179f49386dba583f6096d9bc9b0378610a7536f14960f119775cb716

SHA512
aec6f90b263542fb6ced6696f61195d37420ba5fc6ece4bb0aa14f9d7438f92f36f45b385e98840d3835968de27ceb85cd30cbd548fbce51a5fd3b1eda894a0a

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
65KB

MD5
1420da4322ad02109c9f24e2706e1ae5

SHA1
57ff260400d20d3c4af8646b67616bba970181e0

SHA256
14024014dbc9c0cc383739fd2e333716be2dfde1274625850ebb441a4a478480

SHA512
540d504844a9c92150994266feed890c9b18e0b1d8e370af13f8afe715417dea8e3eb16183e87d405664947fbb212936d822d2e8a83bbe247a39678fc9fcafad

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
143KB

MD5
1095f95dc02c81bfcdb4ebfc34dc1baf

SHA1
bc878f1d3f2cc15a37c60e55e636709de88e09ed

SHA256
3436043d2ab9a753d882a5227406b6869ea0f09a9e6544cc27a64d2772099ac2

SHA512
20c967ce12fd13d932cb1abddfbd752fc0fde44daf1c1857abdf007bb0bcf509fd2e5f864c3d4c6010175de16a0977fcb7ea1804d4fbe3e8b794b2f710afd26c

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
143KB

MD5
1095f95dc02c81bfcdb4ebfc34dc1baf

SHA1
bc878f1d3f2cc15a37c60e55e636709de88e09ed

SHA256
3436043d2ab9a753d882a5227406b6869ea0f09a9e6544cc27a64d2772099ac2

SHA512
20c967ce12fd13d932cb1abddfbd752fc0fde44daf1c1857abdf007bb0bcf509fd2e5f864c3d4c6010175de16a0977fcb7ea1804d4fbe3e8b794b2f710afd26c

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
143KB

MD5
1095f95dc02c81bfcdb4ebfc34dc1baf

SHA1
bc878f1d3f2cc15a37c60e55e636709de88e09ed

SHA256
3436043d2ab9a753d882a5227406b6869ea0f09a9e6544cc27a64d2772099ac2

SHA512
20c967ce12fd13d932cb1abddfbd752fc0fde44daf1c1857abdf007bb0bcf509fd2e5f864c3d4c6010175de16a0977fcb7ea1804d4fbe3e8b794b2f710afd26c

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
143KB

MD5
1095f95dc02c81bfcdb4ebfc34dc1baf

SHA1
bc878f1d3f2cc15a37c60e55e636709de88e09ed

SHA256
3436043d2ab9a753d882a5227406b6869ea0f09a9e6544cc27a64d2772099ac2

SHA512
20c967ce12fd13d932cb1abddfbd752fc0fde44daf1c1857abdf007bb0bcf509fd2e5f864c3d4c6010175de16a0977fcb7ea1804d4fbe3e8b794b2f710afd26c

Download Submit
memory/1892-158-0x0000000010000000-0x00000000100B3000-memory.dmp

Filesize
716KB

Download
memory/1892-151-0x0000000000000000-mapping.dmp

Download
memory/1892-188-0x0000000010000000-0x00000000100B3000-memory.dmp

Filesize
716KB

Download
memory/2260-133-0x0000000000000000-mapping.dmp

Download
memory/2432-137-0x0000000000000000-mapping.dmp

Download
memory/3284-171-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-200-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-212-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-167-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-173-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-165-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-175-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-163-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-177-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-161-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-179-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-159-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-181-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-210-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-183-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-209-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-185-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-186-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3284-207-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-149-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3284-189-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-205-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-191-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-204-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-193-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-202-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-195-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-196-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-197-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-198-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-201-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3284-169-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3376-153-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3376-132-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4008-143-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4008-144-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4008-140-0x0000000000000000-mapping.dmp

Download
memory/4340-134-0x0000000000000000-mapping.dmp

Download
memory/4384-156-0x0000000000000000-mapping.dmp

Download
memory/4680-145-0x0000000000000000-mapping.dmp

Download
memory/4680-148-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4680-150-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4848-135-0x0000000000000000-mapping.dmp

Download
memory/4860-136-0x0000000000000000-mapping.dmp

Download