dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5

Analysis

max time kernel
153s
max time network
77s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
Size

444KB
MD5

d7084520b7f22772ecc0f67883cffe45
SHA1

52a5c68cda267ace9951431e5b85ef6e2a7e5574
SHA256

dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5
SHA512

a4c209870a11dd3312928765dbfc683587632ca2062f7b58fcb651ba4013d72f38f0c15cb924bb15fef7a3e22fc97769ec2ccd9ca0d25373cc670c9e47608b19
SSDEEP

12288:lu1mcjCfQ/Rz/xbTj7poqeLjz9+f8ldbyd8bN20rvtsRgc:81mbfgV/xPj7poqeLX98obyd8bc07twr

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	1080	rundll32.exe
9	1080	rundll32.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bf14a.exe

Executes dropped EXE 3 IoCs

pid	Process
2012	bf14a.exe
1120	bf14a.exe
1812	bf14a.exe

Loads dropped DLL 28 IoCs

pid	Process
1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
2012	bf14a.exe
2012	bf14a.exe
2012	bf14a.exe
1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
1120	bf14a.exe
1120	bf14a.exe
1120	bf14a.exe
812	regsvr32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1812	bf14a.exe
1812	bf14a.exe
1812	bf14a.exe
1812	bf14a.exe
1812	bf14a.exe
1812	bf14a.exe
1812	bf14a.exe
1812	bf14a.exe
1812	bf14a.exe
1812	bf14a.exe
1812	bf14a.exe
1812	bf14a.exe
1812	bf14a.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	\??\PhysicalDrive0	bf14a.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\4bfa.dlltmp	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\SysWOW64\dfhry	bf14a.exe
File opened for modification	C:\Windows\SysWOW64\6f11.dll	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\SysWOW64\f1971.exe	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\SysWOW64\6f11.dlltmp	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\SysWOW64\wertt	bf14a.exe
File opened for modification	C:\Windows\SysWOW64\rerwet	bf14a.exe
File created	C:\Windows\SysWOW64\106-645-97	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\197c1.dll	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\SysWOW64\34a.dll	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\SysWOW64\fghjs	bf14a.exe
File opened for modification	C:\Windows\SysWOW64\dfhw	bf14a.exe
File opened for modification	C:\Windows\SysWOW64\4bfa.dll	bf14a.exe
File created	C:\Windows\SysWOW64\08b	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\f61.dll	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\SysWOW64\bf14a.exe	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\SysWOW64\df45	bf14a.exe
File opened for modification	C:\Windows\SysWOW64\	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\SysWOW64\4bfa.dll	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\SysWOW64\f14ba.dll	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\63fd1.txt	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\3fd941.rm	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\8f6a.exe	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\191.bmp	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\9631.exe	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\a8a.bmp	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\f6f1a.txt	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
File opened for modification	C:\Windows\6f197a.rm	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}\VersionIndependentProgID\ = "IEHpr.Invoke"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CED986-4E7C-45DE-AD4C-CF04018D1677}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID\ = "{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}\ = "IInvoke"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CED986-4E7C-45DE-AD4C-CF04018D1677}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CED986-4E7C-45DE-AD4C-CF04018D1677}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CED986-4E7C-45DE-AD4C-CF04018D1677}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}\ = "IInvoke"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\ = "Invoke Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}\InprocServer32\ = "C:\\Windows\\SysWow64\\4bfa.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}\TypeLib\ = "{E9CED986-4E7C-45de-AD4C-CF04018D1677}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CED986-4E7C-45DE-AD4C-CF04018D1677}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}\TypeLib\ = "{E9CED986-4E7C-45DE-AD4C-CF04018D1677}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}\TypeLib\ = "{E9CED986-4E7C-45DE-AD4C-CF04018D1677}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CurVer\ = "IEHpr.Invoke.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CED986-4E7C-45DE-AD4C-CF04018D1677}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\4bfa.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CED986-4E7C-45DE-AD4C-CF04018D1677}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}\ = "Invoke Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CED986-4E7C-45DE-AD4C-CF04018D1677}\1.0\ = "Flash ocx 2.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CED986-4E7C-45DE-AD4C-CF04018D1677}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CLSID\ = "{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CCE8DD5-ECED-4c90-ADB4-C19A50F50D48}\ProgID\ = "IEHpr.Invoke.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9CED986-4E7C-45DE-AD4C-CF04018D1677}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{059485BC-C1F5-4483-B91C-9F933B8B9B98}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1\ = "Invoke Class"	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1488	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	27
PID 1368 wrote to memory of 1488	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	27
PID 1368 wrote to memory of 1488	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	27
PID 1368 wrote to memory of 1488	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	27
PID 1368 wrote to memory of 1488	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	27
PID 1368 wrote to memory of 1488	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	27
PID 1368 wrote to memory of 1488	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	27
PID 1368 wrote to memory of 1992	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	28
PID 1368 wrote to memory of 1992	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	28
PID 1368 wrote to memory of 1992	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	28
PID 1368 wrote to memory of 1992	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	28
PID 1368 wrote to memory of 1992	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	28
PID 1368 wrote to memory of 1992	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	28
PID 1368 wrote to memory of 1992	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	28
PID 1368 wrote to memory of 2012	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	29
PID 1368 wrote to memory of 2012	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	29
PID 1368 wrote to memory of 2012	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	29
PID 1368 wrote to memory of 2012	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	29
PID 1368 wrote to memory of 2012	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	29
PID 1368 wrote to memory of 2012	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	29
PID 1368 wrote to memory of 2012	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	29
PID 1368 wrote to memory of 1120	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	31
PID 1368 wrote to memory of 1120	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	31
PID 1368 wrote to memory of 1120	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	31
PID 1368 wrote to memory of 1120	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	31
PID 1368 wrote to memory of 1120	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	31
PID 1368 wrote to memory of 1120	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	31
PID 1368 wrote to memory of 1120	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	31
PID 1812 wrote to memory of 812	1812	bf14a.exe	34
PID 1812 wrote to memory of 812	1812	bf14a.exe	34
PID 1812 wrote to memory of 812	1812	bf14a.exe	34
PID 1812 wrote to memory of 812	1812	bf14a.exe	34
PID 1812 wrote to memory of 812	1812	bf14a.exe	34
PID 1812 wrote to memory of 812	1812	bf14a.exe	34
PID 1812 wrote to memory of 812	1812	bf14a.exe	34
PID 1368 wrote to memory of 1080	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	35
PID 1368 wrote to memory of 1080	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	35
PID 1368 wrote to memory of 1080	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	35
PID 1368 wrote to memory of 1080	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	35
PID 1368 wrote to memory of 1080	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	35
PID 1368 wrote to memory of 1080	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	35
PID 1368 wrote to memory of 1080	1368	dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe	35

C:\Users\Admin\AppData\Local\Temp\dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe
"C:\Users\Admin\AppData\Local\Temp\dff0d2f66e14a867f7c97652e86dd5bc02f72b2171db5fd819b768f276127fa5.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\6f11.dll"
  2⤵
  PID:1488
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4bfa.dll"
  2⤵
  PID:1992
- C:\Windows\SysWOW64\bf14a.exe
  C:\Windows\system32\bf14a.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2012
- C:\Windows\SysWOW64\bf14a.exe
  C:\Windows\system32\bf14a.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1120
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\34a.dll,Always
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:1080

C:\Windows\SysWOW64\bf14a.exe
C:\Windows\SysWOW64\bf14a.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\4bfa.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\8f6a.exe

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
C:\Windows\SysWOW64\34a.dll

Filesize
844KB

MD5
27c0b312f7f749916b230275415c6f34

SHA1
2c4c4953a47e983f83e903d282b9d420d3ecb1da

SHA256
c0627acd5ad54eca180944d4ce99e54bf01b34cd0066dd99b26489f96b20d5cd

SHA512
515fe32a555ae4817f1277b7a5c03f260ccf9305eb861f470bd309eb060cdcf71fa072d41827c86e6e0c191ed479c73ac41dd677ce51b1cdea283a20afefb186

Download Submit
C:\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
C:\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
C:\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
C:\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
C:\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
C:\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
\Windows\SysWOW64\34a.dll

Filesize
844KB

MD5
27c0b312f7f749916b230275415c6f34

SHA1
2c4c4953a47e983f83e903d282b9d420d3ecb1da

SHA256
c0627acd5ad54eca180944d4ce99e54bf01b34cd0066dd99b26489f96b20d5cd

SHA512
515fe32a555ae4817f1277b7a5c03f260ccf9305eb861f470bd309eb060cdcf71fa072d41827c86e6e0c191ed479c73ac41dd677ce51b1cdea283a20afefb186

Download Submit
\Windows\SysWOW64\34a.dll

Filesize
844KB

MD5
27c0b312f7f749916b230275415c6f34

SHA1
2c4c4953a47e983f83e903d282b9d420d3ecb1da

SHA256
c0627acd5ad54eca180944d4ce99e54bf01b34cd0066dd99b26489f96b20d5cd

SHA512
515fe32a555ae4817f1277b7a5c03f260ccf9305eb861f470bd309eb060cdcf71fa072d41827c86e6e0c191ed479c73ac41dd677ce51b1cdea283a20afefb186

Download Submit
\Windows\SysWOW64\34a.dll

Filesize
844KB

MD5
27c0b312f7f749916b230275415c6f34

SHA1
2c4c4953a47e983f83e903d282b9d420d3ecb1da

SHA256
c0627acd5ad54eca180944d4ce99e54bf01b34cd0066dd99b26489f96b20d5cd

SHA512
515fe32a555ae4817f1277b7a5c03f260ccf9305eb861f470bd309eb060cdcf71fa072d41827c86e6e0c191ed479c73ac41dd677ce51b1cdea283a20afefb186

Download Submit
\Windows\SysWOW64\34a.dll

Filesize
844KB

MD5
27c0b312f7f749916b230275415c6f34

SHA1
2c4c4953a47e983f83e903d282b9d420d3ecb1da

SHA256
c0627acd5ad54eca180944d4ce99e54bf01b34cd0066dd99b26489f96b20d5cd

SHA512
515fe32a555ae4817f1277b7a5c03f260ccf9305eb861f470bd309eb060cdcf71fa072d41827c86e6e0c191ed479c73ac41dd677ce51b1cdea283a20afefb186

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\4bfa.dll

Filesize
52KB

MD5
f187e0d2f96ffb8e8e8fd3a31d237e58

SHA1
de8abf844060840e58a426d0c3cfab39b6915d90

SHA256
860a03c78eb08eb79eb527f974dd74c792ba83e276bc3fba65fb8c19e2120450

SHA512
20bbd15ed8d52aad7be0da3ad8222617604e3f379dd29ee97472543fa9b600a3e82a9ecb925a9b1d2b4ebd645a3eb182b90f1c3fb6efd8886bf19ce426426823

Download Submit
\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
\Windows\SysWOW64\bf14a.exe

Filesize
108KB

MD5
13058312d7aafccb09e3a6c3008a37a9

SHA1
0532cf41b58752160ff59d96ee7b3e9926630f33

SHA256
bcaa732b79e1270564b6a5e592c438dc3f2152a774f66d13e8b2f370cddb988d

SHA512
cfaba2a7dfccdd5cbd87c416a6c65b66f6328be49beb789f5453985ea36c75b99a707e3a4c5479d3b99abcecd43abaeabe8f58a290f64432deccb17bb4600ae0

Download Submit
memory/1368-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download