Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-12-2023 15:21

General

  • Target

    038876658f0a3d5c1fe4aa0eb01c44cd.exe

  • Size

    436KB

  • MD5

    038876658f0a3d5c1fe4aa0eb01c44cd

  • SHA1

    e5d3f9970a8f5b2ccf554e8ec57115376a44daac

  • SHA256

    e7a0498f63793a1462059c96f5a9c5d32c4edc02390aa2aeca7363293cfa09bc

  • SHA512

    39b01eee490e34dcf4f8397eb8526f070c2193bd208092d6969b203a48233b1afe0834ccf1d8ef47af04aba3e6b2258627e4f676bcebcebb64c5c1f7383e644b

  • SSDEEP

    6144:Y33QGwxkz6bJcnKpK7ZuVU6f+jgwU/I550ab1vjXQoR2izdVUiln9vqqqlgAqwFf:Y33Q9q2bG0VPS26Yiz0iF9PqlgG

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 40 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 18 IoCs
  • Drops file in Windows directory 13 IoCs
  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\038876658f0a3d5c1fe4aa0eb01c44cd.exe
    "C:\Users\Admin\AppData\Local\Temp\038876658f0a3d5c1fe4aa0eb01c44cd.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
      2⤵
      PID:2896
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
      2⤵
      PID:2696
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
      2⤵
      PID:2412
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
      2⤵
      PID:2732
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:2564
    • C:\Windows\SysWOW64\bffd.exe
      C:\Windows\system32\bffd.exe -i
      2⤵
      • Executes dropped EXE
      PID:1996
    • C:\Windows\SysWOW64\bffd.exe
      C:\Windows\system32\bffd.exe -s
      2⤵
      • Executes dropped EXE
      PID:756
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      PID:2604
  • C:\Windows\SysWOW64\bffd.exe
    C:\Windows\SysWOW64\bffd.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
      2⤵
      • Loads dropped DLL
      PID:1948

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

            Filesize

            135KB

            MD5

            686b324d345ce2b2aa3c770d8a56a936

            SHA1

            6f95561316bbc163f0b59ecbee85bcc2f6f04f98

            SHA256

            ed4661a26cf098740b2adabadf67ddadf7975c4bd64b031a2e60e5fb822b172d

            SHA512

            d49c24efe2d956683da073d267a21c7019326fb71f19ab1568275ee6892fd2ab12a3cfdb8002561e523b83c258389dcd7bfb8ea7f997be2cc6d150f78d2d442f

          • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

            Filesize

            221KB

            MD5

            2945132fdf029a6099b78845bc636484

            SHA1

            b960eb4d5f60edfe23501e45c8edb2c3a2d38b5c

            SHA256

            b27fd0e9c876510d4bd8b05c4d9deae821c7f937b2385ef730a8a3ccb158b440

            SHA512

            1f4a7fadeb37d3e909587b9f0f25306db111fba1c0e790fafd9d533c1032d0db3cbf3e25acb7de45ef57acc273254357f0f3635f50b01c9446b4475af964c2e5

          • C:\Windows\SysWOW64\841e.dll

            Filesize

            140KB

            MD5

            35a6ff84286ea97086c16ea65c818426

            SHA1

            67f94565e99c84803e7d2ff9f155645c8165a415

            SHA256

            9ea520a24da2288cb37f9016a7e862ab8bfda60a9c23bbfa593b9b62e8524e16

            SHA512

            a27f288e099021a0aac565efc24caeed458d797890647bde8f760e629f0abbcfe0afc862a6d6dcdffad5df45f6fc273bb43f90525460f465604c70676f00e092

          • C:\Windows\SysWOW64\bffd.exe

            Filesize

            64KB

            MD5

            894609201b99dc8368e9fa99aa1193e5

            SHA1

            72a7680d8ae5d07574cf7e8677511c5f9f8e680d

            SHA256

            20c4093f93ec14509a6472affdc2e6fc248a1f25c93b938123667ec63365987b

            SHA512

            f61b0d38f3ec8d39f27f47394c5db264ea6e63e5bd58fcdb9688e5b00e628b11daa30ca10560df1a3014b2d7e1d3e932785b771ea121d1a98f0315c446a4b090

          • \Windows\SysWOW64\841e.dll

            Filesize

            215KB

            MD5

            0479d4afdfbbde884e823fa6ade46b4d

            SHA1

            c7da29988f714d0400b08f64c370a8d9de4afdc5

            SHA256

            6266e62ba6e410e4acf355c4ea48a0f67ae5690a9c09a0bf634dc3c0716e51ab

            SHA512

            5dd50ea2cdc817877b2b842aa82fe41b72fa6002b23c324ca412474aa70813aa2fa1c9dd05cdbeb75f0b2b1811ab573c4b3c4e726b178bbf0b98a02fcaaa43bd

          • \Windows\SysWOW64\841e.dll

            Filesize

            84KB

            MD5

            124b3495b324f4adee96694b36441655

            SHA1

            ac65c5fab91008de7205912a8986bd1c11958f15

            SHA256

            30cdfd7e1120eb17df39a75ee64cf1084babab0ef18c3a6abe5fb63ddc5937c0

            SHA512

            afb548cdf72e0a43a668f35f4c4b8361509672f2663f1f811a4203d5d0c7497fafe7d6d2c25407180aa52989e3b962f949fa59b53bc0df9b6a670ee2268f6b8f

          • \Windows\SysWOW64\841e.dll

            Filesize

            176KB

            MD5

            995775c29986a51b8affd7c1ffeff9a4

            SHA1

            1010576ec1447cac137d5a258bfa18014ad83d04

            SHA256

            ef1178ce76fc4f59ecb197fa50b99a0d83b764847dc2f7e4a1de9140422993e0

            SHA512

            1afd60e44c56839f2fd84fd0f2cf41bd0d4c97d008254b2691c71f1da47c430bc587d2128728cb9d626ecdeebeffc235a496a367c10e91cca524e391f3698b6c

          • \Windows\SysWOW64\841e.dll

            Filesize

            181KB

            MD5

            bf8d9bf80c6fba80ea47cf8790ad198f

            SHA1

            54a18275c584a0e7d171df3da14d79af174b7b84

            SHA256

            675400b986f8ab6a7c9a8730295145c7d34447cd73e14d84f460214eb3089972

            SHA512

            5ae8e773a6f19da7b34af56084b3e8f40ebc81febe5f3420dedc01b9e8dbc4e8e592aa51016cd6ebd3488ecd4b5dcc3262540ab6eabf23227d28905d55160959

          • \Windows\SysWOW64\841e.dll

            Filesize

            96KB

            MD5

            565e96ad8b5567e62dd1fa5b77b8bf28

            SHA1

            8161e226fc0fa450238b453ca01be834a3de47c8

            SHA256

            b4fd690672b000046fe5cd14de6af14f60e4148c4b4622d50b98ec5e43a43289

            SHA512

            4223e667074b05101fcc246aed63f3d8335c9e8b600c3b73eef63dd9080d5858e2c272fbda1227ffd2e7725551aa0d7702a44404ca96fb6fe4c578b5fa1c5205

          • \Windows\SysWOW64\841e.dll

            Filesize

            178KB

            MD5

            6c294d63f218747059765a28d7dc4b8b

            SHA1

            0c8c3cde8f4435978a04b57573bef2d68cc0f6af

            SHA256

            c859f6869d94d1b60f65d282f53616a4025ec06390420f20ade8da7fd278a607

            SHA512

            a5ef242d646502382ff64474a3ba03d3c5cea24e13e0642eb9863cdb59af8246636af15c61219e9b732d58887f4a17098c973ed40824b8c85b0e252667fa3865

          • \Windows\SysWOW64\841e.dll

            Filesize

            99KB

            MD5

            8274b19823476d01c18d0bb0480e5c74

            SHA1

            f4438fd5690b5caca1fba9caddffabc0686d7316

            SHA256

            e8b55a1295fc52077f954c7573685f92519b8f6587648a712f10ac9548c74bfa

            SHA512

            3f188f2ea74ca6b01e3e5cc461a50049bccb080425277d3670f09978bf3decc089ed4ff10a63ba82c30f72d2782ae61843c31a22aa7b63f13b329af56ab27bbf

          • \Windows\SysWOW64\841e.dll

            Filesize

            108KB

            MD5

            cde8f439171be8108173040e64d40016

            SHA1

            0f09b8b178454c74a391958e94a2e2bf12bddc3b

            SHA256

            4f922f189dafa4927cd4efdae8b438e20c1ca5e2ec82ee627c4b608e10abe0cb

            SHA512

            47467bef87852ae78d9096dd7d2fc4bd05a55cdb4210b1a5fc3b7cd6e2365c7be985f6401c796b33606ebc11c1a0282a90ed071d6a0febc0744e62285b13955d

          • \Windows\SysWOW64\8b4o.dll

            Filesize

            103KB

            MD5

            b070163de45b7da89b5f378c9fc944fc

            SHA1

            e3320a62057671599737419eb498cf343856d767

            SHA256

            10f54000f0c6b9d5b8440cf699032a1e647fbdd88b61bb469bae2f4a81e709d6

            SHA512

            83e73eebc0af29bec15a4f12200f6b92234c142438d7565945606d10dc96d0383fbd8cbb1a9cde2f85607ee32bf616d8c16ded71e752e9bd8caa2c2e28d35f69
