Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2023 15:21

Static task: static1
Behavioral task: behavioral1
  Sample: 038876658f0a3d5c1fe4aa0eb01c44cd.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 038876658f0a3d5c1fe4aa0eb01c44cd.exe
  Resource: win10v2004-20231215-en
General
Target: 038876658f0a3d5c1fe4aa0eb01c44cd.exe
Size: 436KB
MD5: 038876658f0a3d5c1fe4aa0eb01c44cd
SHA1: e5d3f9970a8f5b2ccf554e8ec57115376a44daac
SHA256: e7a0498f63793a1462059c96f5a9c5d32c4edc02390aa2aeca7363293cfa09bc
SHA512: 39b01eee490e34dcf4f8397eb8526f070c2193bd208092d6969b203a48233b1afe0834ccf1d8ef47af04aba3e6b2258627e4f676bcebcebb64c5c1f7383e644b
SSDEEP: 6144:Y33QGwxkz6bJcnKpK7ZuVU6f+jgwU/I550ab1vjXQoR2izdVUiln9vqqqlgAqwFf:Y33Q9q2bG0VPS26Yiz0iF9PqlgG
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | bffd.exe
Executes dropped EXE (3 IoCs)
pid | Process
1996 | bffd.exe
756 | bffd.exe
524 | bffd.exe
Loads dropped DLL (40 IoCs, grouped by process)
pid | Process | occurrences
2564 | regsvr32.exe | 1
2124 | 038876658f0a3d5c1fe4aa0eb01c44cd.exe | 4
2604 | rundll32.exe | 4
1948 | rundll32.exe | 4
524 | bffd.exe | 27
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "winhome" | regsvr32.exe
Writes to the Master Boot Record (MBR) (1 TTP, 3 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | bffd.exe
File opened for modification | \??\PhysicalDrive0 | rundll32.exe
File opened for modification | \??\PhysicalDrive0 | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
Drops file in System32 directory (18 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\4f3r.dlltmp | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\1ba4.dll | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\b3fs.dll | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\144d.exe | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\8b4o.dll | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\bffd.exe | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\a1l8.dll | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\a1l8.dlltmp | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\4f3r.dll | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\8b4o.dlltmp | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File created | C:\Windows\SysWOW64\-124-69-124116 | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\3bef.dll | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\b4cb.dll | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\34ua.exe | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\b4cb.dlltmp | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\SysWOW64\841e.dll | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File created | C:\Windows\SysWOW64\1bd16a | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\14rb.exe | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
Drops file in Windows directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\bf14.bmp | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\14ba.exe | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\8f6.exe | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\f6fu.bmp | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File created | C:\Windows\Tasks\ms.job | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\a34b.flv | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\6f1u.bmp | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\a8fd.exe | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\4bad.flv | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\f6f.bmp | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\a8f.flv | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\8f6d.exe | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
File opened for modification | C:\Windows\a8fd.flv | 038876658f0a3d5c1fe4aa0eb01c44cd.exe
Modifies registry class (47 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\ = "BHO 1.0 Type Library" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS\ = "0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\AppID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID\ = "BHO.FunPlayer" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
524 | bffd.exe
Suspicious use of WriteProcessMemory (57 IoCs, grouped by source and target)
description | pid | Process | procid_target | occurrences
PID 2124 wrote to memory of 2896 | 2124 | 038876658f0a3d5c1fe4aa0eb01c44cd.exe | 21 | 7
PID 2124 wrote to memory of 2696 | 2124 | 038876658f0a3d5c1fe4aa0eb01c44cd.exe | 29 | 7
PID 2124 wrote to memory of 2412 | 2124 | 038876658f0a3d5c1fe4aa0eb01c44cd.exe | 30 | 7
PID 2124 wrote to memory of 2732 | 2124 | 038876658f0a3d5c1fe4aa0eb01c44cd.exe | 31 | 7
PID 2124 wrote to memory of 2564 | 2124 | 038876658f0a3d5c1fe4aa0eb01c44cd.exe | 32 | 7
PID 2124 wrote to memory of 1996 | 2124 | 038876658f0a3d5c1fe4aa0eb01c44cd.exe | 33 | 4
PID 2124 wrote to memory of 756 | 2124 | 038876658f0a3d5c1fe4aa0eb01c44cd.exe | 37 | 4
PID 2124 wrote to memory of 2604 | 2124 | 038876658f0a3d5c1fe4aa0eb01c44cd.exe | 38 | 7
PID 524 wrote to memory of 1948 | 524 | bffd.exe | 39 | 7
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\038876658f0a3d5c1fe4aa0eb01c44cd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\038876658f0a3d5c1fe4aa0eb01c44cd.exe"
  PID: 2124
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
      PID: 2896

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
      PID: 2696

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
      PID: 2412

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
      PID: 2732

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
      PID: 2564
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class

    C:\Windows\SysWOW64\bffd.exe
      Command line: C:\Windows\system32\bffd.exe -i
      PID: 1996
      - Executes dropped EXE

    C:\Windows\SysWOW64\bffd.exe
      Command line: C:\Windows\system32\bffd.exe -s
      PID: 756
      - Executes dropped EXE

    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
      PID: 2604
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Drops file in System32 directory

C:\Windows\SysWOW64\bffd.exe
  Command line: C:\Windows\SysWOW64\bffd.exe
  PID: 524
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
      PID: 1948
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads