e054ac1dbbb3fae2c2e4ef8b36886961682233de904826a4786ca4ef75fc1c80

Analysis

max time kernel
205s
max time network
235s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c43e03a681314cccd242c4264c35213.dll
Size

385KB
MD5

1c43e03a681314cccd242c4264c35213
SHA1

a3985f09eae6e908f3bc504d8330b741f96ea42d
SHA256

e054ac1dbbb3fae2c2e4ef8b36886961682233de904826a4786ca4ef75fc1c80
SHA512

02651cc78465111bdf65da9e8c88156e1306959b996ffd78ea28b1f55b871d1ffe6a03b4c32adefb1f21d06f48604734b9c70425fef4f9324b8bbbf2a4367ca2
SSDEEP

12288:5rgz0CvwCzs8pEB0uConlkFstWYgF2uya9q0u:5rgzzzs8pEI5JH2ta0

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	341d.exe

Executes dropped EXE 4 IoCs

pid	Process
1196	341d.exe
2432	341d.exe
1292	341d.exe
1368	mtv.exe

Loads dropped DLL 22 IoCs

pid	Process
2732	regsvr32.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
1292	341d.exe
2716	rundll32.exe
740	rundll32.exe
740	rundll32.exe
740	rundll32.exe
740	rundll32.exe
1292	341d.exe
2100	rundll32.exe
2100	rundll32.exe
2100	rundll32.exe
2100	rundll32.exe
1292	341d.exe
1292	341d.exe
1292	341d.exe
1292	341d.exe
1292	341d.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{676C542B-BC87-47cf-9EEB-1332C04731F6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{676C542B-BC87-47cf-9EEB-1332C04731F6}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	341d.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	rundll32.exe
File created	C:\Windows\SysWOW64\30-1243542	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\341e.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\341d.exe	rundll32.exe
File created	C:\Windows\SysWOW64\06d6	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bf14.bmp	rundll32.exe
File opened for modification	C:\Windows\8f6.exe	rundll32.exe
File opened for modification	C:\Windows\a8f.flv	rundll32.exe
File opened for modification	C:\Windows\a8fd.exe	rundll32.exe
File created	C:\Windows\Tasks\ms.job	rundll32.exe
File opened for modification	C:\Windows\f6f.bmp	rundll32.exe
File opened for modification	C:\Windows\4bad.flv	rundll32.exe
File opened for modification	C:\Windows\ba8u.bmp	rundll32.exe
File opened for modification	C:\Windows\14ba.exe	rundll32.exe
File opened for modification	C:\Windows\a34b.flv	rundll32.exe
File opened for modification	C:\Windows\6f1u.bmp	rundll32.exe
File opened for modification	C:\Windows\ba8d.exe	rundll32.exe
File opened for modification	C:\Windows\ba8d.flv	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B9537DF-279F-4D6A-8F0C-DE66127E9642}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B9537DF-279F-4D6A-8F0C-DE66127E9642}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B9537DF-279F-4D6A-8F0C-DE66127E9642}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}\ = "IFffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B9537DF-279F-4D6A-8F0C-DE66127E9642}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B9537DF-279F-4D6A-8F0C-DE66127E9642}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B9537DF-279F-4D6A-8F0C-DE66127E9642}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B9537DF-279F-4D6A-8F0C-DE66127E9642}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}\TypeLib\ = "{0B9537DF-279F-4D6A-8F0C-DE66127E9642}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{676C542B-BC87-47cf-9EEB-1332C04731F6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}\InprocServer32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}\TypeLib\ = "{0B9537DF-279F-4D6A-8F0C-DE66127E9642}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B9537DF-279F-4D6A-8F0C-DE66127E9642}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}\TypeLib\ = "{0B9537DF-279F-4D6A-8F0C-DE66127E9642}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B9537DF-279F-4D6A-8F0C-DE66127E9642}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{676C542B-BC87-47cf-9EEB-1332C04731F6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{676C542B-BC87-47cf-9EEB-1332C04731F6}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B9537DF-279F-4D6A-8F0C-DE66127E9642}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34DBC734-EAC0-401F-98A6-A8D8D715F278}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1292	341d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1368	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2716	2736	rundll32.exe	29
PID 2736 wrote to memory of 2716	2736	rundll32.exe	29
PID 2736 wrote to memory of 2716	2736	rundll32.exe	29
PID 2736 wrote to memory of 2716	2736	rundll32.exe	29
PID 2736 wrote to memory of 2716	2736	rundll32.exe	29
PID 2736 wrote to memory of 2716	2736	rundll32.exe	29
PID 2736 wrote to memory of 2716	2736	rundll32.exe	29
PID 2716 wrote to memory of 564	2716	rundll32.exe	30
PID 2716 wrote to memory of 564	2716	rundll32.exe	30
PID 2716 wrote to memory of 564	2716	rundll32.exe	30
PID 2716 wrote to memory of 564	2716	rundll32.exe	30
PID 2716 wrote to memory of 564	2716	rundll32.exe	30
PID 2716 wrote to memory of 564	2716	rundll32.exe	30
PID 2716 wrote to memory of 564	2716	rundll32.exe	30
PID 2716 wrote to memory of 1416	2716	rundll32.exe	31
PID 2716 wrote to memory of 1416	2716	rundll32.exe	31
PID 2716 wrote to memory of 1416	2716	rundll32.exe	31
PID 2716 wrote to memory of 1416	2716	rundll32.exe	31
PID 2716 wrote to memory of 1416	2716	rundll32.exe	31
PID 2716 wrote to memory of 1416	2716	rundll32.exe	31
PID 2716 wrote to memory of 1416	2716	rundll32.exe	31
PID 2716 wrote to memory of 1436	2716	rundll32.exe	32
PID 2716 wrote to memory of 1436	2716	rundll32.exe	32
PID 2716 wrote to memory of 1436	2716	rundll32.exe	32
PID 2716 wrote to memory of 1436	2716	rundll32.exe	32
PID 2716 wrote to memory of 1436	2716	rundll32.exe	32
PID 2716 wrote to memory of 1436	2716	rundll32.exe	32
PID 2716 wrote to memory of 1436	2716	rundll32.exe	32
PID 2716 wrote to memory of 1400	2716	rundll32.exe	33
PID 2716 wrote to memory of 1400	2716	rundll32.exe	33
PID 2716 wrote to memory of 1400	2716	rundll32.exe	33
PID 2716 wrote to memory of 1400	2716	rundll32.exe	33
PID 2716 wrote to memory of 1400	2716	rundll32.exe	33
PID 2716 wrote to memory of 1400	2716	rundll32.exe	33
PID 2716 wrote to memory of 1400	2716	rundll32.exe	33
PID 2716 wrote to memory of 2732	2716	rundll32.exe	34
PID 2716 wrote to memory of 2732	2716	rundll32.exe	34
PID 2716 wrote to memory of 2732	2716	rundll32.exe	34
PID 2716 wrote to memory of 2732	2716	rundll32.exe	34
PID 2716 wrote to memory of 2732	2716	rundll32.exe	34
PID 2716 wrote to memory of 2732	2716	rundll32.exe	34
PID 2716 wrote to memory of 2732	2716	rundll32.exe	34
PID 2716 wrote to memory of 1196	2716	rundll32.exe	35
PID 2716 wrote to memory of 1196	2716	rundll32.exe	35
PID 2716 wrote to memory of 1196	2716	rundll32.exe	35
PID 2716 wrote to memory of 1196	2716	rundll32.exe	35
PID 2716 wrote to memory of 2432	2716	rundll32.exe	37
PID 2716 wrote to memory of 2432	2716	rundll32.exe	37
PID 2716 wrote to memory of 2432	2716	rundll32.exe	37
PID 2716 wrote to memory of 2432	2716	rundll32.exe	37
PID 2716 wrote to memory of 1368	2716	rundll32.exe	40
PID 2716 wrote to memory of 1368	2716	rundll32.exe	40
PID 2716 wrote to memory of 1368	2716	rundll32.exe	40
PID 2716 wrote to memory of 1368	2716	rundll32.exe	40
PID 1292 wrote to memory of 740	1292	341d.exe	41
PID 1292 wrote to memory of 740	1292	341d.exe	41
PID 1292 wrote to memory of 740	1292	341d.exe	41
PID 1292 wrote to memory of 740	1292	341d.exe	41
PID 1292 wrote to memory of 740	1292	341d.exe	41
PID 1292 wrote to memory of 740	1292	341d.exe	41
PID 1292 wrote to memory of 740	1292	341d.exe	41
PID 2716 wrote to memory of 2100	2716	rundll32.exe	42
PID 2716 wrote to memory of 2100	2716	rundll32.exe	42
PID 2716 wrote to memory of 2100	2716	rundll32.exe	42

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c43e03a681314cccd242c4264c35213.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c43e03a681314cccd242c4264c35213.dll,#1
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"
    3⤵
    PID:564
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b34o.dll"
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b34o.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2732
- - C:\Windows\SysWOW64\341d.exe
    C:\Windows\system32/341d.exe -i
    3⤵
    - Executes dropped EXE
    PID:1196
- - C:\Windows\SysWOW64\341d.exe
    C:\Windows\system32/341d.exe -s
    3⤵
    - Executes dropped EXE
    PID:2432
- - C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1368
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll, Always
    3⤵
    - Loads dropped DLL
    PID:2100

C:\Windows\SysWOW64\341d.exe
C:\Windows\SysWOW64\341d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
147KB

MD5
f9250a0b986d2cb1f19dc79a5e3dc247

SHA1
585eeac48bc4e32c89460db55ab0f86373778e6a

SHA256
b104577d9ab5e8e7f3d12b05342f7a6b772471280898080437ef5e0c97e13a8b

SHA512
1655ae871e903abfaa7cd5997f6c9d35825ae3ae6389f0e92096c36882f5a617e4865f800e4088066313630f8269d9df67ad923d8c81ad2b9343b08222c9b06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
413KB

MD5
1c43d91419b507e7d18f20e4983202a8

SHA1
2c4622aed07895dbc1434608468b99a860499308

SHA256
eb35aef5cab06fe9c89dca28b3a289fe9170dd9365b647681d682c3100ce56eb

SHA512
00e8a80418eb2b1f8dffb2ec058ad0c83b100e8e4a9461a0e5c2d45f4de9e344c1bc4cd145226b4e9ba52a734f173b96c5bda27745e1afbaf7c944c9b7d5d1d2

Download Submit
C:\Windows\SysWOW64\341d.exe

Filesize
19KB

MD5
c4e8649260ac5f2ee1c5e9595903ce32

SHA1
d558fbd28db7c2eaa81541e8232db1342fce96ed

SHA256
bce755b1bbc1559bc71fe0a1f5029472bc11188370c5b7c470c58dd3eaab33e2

SHA512
ac647c89bfc5a6bffe06cb9b294006e19e3e6f11f3a4069e23dc4c198599ee1b95fae81266f29b016897236d005b693d705108ac20924719ad01d930feacb1d8

Download Submit
C:\Windows\Temp\tmp.exe

Filesize
152KB

MD5
f2a36fd5ee40aaa7c8c89f2705e157e0

SHA1
9a67d2ac803bc0a82a55aff0d8201e151ca91377

SHA256
1b3cbb734ffe7ec05fb3e8e46d8b946a0a70517488f71c35a9b309a97211b139

SHA512
644e054915c48a8f99eac3fd3c71253e4521e7a707a3a079aa60f030abcc9947c6b1593959c7d1d5f7be50d73415e3f7ad0d758baee87ce501b4625c2d008182

Download Submit
\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
136KB

MD5
e9ff4b4f11b493df6157d6f797ed6cc2

SHA1
a45e7285f004b90292f7f9e1901e941f49abf05b

SHA256
5ff68b72d7fb719e83a35787ad284a7996d75d6ea2ba9029f5a1f0874d21a450

SHA512
a767fcd44fa3c859a7fd002a95b27609c1b8ed1d659b39396a696c4d19773ca94eb2a77d037f1e0f15c0e49f7a487d96fb0190736077eadd77b90a3ad207c34c

Download Submit
\Windows\SysWOW64\341d.exe

Filesize
128KB

MD5
814685ec680ed6b0734834aff78290a8

SHA1
ccf56eab9da1fc0dc444c8536b73d8e0418b7337

SHA256
6380a0a6c947ab6b0d044da44f3c2a804fe1618c1bd8c1cbe94dd2ad6a307c82

SHA512
a6c64396af3b5f0551ae41b172423bca37ef3a52d87c894c2d010c060daa4b6f7b6a5a71d07b86c3f99c13633b1d0da91f3e56172b0d605cc546ede0a14ef793

Download Submit
\Windows\SysWOW64\341d.exe

Filesize
42KB

MD5
8849fecbe170125dfbc1e629c24839c9

SHA1
0407d06b3d49678f924a8e201e764e2b15c766cc

SHA256
900607bbce2476322e2dc3bea762b70a0676f61356fd9d264e4acaeb7a4b7c8a

SHA512
55e4e8b9e32800cf41e3edacaf5b86293edaa3d5a6c01b4a17e8b2bcf0aff4c03b0dd68e3421b8f2a506fb5007013757106a2467a1307b79c2d61c9f1d09b709

Download Submit
memory/1292-91-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1292-147-0x0000000000F60000-0x0000000000F62000-memory.dmp

Filesize
8KB

Download
memory/1292-153-0x0000000000F80000-0x0000000000F82000-memory.dmp

Filesize
8KB

Download
memory/1292-152-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1292-150-0x0000000000F70000-0x0000000000F72000-memory.dmp

Filesize
8KB

Download
memory/1292-149-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1292-146-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1292-143-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1292-92-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/1292-107-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1292-109-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/1292-144-0x0000000000E10000-0x0000000000E12000-memory.dmp

Filesize
8KB

Download
memory/1292-140-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1292-141-0x0000000000E00000-0x0000000000E02000-memory.dmp

Filesize
8KB

Download
memory/2716-2-0x0000000010000000-0x0000000010079000-memory.dmp

Filesize
484KB

Download
memory/2716-1-0x0000000010000000-0x0000000010079000-memory.dmp

Filesize
484KB

Download
memory/2716-0-0x0000000010000000-0x0000000010079000-memory.dmp

Filesize
484KB

Download
memory/2716-53-0x0000000010000000-0x0000000010079000-memory.dmp

Filesize
484KB

Download
memory/2716-3-0x0000000010000000-0x0000000010079000-memory.dmp

Filesize
484KB

Download
memory/2716-4-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2716-7-0x0000000010000000-0x0000000010079000-memory.dmp

Filesize
484KB

Download
memory/2732-63-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download