e1a5b2392f673f9d652727956690a6f135f5c2d129729a23729bda78f18e32d0

Analysis

max time kernel
147s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48fad24a6419341ce64b063be81e402a.exe
Size

484KB
MD5

48fad24a6419341ce64b063be81e402a
SHA1

aaab00c61a68acaea1f687d3291df88db3092754
SHA256

e1a5b2392f673f9d652727956690a6f135f5c2d129729a23729bda78f18e32d0
SHA512

680d13e3cb49bb3a5712f5f9dff27b9800bdff1287eac9219e5f97061cb99465ff0518c17d268ff31560e089e56525a56c43537d8c06b91738fb343a51e0cd40
SSDEEP

12288:SLdIQpe9G51q7UeRtFB/4zRbqQeg1GNGNrUr8Jyn:SB/sG6waFBARl1mjr8wn

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bffd.exe

Executes dropped EXE 3 IoCs

pid	Process
2600	bffd.exe
2448	bffd.exe
2972	bffd.exe

Loads dropped DLL 42 IoCs

pid	Process
2720	regsvr32.exe
2928	48fad24a6419341ce64b063be81e402a.exe
2928	48fad24a6419341ce64b063be81e402a.exe
2928	48fad24a6419341ce64b063be81e402a.exe
2928	48fad24a6419341ce64b063be81e402a.exe
2972	bffd.exe
768	rundll32.exe
1704	rundll32.exe
768	rundll32.exe
768	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
768	rundll32.exe
1704	rundll32.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe
2972	bffd.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "winhome"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	\??\PhysicalDrive0	bffd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\-128017121	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\bffd.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dll	48fad24a6419341ce64b063be81e402a.exe
File created	C:\Windows\SysWOW64\069	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\841e.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dlltmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	48fad24a6419341ce64b063be81e402a.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\14ba.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\a8f.flv	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\f6f.bmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\8f6.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\a8fd.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\8f6d.exe	48fad24a6419341ce64b063be81e402a.exe
File created	C:\Windows\Tasks\ms.job	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\bf14.bmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\a34b.flv	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\f6fu.bmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\a8fd.flv	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\6f1u.bmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\4bad.flv	48fad24a6419341ce64b063be81e402a.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2972	bffd.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2548	2928	48fad24a6419341ce64b063be81e402a.exe	23
PID 2928 wrote to memory of 2548	2928	48fad24a6419341ce64b063be81e402a.exe	23
PID 2928 wrote to memory of 2548	2928	48fad24a6419341ce64b063be81e402a.exe	23
PID 2928 wrote to memory of 2548	2928	48fad24a6419341ce64b063be81e402a.exe	23
PID 2928 wrote to memory of 2548	2928	48fad24a6419341ce64b063be81e402a.exe	23
PID 2928 wrote to memory of 2548	2928	48fad24a6419341ce64b063be81e402a.exe	23
PID 2928 wrote to memory of 2548	2928	48fad24a6419341ce64b063be81e402a.exe	23
PID 2928 wrote to memory of 2588	2928	48fad24a6419341ce64b063be81e402a.exe	14
PID 2928 wrote to memory of 2588	2928	48fad24a6419341ce64b063be81e402a.exe	14
PID 2928 wrote to memory of 2588	2928	48fad24a6419341ce64b063be81e402a.exe	14
PID 2928 wrote to memory of 2588	2928	48fad24a6419341ce64b063be81e402a.exe	14
PID 2928 wrote to memory of 2588	2928	48fad24a6419341ce64b063be81e402a.exe	14
PID 2928 wrote to memory of 2588	2928	48fad24a6419341ce64b063be81e402a.exe	14
PID 2928 wrote to memory of 2588	2928	48fad24a6419341ce64b063be81e402a.exe	14
PID 2928 wrote to memory of 2632	2928	48fad24a6419341ce64b063be81e402a.exe	22
PID 2928 wrote to memory of 2632	2928	48fad24a6419341ce64b063be81e402a.exe	22
PID 2928 wrote to memory of 2632	2928	48fad24a6419341ce64b063be81e402a.exe	22
PID 2928 wrote to memory of 2632	2928	48fad24a6419341ce64b063be81e402a.exe	22
PID 2928 wrote to memory of 2632	2928	48fad24a6419341ce64b063be81e402a.exe	22
PID 2928 wrote to memory of 2632	2928	48fad24a6419341ce64b063be81e402a.exe	22
PID 2928 wrote to memory of 2632	2928	48fad24a6419341ce64b063be81e402a.exe	22
PID 2928 wrote to memory of 2648	2928	48fad24a6419341ce64b063be81e402a.exe	15
PID 2928 wrote to memory of 2648	2928	48fad24a6419341ce64b063be81e402a.exe	15
PID 2928 wrote to memory of 2648	2928	48fad24a6419341ce64b063be81e402a.exe	15
PID 2928 wrote to memory of 2648	2928	48fad24a6419341ce64b063be81e402a.exe	15
PID 2928 wrote to memory of 2648	2928	48fad24a6419341ce64b063be81e402a.exe	15
PID 2928 wrote to memory of 2648	2928	48fad24a6419341ce64b063be81e402a.exe	15
PID 2928 wrote to memory of 2648	2928	48fad24a6419341ce64b063be81e402a.exe	15
PID 2928 wrote to memory of 2720	2928	48fad24a6419341ce64b063be81e402a.exe	21
PID 2928 wrote to memory of 2720	2928	48fad24a6419341ce64b063be81e402a.exe	21
PID 2928 wrote to memory of 2720	2928	48fad24a6419341ce64b063be81e402a.exe	21
PID 2928 wrote to memory of 2720	2928	48fad24a6419341ce64b063be81e402a.exe	21
PID 2928 wrote to memory of 2720	2928	48fad24a6419341ce64b063be81e402a.exe	21
PID 2928 wrote to memory of 2720	2928	48fad24a6419341ce64b063be81e402a.exe	21
PID 2928 wrote to memory of 2720	2928	48fad24a6419341ce64b063be81e402a.exe	21
PID 2928 wrote to memory of 2600	2928	48fad24a6419341ce64b063be81e402a.exe	20
PID 2928 wrote to memory of 2600	2928	48fad24a6419341ce64b063be81e402a.exe	20
PID 2928 wrote to memory of 2600	2928	48fad24a6419341ce64b063be81e402a.exe	20
PID 2928 wrote to memory of 2600	2928	48fad24a6419341ce64b063be81e402a.exe	20
PID 2928 wrote to memory of 2448	2928	48fad24a6419341ce64b063be81e402a.exe	18
PID 2928 wrote to memory of 2448	2928	48fad24a6419341ce64b063be81e402a.exe	18
PID 2928 wrote to memory of 2448	2928	48fad24a6419341ce64b063be81e402a.exe	18
PID 2928 wrote to memory of 2448	2928	48fad24a6419341ce64b063be81e402a.exe	18
PID 2928 wrote to memory of 768	2928	48fad24a6419341ce64b063be81e402a.exe	25
PID 2928 wrote to memory of 768	2928	48fad24a6419341ce64b063be81e402a.exe	25
PID 2928 wrote to memory of 768	2928	48fad24a6419341ce64b063be81e402a.exe	25
PID 2928 wrote to memory of 768	2928	48fad24a6419341ce64b063be81e402a.exe	25
PID 2928 wrote to memory of 768	2928	48fad24a6419341ce64b063be81e402a.exe	25
PID 2928 wrote to memory of 768	2928	48fad24a6419341ce64b063be81e402a.exe	25
PID 2928 wrote to memory of 768	2928	48fad24a6419341ce64b063be81e402a.exe	25
PID 2972 wrote to memory of 1704	2972	bffd.exe	24
PID 2972 wrote to memory of 1704	2972	bffd.exe	24
PID 2972 wrote to memory of 1704	2972	bffd.exe	24
PID 2972 wrote to memory of 1704	2972	bffd.exe	24
PID 2972 wrote to memory of 1704	2972	bffd.exe	24
PID 2972 wrote to memory of 1704	2972	bffd.exe	24
PID 2972 wrote to memory of 1704	2972	bffd.exe	24

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
1⤵
PID:2588

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
1⤵
PID:2648

C:\Windows\SysWOW64\bffd.exe
C:\Windows\SysWOW64\bffd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:1704

C:\Windows\SysWOW64\bffd.exe
C:\Windows\system32\bffd.exe -s
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\SysWOW64\bffd.exe
C:\Windows\system32\bffd.exe -i
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2720

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
1⤵
PID:2632

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
1⤵
PID:2548

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
1⤵
- Loads dropped DLL
PID:768

C:\Users\Admin\AppData\Local\Temp\48fad24a6419341ce64b063be81e402a.exe
"C:\Users\Admin\AppData\Local\Temp\48fad24a6419341ce64b063be81e402a.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
93KB

MD5
39c4557f2a95d55889039e4cc5232b6b

SHA1
3d552e9e1a2ab1d22fac34a6bd5fc30617b1d547

SHA256
c6383b87aa337866e7690d164e69394743fb87cfb9a4b57d961cf5d26f34b92f

SHA512
677e90fa08776c58ddcb0b30c30bcdc2af4899237f1ffda6f7468eedaa94c3840dc20d0e9e557874897127298e183d49b6f6eee0dd958ddbc96b3cb552e627f4

Download Submit
\Windows\SysWOW64\8b4o.dll

Filesize
78KB

MD5
3e420b527dd763583f27979ab5446976

SHA1
ed60be48d6b5b58d17c5a020f21f9a28a3050267

SHA256
916a6fa8c4ad0026a6a24066848b964be1e69e93be893f3a4975fca3b6164f5c

SHA512
ae39db45a712ee8ab4247d72e7436279b653b2ba5648e8f1484b35c029972e5c16ed669d313d46a6850e116c3d3dc343f5d8d127ccea2ae0ae33ee4d70db8b47

Download Submit
\Windows\SysWOW64\bffd.exe

Filesize
144KB

MD5
d8697ac2aa20599dbc9aae3b8d1a0a03

SHA1
a65d142d8225608c3290aa7ca7ffaf831895f2b6

SHA256
2a3ec8cb7b172e15dab26e63d4f24324f704e02d1306df7c754fda0c34e35a40

SHA512
fbe9dde8360ec70c62ee44b1233f69f65f31e3e9777c6ec9a490a6a945f3a58825c12b833718d62529c77fbc21e99e5c8495d59856f677398155d313cafdf6be

Download Submit
memory/768-94-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/1704-100-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/1704-122-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/1704-112-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/1704-115-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/1704-96-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/1704-99-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/1704-106-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/1704-97-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2448-72-0x0000000000030000-0x0000000000032000-memory.dmp

Filesize
8KB

Download
memory/2448-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2448-76-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2600-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2600-61-0x0000000000030000-0x0000000000032000-memory.dmp

Filesize
8KB

Download
memory/2600-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2928-60-0x0000000000390000-0x00000000003AE000-memory.dmp

Filesize
120KB

Download
memory/2928-57-0x0000000000390000-0x00000000003AE000-memory.dmp

Filesize
120KB

Download
memory/2928-70-0x0000000000390000-0x00000000003AE000-memory.dmp

Filesize
120KB

Download
memory/2972-132-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/2972-151-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/2972-102-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-108-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2972-107-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-111-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/2972-110-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-103-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2972-113-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-83-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-116-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download
memory/2972-119-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/2972-118-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-120-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-123-0x00000000007D0000-0x00000000007D2000-memory.dmp

Filesize
8KB

Download
memory/2972-84-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/2972-126-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/2972-125-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-127-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-130-0x0000000000FB0000-0x0000000000FB2000-memory.dmp

Filesize
8KB

Download
memory/2972-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-133-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-137-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

Filesize
8KB

Download
memory/2972-136-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-139-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

Filesize
8KB

Download
memory/2972-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-143-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

Filesize
8KB

Download
memory/2972-145-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-146-0x0000000001000000-0x0000000001002000-memory.dmp

Filesize
8KB

Download
memory/2972-147-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-150-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-153-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-154-0x0000000000530000-0x0000000000532000-memory.dmp

Filesize
8KB

Download
memory/2972-155-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-158-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-159-0x0000000000540000-0x0000000000542000-memory.dmp

Filesize
8KB

Download
memory/2972-161-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-162-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download
memory/2972-163-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-166-0x0000000000680000-0x0000000000682000-memory.dmp

Filesize
8KB

Download
memory/2972-168-0x0000000000690000-0x0000000000692000-memory.dmp

Filesize
8KB

Download
memory/2972-169-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-172-0x00000000006A0000-0x00000000006A2000-memory.dmp

Filesize
8KB

Download
memory/2972-174-0x00000000006B0000-0x00000000006B2000-memory.dmp

Filesize
8KB

Download
memory/2972-175-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-178-0x00000000006C0000-0x00000000006C2000-memory.dmp

Filesize
8KB

Download
memory/2972-75-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2972-180-0x00000000006D0000-0x00000000006D2000-memory.dmp

Filesize
8KB

Download
memory/2972-181-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-184-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/2972-186-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/2972-187-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-191-0x0000000000700000-0x0000000000702000-memory.dmp

Filesize
8KB

Download
memory/2972-190-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-192-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-195-0x0000000000710000-0x0000000000712000-memory.dmp

Filesize
8KB

Download
memory/2972-194-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-196-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-197-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-201-0x0000000000720000-0x0000000000722000-memory.dmp

Filesize
8KB

Download
memory/2972-200-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2972-203-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download