4ff70e12968b0755f9614b87975551aeb47c6d45e7a87d83f370a0324c4ddf58

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8a1f8aadd4147e3edf64c3b918cd82f.exe
Size

500KB
MD5

f8a1f8aadd4147e3edf64c3b918cd82f
SHA1

ce18df2b93cf2b7de5522f85609cc8156d33c7d6
SHA256

4ff70e12968b0755f9614b87975551aeb47c6d45e7a87d83f370a0324c4ddf58
SHA512

b57596af04e277d9aab902ff702629f361be62553b83a7a1cfe3354f5305153e49fb7bdccfa500ed06fd82b398c9f529cf20e05ec005b7c497f3b11cbe204cd1
SSDEEP

12288:DXOqjdBB1SUhySAgRsZOWuw6CCVSKsUtrorfAEyZ8kbn:DpB1dhTs0jcsSKDifBqlb

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	341d.exe

Executes dropped EXE 4 IoCs

pid	Process
2576	341d.exe
3000	341d.exe
392	341d.exe
1828	mtv.exe

Loads dropped DLL 53 IoCs

pid	Process
2728	regsvr32.exe
2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe
2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe
2576	341d.exe
2576	341d.exe
2576	341d.exe
2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe
2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe
3000	341d.exe
3000	341d.exe
3000	341d.exe
392	341d.exe
2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe
2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe
1828	mtv.exe
1828	mtv.exe
1828	mtv.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
1372	rundll32.exe
1372	rundll32.exe
1372	rundll32.exe
1372	rundll32.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe
392	341d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/341e.dll,Always"	f8a1f8aadd4147e3edf64c3b918cd82f.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	\??\PhysicalDrive0	341d.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\eee	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dll	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\341e.dll	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\341d.exe	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File created	C:\Windows\SysWOW64\-1376068	rundll32.exe
File created	C:\Windows\SysWOW64\0a1	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dlltmp	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\f6f.bmp	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\4bad.flv	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\bf14.bmp	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\14ba.exe	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\a34b.flv	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\a8f.flv	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\6f1u.bmp	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\a8fd.exe	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\ba8u.bmp	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\ba8d.flv	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\8f6.exe	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File opened for modification	C:\Windows\ba8d.exe	f8a1f8aadd4147e3edf64c3b918cd82f.exe
File created	C:\Windows\Tasks\ms.job	f8a1f8aadd4147e3edf64c3b918cd82f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
392	341d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1828	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2848	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	28
PID 2288 wrote to memory of 2848	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	28
PID 2288 wrote to memory of 2848	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	28
PID 2288 wrote to memory of 2848	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	28
PID 2288 wrote to memory of 2848	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	28
PID 2288 wrote to memory of 2848	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	28
PID 2288 wrote to memory of 2848	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	28
PID 2288 wrote to memory of 2788	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	29
PID 2288 wrote to memory of 2788	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	29
PID 2288 wrote to memory of 2788	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	29
PID 2288 wrote to memory of 2788	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	29
PID 2288 wrote to memory of 2788	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	29
PID 2288 wrote to memory of 2788	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	29
PID 2288 wrote to memory of 2788	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	29
PID 2288 wrote to memory of 2748	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	30
PID 2288 wrote to memory of 2748	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	30
PID 2288 wrote to memory of 2748	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	30
PID 2288 wrote to memory of 2748	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	30
PID 2288 wrote to memory of 2748	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	30
PID 2288 wrote to memory of 2748	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	30
PID 2288 wrote to memory of 2748	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	30
PID 2288 wrote to memory of 2772	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	31
PID 2288 wrote to memory of 2772	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	31
PID 2288 wrote to memory of 2772	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	31
PID 2288 wrote to memory of 2772	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	31
PID 2288 wrote to memory of 2772	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	31
PID 2288 wrote to memory of 2772	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	31
PID 2288 wrote to memory of 2772	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	31
PID 2288 wrote to memory of 2728	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	32
PID 2288 wrote to memory of 2728	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	32
PID 2288 wrote to memory of 2728	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	32
PID 2288 wrote to memory of 2728	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	32
PID 2288 wrote to memory of 2728	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	32
PID 2288 wrote to memory of 2728	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	32
PID 2288 wrote to memory of 2728	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	32
PID 2288 wrote to memory of 2576	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	33
PID 2288 wrote to memory of 2576	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	33
PID 2288 wrote to memory of 2576	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	33
PID 2288 wrote to memory of 2576	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	33
PID 2288 wrote to memory of 2576	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	33
PID 2288 wrote to memory of 2576	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	33
PID 2288 wrote to memory of 2576	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	33
PID 2288 wrote to memory of 3000	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	35
PID 2288 wrote to memory of 3000	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	35
PID 2288 wrote to memory of 3000	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	35
PID 2288 wrote to memory of 3000	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	35
PID 2288 wrote to memory of 3000	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	35
PID 2288 wrote to memory of 3000	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	35
PID 2288 wrote to memory of 3000	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	35
PID 392 wrote to memory of 2228	392	341d.exe	38
PID 392 wrote to memory of 2228	392	341d.exe	38
PID 392 wrote to memory of 2228	392	341d.exe	38
PID 392 wrote to memory of 2228	392	341d.exe	38
PID 392 wrote to memory of 2228	392	341d.exe	38
PID 392 wrote to memory of 2228	392	341d.exe	38
PID 392 wrote to memory of 2228	392	341d.exe	38
PID 2288 wrote to memory of 1828	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	39
PID 2288 wrote to memory of 1828	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	39
PID 2288 wrote to memory of 1828	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	39
PID 2288 wrote to memory of 1828	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	39
PID 2288 wrote to memory of 1828	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	39
PID 2288 wrote to memory of 1828	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	39
PID 2288 wrote to memory of 1828	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	39
PID 2288 wrote to memory of 1372	2288	f8a1f8aadd4147e3edf64c3b918cd82f.exe	40

C:\Users\Admin\AppData\Local\Temp\f8a1f8aadd4147e3edf64c3b918cd82f.exe
"C:\Users\Admin\AppData\Local\Temp\f8a1f8aadd4147e3edf64c3b918cd82f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"
  2⤵
  PID:2848
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"
  2⤵
  PID:2788
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"
  2⤵
  PID:2748
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b34o.dll"
  2⤵
  PID:2772
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b34o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2728
- C:\Windows\SysWOW64\341d.exe
  C:\Windows\system32/341d.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2576
- C:\Windows\SysWOW64\341d.exe
  C:\Windows\system32/341d.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1828
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll, Always
  2⤵
  - Loads dropped DLL
  PID:1372

C:\Windows\SysWOW64\341d.exe
C:\Windows\SysWOW64\341d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
196KB

MD5
4a485e70871de678fa78fd7fa40f32b2

SHA1
59fd642a3c9a0f2ff4a18b17df100fb5b08d427c

SHA256
e154c248a487a5045433a8f76f104427e0bcb14433adaaa1fff6ec71adce03d3

SHA512
26796c39c550f60dde6220e44b10270f54c7c31d4223552188fb69439167224d1448775a4d91337e47eb7100fbca0177d8d6123c08fc011584c7532ee413e1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
128KB

MD5
3da6a64eef6bca9e929bb8f397ceeb87

SHA1
73519e8f6179c381fb7af1b741c398a58550af54

SHA256
468179b6b478bfea6a016480a71afc7d3562cdc337ce0856e65b70c7c7ed1297

SHA512
3e93392a6dcdabeee0aa457657edf433562224133939f6c282c8f6b59ef233168e4c29594d7af386795b742b5d8876b0dc3d1a7a336492c28c60fcad45753d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
462KB

MD5
fcd0f8ab788669f21b828edf22de34ee

SHA1
ac9b448eab80aec0c18993b9ed9a63fbadac77a7

SHA256
b30d51740104bca40d3a7008888b9e7dd2ce8a0da94db0aee59fd8419468f85f

SHA512
6fc5f8568cb7396557baaf88de4870797aec37bf84d3a5a70c40406dba815195681bea60dca72db36ab2420dbb8b717f0fa3b9eab418164b39a05dbb679ad7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
216KB

MD5
0da5741e1dc79a2ba0950acf00218f06

SHA1
828a106633ea9238e79efbe9b7f7e0cc6c109210

SHA256
d789c2dcce4facc89dfeb9e57ed5af494fac8b33c17179ece0d6744aff274a23

SHA512
f63e63d247a0ce0ad068de7508e7305eef24142d2d6778a9ab083d1a50420bb30d4ef370b19d7bc8a876449e3c46ec947e4bc4069a5f57d2ec9d56acd5f81880

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymzq\tmp.exe

Filesize
76KB

MD5
f9f157a82f5062a68c48d8d5e976aa4f

SHA1
0ea8e12138ffb83402ff3fb175bacfc3cfcc8370

SHA256
1aa3b5141f57a6a7186b5602e2235ebb1c91a915d8e0074a7ed1bc67c06a782c

SHA512
c046ecf8a9398c39aff2b5d6b317952d317fd198c197795099b05ab62a37a3051368159169de3b7fbd41d327eecdc479416587d931942a33ff614acb679fa146

Download Submit