e81a4de91012529f67d65116b5690b6a50aa287beb32054c69d479ad1f85c0a8

Analysis

max time kernel
151s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 19:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

020711333fb8898672a822c9af9694b9.exe
Size

412KB
MD5

020711333fb8898672a822c9af9694b9
SHA1

9e933fbb03338c72640a8ebf817513be5c40b895
SHA256

e81a4de91012529f67d65116b5690b6a50aa287beb32054c69d479ad1f85c0a8
SHA512

17842a4477db9c0971a28a76b6b4c4868654c9859d1e40de5a9da9e9b68f0705f14d29cc38073fdc1442e2dbbb676de6893b7991a37c9025c5ee402d38ea8d97
SSDEEP

12288:v33Q9q2bGVy/GSX3B9SiGf5NuiVMDsSWzDIw:v3bcGUXxng56tw

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bffd.exe

Executes dropped EXE 3 IoCs

pid	Process
2620	bffd.exe
2152	bffd.exe
2664	bffd.exe

Loads dropped DLL 42 IoCs

pid	Process
2740	regsvr32.exe
2408	020711333fb8898672a822c9af9694b9.exe
2408	020711333fb8898672a822c9af9694b9.exe
2408	020711333fb8898672a822c9af9694b9.exe
2408	020711333fb8898672a822c9af9694b9.exe
2664	bffd.exe
2792	rundll32.exe
2492	rundll32.exe
2792	rundll32.exe
2492	rundll32.exe
2792	rundll32.exe
2492	rundll32.exe
2792	rundll32.exe
2492	rundll32.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe
2664	bffd.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "winhome"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	020711333fb8898672a822c9af9694b9.exe
File opened for modification	\??\PhysicalDrive0	bffd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\34ua.exe	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dll	020711333fb8898672a822c9af9694b9.exe
File created	C:\Windows\SysWOW64\19110-102-92	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\bffd.exe	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dlltmp	020711333fb8898672a822c9af9694b9.exe
File created	C:\Windows\SysWOW64\033	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\SysWOW64\841e.dll	020711333fb8898672a822c9af9694b9.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\a34b.flv	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\a8fd.exe	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\f6fu.bmp	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\8f6d.exe	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\a8fd.flv	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\bf14.bmp	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\f6f.bmp	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\6f1u.bmp	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\4bad.flv	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\14ba.exe	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\8f6.exe	020711333fb8898672a822c9af9694b9.exe
File opened for modification	C:\Windows\a8f.flv	020711333fb8898672a822c9af9694b9.exe
File created	C:\Windows\Tasks\ms.job	020711333fb8898672a822c9af9694b9.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2664	bffd.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2684	2408	020711333fb8898672a822c9af9694b9.exe	28
PID 2408 wrote to memory of 2684	2408	020711333fb8898672a822c9af9694b9.exe	28
PID 2408 wrote to memory of 2684	2408	020711333fb8898672a822c9af9694b9.exe	28
PID 2408 wrote to memory of 2684	2408	020711333fb8898672a822c9af9694b9.exe	28
PID 2408 wrote to memory of 2684	2408	020711333fb8898672a822c9af9694b9.exe	28
PID 2408 wrote to memory of 2684	2408	020711333fb8898672a822c9af9694b9.exe	28
PID 2408 wrote to memory of 2684	2408	020711333fb8898672a822c9af9694b9.exe	28
PID 2408 wrote to memory of 3004	2408	020711333fb8898672a822c9af9694b9.exe	29
PID 2408 wrote to memory of 3004	2408	020711333fb8898672a822c9af9694b9.exe	29
PID 2408 wrote to memory of 3004	2408	020711333fb8898672a822c9af9694b9.exe	29
PID 2408 wrote to memory of 3004	2408	020711333fb8898672a822c9af9694b9.exe	29
PID 2408 wrote to memory of 3004	2408	020711333fb8898672a822c9af9694b9.exe	29
PID 2408 wrote to memory of 3004	2408	020711333fb8898672a822c9af9694b9.exe	29
PID 2408 wrote to memory of 3004	2408	020711333fb8898672a822c9af9694b9.exe	29
PID 2408 wrote to memory of 2864	2408	020711333fb8898672a822c9af9694b9.exe	30
PID 2408 wrote to memory of 2864	2408	020711333fb8898672a822c9af9694b9.exe	30
PID 2408 wrote to memory of 2864	2408	020711333fb8898672a822c9af9694b9.exe	30
PID 2408 wrote to memory of 2864	2408	020711333fb8898672a822c9af9694b9.exe	30
PID 2408 wrote to memory of 2864	2408	020711333fb8898672a822c9af9694b9.exe	30
PID 2408 wrote to memory of 2864	2408	020711333fb8898672a822c9af9694b9.exe	30
PID 2408 wrote to memory of 2864	2408	020711333fb8898672a822c9af9694b9.exe	30
PID 2408 wrote to memory of 2772	2408	020711333fb8898672a822c9af9694b9.exe	31
PID 2408 wrote to memory of 2772	2408	020711333fb8898672a822c9af9694b9.exe	31
PID 2408 wrote to memory of 2772	2408	020711333fb8898672a822c9af9694b9.exe	31
PID 2408 wrote to memory of 2772	2408	020711333fb8898672a822c9af9694b9.exe	31
PID 2408 wrote to memory of 2772	2408	020711333fb8898672a822c9af9694b9.exe	31
PID 2408 wrote to memory of 2772	2408	020711333fb8898672a822c9af9694b9.exe	31
PID 2408 wrote to memory of 2772	2408	020711333fb8898672a822c9af9694b9.exe	31
PID 2408 wrote to memory of 2740	2408	020711333fb8898672a822c9af9694b9.exe	32
PID 2408 wrote to memory of 2740	2408	020711333fb8898672a822c9af9694b9.exe	32
PID 2408 wrote to memory of 2740	2408	020711333fb8898672a822c9af9694b9.exe	32
PID 2408 wrote to memory of 2740	2408	020711333fb8898672a822c9af9694b9.exe	32
PID 2408 wrote to memory of 2740	2408	020711333fb8898672a822c9af9694b9.exe	32
PID 2408 wrote to memory of 2740	2408	020711333fb8898672a822c9af9694b9.exe	32
PID 2408 wrote to memory of 2740	2408	020711333fb8898672a822c9af9694b9.exe	32
PID 2408 wrote to memory of 2620	2408	020711333fb8898672a822c9af9694b9.exe	33
PID 2408 wrote to memory of 2620	2408	020711333fb8898672a822c9af9694b9.exe	33
PID 2408 wrote to memory of 2620	2408	020711333fb8898672a822c9af9694b9.exe	33
PID 2408 wrote to memory of 2620	2408	020711333fb8898672a822c9af9694b9.exe	33
PID 2408 wrote to memory of 2152	2408	020711333fb8898672a822c9af9694b9.exe	35
PID 2408 wrote to memory of 2152	2408	020711333fb8898672a822c9af9694b9.exe	35
PID 2408 wrote to memory of 2152	2408	020711333fb8898672a822c9af9694b9.exe	35
PID 2408 wrote to memory of 2152	2408	020711333fb8898672a822c9af9694b9.exe	35
PID 2408 wrote to memory of 2792	2408	020711333fb8898672a822c9af9694b9.exe	38
PID 2408 wrote to memory of 2792	2408	020711333fb8898672a822c9af9694b9.exe	38
PID 2408 wrote to memory of 2792	2408	020711333fb8898672a822c9af9694b9.exe	38
PID 2408 wrote to memory of 2792	2408	020711333fb8898672a822c9af9694b9.exe	38
PID 2664 wrote to memory of 2492	2664	bffd.exe	39
PID 2408 wrote to memory of 2792	2408	020711333fb8898672a822c9af9694b9.exe	38
PID 2408 wrote to memory of 2792	2408	020711333fb8898672a822c9af9694b9.exe	38
PID 2664 wrote to memory of 2492	2664	bffd.exe	39
PID 2664 wrote to memory of 2492	2664	bffd.exe	39
PID 2408 wrote to memory of 2792	2408	020711333fb8898672a822c9af9694b9.exe	38
PID 2664 wrote to memory of 2492	2664	bffd.exe	39
PID 2664 wrote to memory of 2492	2664	bffd.exe	39
PID 2664 wrote to memory of 2492	2664	bffd.exe	39
PID 2664 wrote to memory of 2492	2664	bffd.exe	39

C:\Users\Admin\AppData\Local\Temp\020711333fb8898672a822c9af9694b9.exe
"C:\Users\Admin\AppData\Local\Temp\020711333fb8898672a822c9af9694b9.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
  2⤵
  PID:3004
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
  2⤵
  PID:2772
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2740
- C:\Windows\SysWOW64\bffd.exe
  C:\Windows\system32\bffd.exe -i
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\SysWOW64\bffd.exe
  C:\Windows\system32\bffd.exe -s
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:2792

C:\Windows\SysWOW64\bffd.exe
C:\Windows\SysWOW64\bffd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
  2⤵
  - Loads dropped DLL
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
107KB

MD5
bb56a0df447a2ab04d8b533712cc49ff

SHA1
d314606e7bc9a7be270abf471c49063f986ae4e0

SHA256
b41e4384c980eb59cad633786b7cc501f264a7f9227dceb24d4e6077fe3dc81c

SHA512
10dfc02f1f8f3b6ed8877b29cc7262b0456aa379898be1cdc87c2754d5277c05e48b57363d95954dffe331651547c0e735efa9979312ca62816b4aa5cc5ed088

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
277KB

MD5
949088add84afac4cc6658eeb1b06da7

SHA1
f779c1c3027e0475a001e53ca62c93f6105fe699

SHA256
6033af60bc5f4c1f792f0697ce950b02c7265a553a019b6dc5ce3cac9bd06ac0

SHA512
1ca3022b49947a472bc0c41ecd62ab52851b510cc840de3b2527504715e0c6b5c8f3ba5921229086eac30f9f83102bb0c2cbb1d347e9154c0c71b42123e5a0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
80KB

MD5
9b27be072a2be180fbaf24d558522a71

SHA1
fc9dea0d84c2a3373a227037e98e158041fdcf2d

SHA256
eb8e7ba0eef2671bee8222156e9445422862bbbdda002700c86051ebf2644efb

SHA512
701a7f3a98c926e80f436a661ac4a108467f02f712f86825dbd04171d68b60099c0aa316ad14662d92c4717457cb318fc1476936f722ef6fffd6308947b55910

Download Submit
\Windows\SysWOW64\8b4o.dll

Filesize
64KB

MD5
7bacafa1c7b2ebf7091b09a33b9355b5

SHA1
21d11dad714ebfc6f3d9a8ec3feb193637100fd9

SHA256
4059460cbe5afe0231ca95f871b35427b0c3e9fb6daa7931234f458b31ad9791

SHA512
1547b19f7c02a4c53c1ded4bd3e34df6d3505cd8e6972f231273a833ad03415dd7b9508eb69db419c9a44cfe9cc871d505d96b9d3fbd4b621e68ec1bb517226c

Download Submit
memory/2152-77-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2152-73-0x0000000000030000-0x0000000000032000-memory.dmp

Filesize
8KB

Download
memory/2408-71-0x00000000004A0000-0x00000000004BE000-memory.dmp

Filesize
120KB

Download
memory/2408-60-0x00000000004A0000-0x00000000004BE000-memory.dmp

Filesize
120KB

Download
memory/2408-57-0x00000000004A0000-0x00000000004BE000-memory.dmp

Filesize
120KB

Download
memory/2492-97-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2620-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2620-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2620-63-0x0000000000030000-0x0000000000032000-memory.dmp

Filesize
8KB

Download
memory/2664-170-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/2664-147-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

Filesize
8KB

Download
memory/2664-205-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-82-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2664-81-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-203-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-201-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-200-0x0000000000A40000-0x0000000000A42000-memory.dmp

Filesize
8KB

Download
memory/2664-199-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-197-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-75-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-105-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-106-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2664-107-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-195-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-110-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2664-193-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-113-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-114-0x00000000004A0000-0x00000000004A2000-memory.dmp

Filesize
8KB

Download
memory/2664-194-0x0000000000A30000-0x0000000000A32000-memory.dmp

Filesize
8KB

Download
memory/2664-115-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-118-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/2664-120-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-121-0x0000000000E40000-0x0000000000E42000-memory.dmp

Filesize
8KB

Download
memory/2664-122-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-125-0x0000000000F90000-0x0000000000F92000-memory.dmp

Filesize
8KB

Download
memory/2664-127-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-131-0x0000000000FA0000-0x0000000000FA2000-memory.dmp

Filesize
8KB

Download
memory/2664-134-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-135-0x0000000000FB0000-0x0000000000FB2000-memory.dmp

Filesize
8KB

Download
memory/2664-136-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-138-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-139-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/2664-143-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

Filesize
8KB

Download
memory/2664-142-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-144-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-146-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-76-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2664-151-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

Filesize
8KB

Download
memory/2664-150-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-152-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-154-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-155-0x0000000000460000-0x0000000000462000-memory.dmp

Filesize
8KB

Download
memory/2664-159-0x0000000000470000-0x0000000000472000-memory.dmp

Filesize
8KB

Download
memory/2664-158-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-160-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-162-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/2664-165-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-166-0x0000000000490000-0x0000000000492000-memory.dmp

Filesize
8KB

Download
memory/2664-167-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-191-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/2664-172-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-173-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/2664-174-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-177-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/2664-179-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/2664-180-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-183-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2664-184-0x0000000000A00000-0x0000000000A02000-memory.dmp

Filesize
8KB

Download
memory/2664-188-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-187-0x0000000000A10000-0x0000000000A12000-memory.dmp

Filesize
8KB

Download
memory/2664-186-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2740-45-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2740-46-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2740-80-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2792-116-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2792-111-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2792-109-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2792-101-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2792-98-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2792-100-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2792-99-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/2792-96-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download