c75ce9d9dc660ddc87b315dd90ee11f70a88ac78cfd82008958f102e9a8c9bc5

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a309596c9bb24df4a97b6a2fb3967bf.dll
Size

472KB
MD5

1a309596c9bb24df4a97b6a2fb3967bf
SHA1

75677094b4b78bbe0e07b5c35f1a371d14cd1d57
SHA256

c75ce9d9dc660ddc87b315dd90ee11f70a88ac78cfd82008958f102e9a8c9bc5
SHA512

6040a5314ee5db4737f07c5ad90edd8d5713a481a5718067d4695b46b1871cddd2735f3059a567cb57de733884d10eff4872f91a6d16cabaf91f1f1be4feaf1b
SSDEEP

12288:gIx3n4BiTNvjrwy15K1Q4e0TsSk7h77wNpTYLb8:gIx3JNLrr5KbQ/7h7S4

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	341d.exe

Executes dropped EXE 4 IoCs

pid	Process
2480	341d.exe
2488	341d.exe
2876	341d.exe
1136	mtv.exe

Loads dropped DLL 45 IoCs

pid	Process
1716	regsvr32.exe
2220	rundll32.exe
2220	rundll32.exe
2220	rundll32.exe
2220	rundll32.exe
2876	341d.exe
2220	rundll32.exe
2220	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
1868	rundll32.exe
1868	rundll32.exe
1868	rundll32.exe
1868	rundll32.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe
2876	341d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/341e.dll,Always"	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	341d.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	rundll32.exe
File created	C:\Windows\SysWOW64\05a9	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\341e.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\eee	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\341d.exe	rundll32.exe
File created	C:\Windows\SysWOW64\60-87-29-34	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bf14.bmp	rundll32.exe
File opened for modification	C:\Windows\f6f.bmp	rundll32.exe
File opened for modification	C:\Windows\ba8u.bmp	rundll32.exe
File opened for modification	C:\Windows\8f6.exe	rundll32.exe
File opened for modification	C:\Windows\6f1u.bmp	rundll32.exe
File opened for modification	C:\Windows\a8fd.exe	rundll32.exe
File opened for modification	C:\Windows\ba8d.exe	rundll32.exe
File created	C:\Windows\Tasks\ms.job	rundll32.exe
File opened for modification	C:\Windows\14ba.exe	rundll32.exe
File opened for modification	C:\Windows\a34b.flv	rundll32.exe
File opened for modification	C:\Windows\ba8d.flv	rundll32.exe
File opened for modification	C:\Windows\a8f.flv	rundll32.exe
File opened for modification	C:\Windows\4bad.flv	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2876	341d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1136	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2220	2904	rundll32.exe	26
PID 2904 wrote to memory of 2220	2904	rundll32.exe	26
PID 2904 wrote to memory of 2220	2904	rundll32.exe	26
PID 2904 wrote to memory of 2220	2904	rundll32.exe	26
PID 2904 wrote to memory of 2220	2904	rundll32.exe	26
PID 2904 wrote to memory of 2220	2904	rundll32.exe	26
PID 2904 wrote to memory of 2220	2904	rundll32.exe	26
PID 2220 wrote to memory of 2656	2220	rundll32.exe	16
PID 2220 wrote to memory of 2656	2220	rundll32.exe	16
PID 2220 wrote to memory of 2656	2220	rundll32.exe	16
PID 2220 wrote to memory of 2656	2220	rundll32.exe	16
PID 2220 wrote to memory of 2656	2220	rundll32.exe	16
PID 2220 wrote to memory of 2656	2220	rundll32.exe	16
PID 2220 wrote to memory of 2656	2220	rundll32.exe	16
PID 2220 wrote to memory of 2680	2220	rundll32.exe	25
PID 2220 wrote to memory of 2680	2220	rundll32.exe	25
PID 2220 wrote to memory of 2680	2220	rundll32.exe	25
PID 2220 wrote to memory of 2680	2220	rundll32.exe	25
PID 2220 wrote to memory of 2680	2220	rundll32.exe	25
PID 2220 wrote to memory of 2680	2220	rundll32.exe	25
PID 2220 wrote to memory of 2680	2220	rundll32.exe	25
PID 2220 wrote to memory of 2684	2220	rundll32.exe	17
PID 2220 wrote to memory of 2684	2220	rundll32.exe	17
PID 2220 wrote to memory of 2684	2220	rundll32.exe	17
PID 2220 wrote to memory of 2684	2220	rundll32.exe	17
PID 2220 wrote to memory of 2684	2220	rundll32.exe	17
PID 2220 wrote to memory of 2684	2220	rundll32.exe	17
PID 2220 wrote to memory of 2684	2220	rundll32.exe	17
PID 2220 wrote to memory of 2812	2220	rundll32.exe	18
PID 2220 wrote to memory of 2812	2220	rundll32.exe	18
PID 2220 wrote to memory of 2812	2220	rundll32.exe	18
PID 2220 wrote to memory of 2812	2220	rundll32.exe	18
PID 2220 wrote to memory of 2812	2220	rundll32.exe	18
PID 2220 wrote to memory of 2812	2220	rundll32.exe	18
PID 2220 wrote to memory of 2812	2220	rundll32.exe	18
PID 2220 wrote to memory of 1716	2220	rundll32.exe	24
PID 2220 wrote to memory of 1716	2220	rundll32.exe	24
PID 2220 wrote to memory of 1716	2220	rundll32.exe	24
PID 2220 wrote to memory of 1716	2220	rundll32.exe	24
PID 2220 wrote to memory of 1716	2220	rundll32.exe	24
PID 2220 wrote to memory of 1716	2220	rundll32.exe	24
PID 2220 wrote to memory of 1716	2220	rundll32.exe	24
PID 2220 wrote to memory of 2480	2220	rundll32.exe	23
PID 2220 wrote to memory of 2480	2220	rundll32.exe	23
PID 2220 wrote to memory of 2480	2220	rundll32.exe	23
PID 2220 wrote to memory of 2480	2220	rundll32.exe	23
PID 2220 wrote to memory of 2488	2220	rundll32.exe	22
PID 2220 wrote to memory of 2488	2220	rundll32.exe	22
PID 2220 wrote to memory of 2488	2220	rundll32.exe	22
PID 2220 wrote to memory of 2488	2220	rundll32.exe	22
PID 2876 wrote to memory of 2004	2876	341d.exe	32
PID 2876 wrote to memory of 2004	2876	341d.exe	32
PID 2876 wrote to memory of 2004	2876	341d.exe	32
PID 2876 wrote to memory of 2004	2876	341d.exe	32
PID 2876 wrote to memory of 2004	2876	341d.exe	32
PID 2876 wrote to memory of 2004	2876	341d.exe	32
PID 2876 wrote to memory of 2004	2876	341d.exe	32
PID 2220 wrote to memory of 1136	2220	rundll32.exe	31
PID 2220 wrote to memory of 1136	2220	rundll32.exe	31
PID 2220 wrote to memory of 1136	2220	rundll32.exe	31
PID 2220 wrote to memory of 1136	2220	rundll32.exe	31
PID 2220 wrote to memory of 1868	2220	rundll32.exe	30
PID 2220 wrote to memory of 1868	2220	rundll32.exe	30
PID 2220 wrote to memory of 1868	2220	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a309596c9bb24df4a97b6a2fb3967bf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a309596c9bb24df4a97b6a2fb3967bf.dll,#1
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll, Always
    3⤵
    - Loads dropped DLL
    PID:1868
- - C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1136

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"
1⤵
PID:2656

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"
1⤵
PID:2684

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b34o.dll"
1⤵
PID:2812

C:\Windows\SysWOW64\341d.exe
C:\Windows\SysWOW64\341d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:2004

C:\Windows\SysWOW64\341d.exe
C:\Windows\system32/341d.exe -s
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\SysWOW64\341d.exe
C:\Windows\system32/341d.exe -i
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b34o.dll"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:1716

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
132KB

MD5
ce7f5d5366daf8d11f5a809cde8a161c

SHA1
dd85e667e5f432acd825f161d780c16871781b75

SHA256
e43e465f3ca6e6d0bf6c81da003381be0ed833340d35f1c506f4c31b657366de

SHA512
ef60bb5e0c83a2b5c7a1e23f1238134d7e90674380627ecb315cd73ec8c422ef754d896b00558e6a22f6725d565b2598f56f65b87b7a296bdd52a9287e5c360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
518KB

MD5
dee62e4124523e503b7163f978418b18

SHA1
048897341e11a6410de9c0792ec8862947f48689

SHA256
718672730b7958115b3ba1a6e0495cb68abc61de1eea51e4506c7ee657399ffd

SHA512
111acd4ec58d8aeba78048a26fb47462e851e6ef4b49812adbe336851bcd3c905583eff56faad84a35dba103a45b47f7240b1867e51f1e253f5625e5840397db

Download Submit
\Windows\SysWOW64\341d.exe

Filesize
224KB

MD5
55d16b4b003aa15cb471c3a7122c93ea

SHA1
88012470fcb89a0db33e476260a2c50dad83b26a

SHA256
2bc7be7374beb9e362929ece68a4a3cfc765aaf66a2547c13429ff85e410deec

SHA512
ce2e7641252abb7e2195f483c21554238a9b828d53297e18fd960aa6801bb86fca5ae41181d9245a1308ee52f7416610e5326ab73fb3b736eb289d53f8e477d1

Download Submit
\Windows\SysWOW64\b34o.dll

Filesize
93KB

MD5
8fccf8520fc2e791c9813b7e5b0c6813

SHA1
1e70a05820b67c11501974db4fa2de2ad0e77285

SHA256
931c84789eaafcfb0ba9bfdfa40c32f96cbd3c82b151df3c5120d0ca1f806bc4

SHA512
8c59fd8e56626af5b4da4e1d841376b37e1a5335c9b2a90a1e05570e9a38f92c9f94fc51ee38dfffe06142e10788bb70b004410b8098cbd03a9e848bf284a5ae

Download Submit
\Windows\SysWOW64\b34o.dll

Filesize
64KB

MD5
3a8e6be7112772541734e2efa69bc615

SHA1
6080ed57978ef2729033308010632f97fea7f04e

SHA256
58e9fa0890fbb4f5bd2a823f789f403431319faed08d0b4401a40a82679dfe7c

SHA512
5b2ade52e2acf5a19a3a6d1ed4f2d591d6cd7ee429252263aed9e2ebe5eb679f8850bacf4488ce6e987175ba8784e08d4395380f1d12cbb47c98bd545cfdda96

Download Submit
\Windows\SysWOW64\b34o.dll

Filesize
51KB

MD5
c4d3e3b8e8a28e114396378825ccac77

SHA1
0eace2f8b14b6200f1234a9853f791909a523c41

SHA256
c4ba4e6c3c9268d104ff556a61f405954c861ff8249b46c1e73a2207f9e5a2c6

SHA512
d05d5c114c303d824b1e182b3becce85782966601bb3c70d15ec536f4592d368cb8ed17a585d93e9780091f21364341151a1c977e43010edd2c2f2a4fec77ae8

Download Submit
\Windows\SysWOW64\b34o.dll

Filesize
62KB

MD5
bc6e53c0c0356ebfcdab1d2f31412985

SHA1
37538b4f6b6c23d8124285107484eb90a97993f5

SHA256
0b4d71534aa373d5f33288bf25f4c77c38c6227a59f14741e31e094f66e20c6c

SHA512
e259018475caa0fb5de8a0c41d7fab4a010bce301f2cf1869f5577601539ca6a437ddaf2028c2bfe4a446d40843318b1d39038abb293c954245970c380b950cf

Download Submit
\Windows\SysWOW64\b34o.dll

Filesize
92KB

MD5
7e5126f34f7961860db1f2887e3c36af

SHA1
6205e93201b8a60bc93fa01c4cab0351b2d4b7b8

SHA256
0834c73ce20851fd3fa8593037c644e259a8e658c3498283b0058f74dd3d03d2

SHA512
cb4d986dde26f737635d9705daeaa6ab4a23f1f1b935c5a952eb48d308c560b35c8fd1a77b8fe1542d48f81bb81ff095787ae39bfc5d311f4c2b09f387115556

Download Submit
\Windows\SysWOW64\b34o.dll

Filesize
3KB

MD5
9f74697f9cb1610655c07e274d436e41

SHA1
e7e658bebfe3e74d2de43c9c1ac7c6f53284f2a8

SHA256
4f921ba30e495aab6c0abd3297798e8ffec048b2b23903cf9e308883cd53cf96

SHA512
bc2e55a0829c6f9a22cc325fadbd409ba5d76d1678d9cde6808b58eba5cb899678190664f6a9d9d6400d5f2906014c3bb69d5feff794959c1efcece6fde75c42

Download Submit