45b9ce71c5eb6d04208767ea10c948deb47131227b53b2140e87ee6a1c0adef6

Analysis

max time kernel
6s
max time network
145s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 00:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

21e94dccbdc122727f14d8b4c4902294.dll
Size

472KB
MD5

21e94dccbdc122727f14d8b4c4902294
SHA1

078ab71a62e194fb70ff07397f340c8079c36420
SHA256

45b9ce71c5eb6d04208767ea10c948deb47131227b53b2140e87ee6a1c0adef6
SHA512

505678a666a4713b94e8f32b9a2444cbaed8c079886ce8a061a1961f815bb289c7813bebbc927f4e3c48efca67ed039c2da12004e7c3693045289f7e6753c30b
SSDEEP

12288:oIx3n4BiTNvjrcyWHNauyasMoG+H5mgHBVcSj5/OAiroWUBF8:oIx3JNLrqNB7sMoG+H5m+Vj01oWUBF

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	341d.exe

Executes dropped EXE 4 IoCs

pid	Process
2488	341d.exe
2496	341d.exe
1648	341d.exe
1576	mtv.exe

Loads dropped DLL 17 IoCs

pid	Process
3008	regsvr32.exe
1216	rundll32.exe
1216	rundll32.exe
1216	rundll32.exe
1216	rundll32.exe
1648	341d.exe
1216	rundll32.exe
1216	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
1648	341d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/341e.dll,Always"	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	341d.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	rundll32.exe
File created	C:\Windows\SysWOW64\56-55-57123	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\341e.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\341d.exe	rundll32.exe
File created	C:\Windows\SysWOW64\73a	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\a8f.flv	rundll32.exe
File opened for modification	C:\Windows\a8fd.exe	rundll32.exe
File opened for modification	C:\Windows\f6f.bmp	rundll32.exe
File opened for modification	C:\Windows\6f1u.bmp	rundll32.exe
File opened for modification	C:\Windows\8f6.exe	rundll32.exe
File opened for modification	C:\Windows\ba8d.flv	rundll32.exe
File opened for modification	C:\Windows\ba8u.bmp	rundll32.exe
File opened for modification	C:\Windows\14ba.exe	rundll32.exe
File opened for modification	C:\Windows\a34b.flv	rundll32.exe
File opened for modification	C:\Windows\4bad.flv	rundll32.exe
File opened for modification	C:\Windows\ba8d.exe	rundll32.exe
File created	C:\Windows\Tasks\ms.job	rundll32.exe
File opened for modification	C:\Windows\bf14.bmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1648	341d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1576	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1216	2220	rundll32.exe	28
PID 2220 wrote to memory of 1216	2220	rundll32.exe	28
PID 2220 wrote to memory of 1216	2220	rundll32.exe	28
PID 2220 wrote to memory of 1216	2220	rundll32.exe	28
PID 2220 wrote to memory of 1216	2220	rundll32.exe	28
PID 2220 wrote to memory of 1216	2220	rundll32.exe	28
PID 2220 wrote to memory of 1216	2220	rundll32.exe	28
PID 1216 wrote to memory of 2688	1216	rundll32.exe	29
PID 1216 wrote to memory of 2688	1216	rundll32.exe	29
PID 1216 wrote to memory of 2688	1216	rundll32.exe	29
PID 1216 wrote to memory of 2688	1216	rundll32.exe	29
PID 1216 wrote to memory of 2688	1216	rundll32.exe	29
PID 1216 wrote to memory of 2688	1216	rundll32.exe	29
PID 1216 wrote to memory of 2688	1216	rundll32.exe	29
PID 1216 wrote to memory of 2708	1216	rundll32.exe	38
PID 1216 wrote to memory of 2708	1216	rundll32.exe	38
PID 1216 wrote to memory of 2708	1216	rundll32.exe	38
PID 1216 wrote to memory of 2708	1216	rundll32.exe	38
PID 1216 wrote to memory of 2708	1216	rundll32.exe	38
PID 1216 wrote to memory of 2708	1216	rundll32.exe	38
PID 1216 wrote to memory of 2708	1216	rundll32.exe	38
PID 1216 wrote to memory of 2852	1216	rundll32.exe	37
PID 1216 wrote to memory of 2852	1216	rundll32.exe	37
PID 1216 wrote to memory of 2852	1216	rundll32.exe	37
PID 1216 wrote to memory of 2852	1216	rundll32.exe	37
PID 1216 wrote to memory of 2852	1216	rundll32.exe	37
PID 1216 wrote to memory of 2852	1216	rundll32.exe	37
PID 1216 wrote to memory of 2852	1216	rundll32.exe	37
PID 1216 wrote to memory of 2568	1216	rundll32.exe	30
PID 1216 wrote to memory of 2568	1216	rundll32.exe	30
PID 1216 wrote to memory of 2568	1216	rundll32.exe	30
PID 1216 wrote to memory of 2568	1216	rundll32.exe	30
PID 1216 wrote to memory of 2568	1216	rundll32.exe	30
PID 1216 wrote to memory of 2568	1216	rundll32.exe	30
PID 1216 wrote to memory of 2568	1216	rundll32.exe	30
PID 1216 wrote to memory of 3008	1216	rundll32.exe	36
PID 1216 wrote to memory of 3008	1216	rundll32.exe	36
PID 1216 wrote to memory of 3008	1216	rundll32.exe	36
PID 1216 wrote to memory of 3008	1216	rundll32.exe	36
PID 1216 wrote to memory of 3008	1216	rundll32.exe	36
PID 1216 wrote to memory of 3008	1216	rundll32.exe	36
PID 1216 wrote to memory of 3008	1216	rundll32.exe	36
PID 1216 wrote to memory of 2488	1216	rundll32.exe	35
PID 1216 wrote to memory of 2488	1216	rundll32.exe	35
PID 1216 wrote to memory of 2488	1216	rundll32.exe	35
PID 1216 wrote to memory of 2488	1216	rundll32.exe	35
PID 1216 wrote to memory of 2496	1216	rundll32.exe	32
PID 1216 wrote to memory of 2496	1216	rundll32.exe	32
PID 1216 wrote to memory of 2496	1216	rundll32.exe	32
PID 1216 wrote to memory of 2496	1216	rundll32.exe	32
PID 1648 wrote to memory of 2764	1648	341d.exe	41
PID 1648 wrote to memory of 2764	1648	341d.exe	41
PID 1648 wrote to memory of 2764	1648	341d.exe	41
PID 1648 wrote to memory of 2764	1648	341d.exe	41
PID 1648 wrote to memory of 2764	1648	341d.exe	41
PID 1648 wrote to memory of 2764	1648	341d.exe	41
PID 1648 wrote to memory of 2764	1648	341d.exe	41
PID 1216 wrote to memory of 1576	1216	rundll32.exe	39
PID 1216 wrote to memory of 1576	1216	rundll32.exe	39
PID 1216 wrote to memory of 1576	1216	rundll32.exe	39
PID 1216 wrote to memory of 1576	1216	rundll32.exe	39
PID 1216 wrote to memory of 956	1216	rundll32.exe	40
PID 1216 wrote to memory of 956	1216	rundll32.exe	40
PID 1216 wrote to memory of 956	1216	rundll32.exe	40

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e94dccbdc122727f14d8b4c4902294.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e94dccbdc122727f14d8b4c4902294.dll,#1
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b34o.dll"
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\341d.exe
    C:\Windows\system32/341d.exe -s
    3⤵
    - Executes dropped EXE
    PID:2496
- - C:\Windows\SysWOW64\341d.exe
    C:\Windows\system32/341d.exe -i
    3⤵
    - Executes dropped EXE
    PID:2488
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b34o.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:3008
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"
    3⤵
    PID:2708
- - C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1576
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll, Always
    3⤵
    - Loads dropped DLL
    PID:956

C:\Windows\SysWOW64\341d.exe
C:\Windows\SysWOW64\341d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
112KB

MD5
3346b0812af7de49725c53e7b6e24259

SHA1
88976efe34e9a1bff95d7becbf711f33d988ad67

SHA256
ecbdad133e1eee5bfd0ca1fde7acc2b5a6b2144f4a48626d18aa6fe61542213b

SHA512
7c370a1e215cfd2e5e2a5826f732f07f976ca09fe2e74e40ce60b644560978a1e4c23829a2d545a4d70e78e7c28cc37ce67e22abade52233f483f588bd9e8572

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
44KB

MD5
4d9604a11d4e6e69c1f34b7ab4b71b1b

SHA1
344e0c7be7c10b1bb48fb60397ead3b3e7059fbd

SHA256
13d1244f3f6f63966e6e11a109c8be93bee687287983fb21799653db10085602

SHA512
ea1c80f4f8b4fedf3fd6ab79ed02b2bd0874fe945d15e26fe5ca9e7870e6af3afb7672ce382960c84a29d6e7d3495c286af2255c24f03b046356472ece9513a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
498KB

MD5
6f06ed54b26ec44409608930a30aae45

SHA1
ff46b9a0dae00227a482d94236719e7025a37cc4

SHA256
88a875523aac75b51a204e813f1fc260e75737d9a7ac54f46ac4d37c77ab4872

SHA512
8359a66675a1ea0c04c93bfde81b210a86c70bf94c2cac52f3ce070233f9f037a354286f6542dd821e98c1b7de72024de668c62f224cc4687462121eff6872cd

Download Submit
C:\Windows\SysWOW64\341d.exe

Filesize
204KB

MD5
40f1a45bf0e7f4122655861f8e9d7abc

SHA1
6176bac1d47cce097c72f0edb96a788b0c6ea3ac

SHA256
3be6d50655e13b96a6ff40a400ce321a6899d9947ab4f24ca249a5e49cb69791

SHA512
faa3ec98b7955ad302b7541f8fcb1a0fc340299ca7bc6991d1f695bf7bfa16972e4e9a935cf92737a64428723d6694bee120da293caa67adb32f48ceb6eb5c53

Download Submit
C:\Windows\SysWOW64\341e.dll

Filesize
92KB

MD5
d5fc026a2842c7e5e23b53e1febf0d19

SHA1
e3e672e4dedadd4702585d15b3c3ae9070bfc648

SHA256
e8f5ace6b333c918d4ab6e484d1b222b7b37c604a3fc9a502f03473a274ac3bc

SHA512
45348deca75f3fb4096ed159fdc8ddcad303a973d816f0c18ef5691b66751d1d0d883d3341930e93fb2c72123347068cf0afbd2d3a403a3dcbb7d696208599c9

Download Submit
\Windows\SysWOW64\341d.exe

Filesize
95KB

MD5
2646d2fdb93d89bf4d74dd06342c94e3

SHA1
55cb8ad99247d05c9c67c627826d0181e0b4a9e1

SHA256
e029916819c06bb3577d478a12e44fc0fbb38b2adb693fb454774af5a023992a

SHA512
a2f11f3e3294363e9797b123d811c6d36e0521803c1b0c875372f06532c1368b6377d118874ff02aa0f2ec853588234a4b553e02d91f978367c1de076686c336

Download Submit
\Windows\SysWOW64\b34o.dll

Filesize
24KB

MD5
edc0b8f2d3a050797e314ae960c0ae1b

SHA1
6fdcc11be975b06d56fa27a510549c4eca2663b7

SHA256
3bd06788afa86050ccf5655d51fb075a460b17dfd6bdc7a1221163be458b7830

SHA512
6f1fb1f9e2c4d63850c6bdf117d6c93a36d8d369e88a0d7ddcf837e256ced8816ce773590cf94653704b72bd88547c3c755c92c6420646cceec4aca61810a912

Download Submit
\Windows\SysWOW64\b34o.dll

Filesize
93KB

MD5
5533a22750fa8cdabeb9f4984d3fa86f

SHA1
53fe5031bca918cb76d47391eb597e572ec0ff0a

SHA256
92661645f9f76d4fcac9417a7db04e2789c1cfe702d8ff321b6cc7ce41de2a13

SHA512
8535f60a56e44d8d250c8fa289d1a376f7fb7f20e58ba9b4ab0932f02a052b2f8f5a604c10f2c04743aef655fd0c0e25849bd34d3b79736ecd2b225ca1fb3904

Download Submit