45b9ce71c5eb6d04208767ea10c948deb47131227b53b2140e87ee6a1c0adef6

Analysis

max time kernel
1s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

21e94dccbdc122727f14d8b4c4902294.dll
Size

472KB
MD5

21e94dccbdc122727f14d8b4c4902294
SHA1

078ab71a62e194fb70ff07397f340c8079c36420
SHA256

45b9ce71c5eb6d04208767ea10c948deb47131227b53b2140e87ee6a1c0adef6
SHA512

505678a666a4713b94e8f32b9a2444cbaed8c079886ce8a061a1961f815bb289c7813bebbc927f4e3c48efca67ed039c2da12004e7c3693045289f7e6753c30b
SSDEEP

12288:oIx3n4BiTNvjrcyWHNauyasMoG+H5mgHBVcSj5/OAiroWUBF8:oIx3JNLrqNB7sMoG+H5m+Vj01oWUBF

Score

7^/10

adware bootkit persistence stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2336	341d.exe
4808	341d.exe

Loads dropped DLL 1 IoCs

pid	Process
1152	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\341d.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\341e.dll	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\f6f.bmp	rundll32.exe
File opened for modification	C:\Windows\8f6.exe	rundll32.exe
File opened for modification	C:\Windows\a8fd.exe	rundll32.exe
File created	C:\Windows\Tasks\ms.job	rundll32.exe
File opened for modification	C:\Windows\14ba.exe	rundll32.exe
File opened for modification	C:\Windows\ba8d.exe	rundll32.exe
File opened for modification	C:\Windows\bf14.bmp	rundll32.exe
File opened for modification	C:\Windows\4bad.flv	rundll32.exe
File opened for modification	C:\Windows\a34b.flv	rundll32.exe
File opened for modification	C:\Windows\a8f.flv	rundll32.exe
File opened for modification	C:\Windows\6f1u.bmp	rundll32.exe
File opened for modification	C:\Windows\ba8u.bmp	rundll32.exe
File opened for modification	C:\Windows\ba8d.flv	rundll32.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 1540	4756	rundll32.exe	17
PID 4756 wrote to memory of 1540	4756	rundll32.exe	17
PID 4756 wrote to memory of 1540	4756	rundll32.exe	17
PID 1540 wrote to memory of 3960	1540	rundll32.exe	21
PID 1540 wrote to memory of 3960	1540	rundll32.exe	21
PID 1540 wrote to memory of 3960	1540	rundll32.exe	21
PID 1540 wrote to memory of 3448	1540	rundll32.exe	22
PID 1540 wrote to memory of 3448	1540	rundll32.exe	22
PID 1540 wrote to memory of 3448	1540	rundll32.exe	22
PID 1540 wrote to memory of 2292	1540	rundll32.exe	30
PID 1540 wrote to memory of 2292	1540	rundll32.exe	30
PID 1540 wrote to memory of 2292	1540	rundll32.exe	30
PID 1540 wrote to memory of 2680	1540	rundll32.exe	29
PID 1540 wrote to memory of 2680	1540	rundll32.exe	29
PID 1540 wrote to memory of 2680	1540	rundll32.exe	29
PID 1540 wrote to memory of 1152	1540	rundll32.exe	23
PID 1540 wrote to memory of 1152	1540	rundll32.exe	23
PID 1540 wrote to memory of 1152	1540	rundll32.exe	23
PID 1540 wrote to memory of 2336	1540	rundll32.exe	25
PID 1540 wrote to memory of 2336	1540	rundll32.exe	25
PID 1540 wrote to memory of 2336	1540	rundll32.exe	25
PID 1540 wrote to memory of 4808	1540	rundll32.exe	28
PID 1540 wrote to memory of 4808	1540	rundll32.exe	28
PID 1540 wrote to memory of 4808	1540	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e94dccbdc122727f14d8b4c4902294.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\21e94dccbdc122727f14d8b4c4902294.dll,#1
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b34o.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:1152
- - C:\Windows\SysWOW64\341d.exe
    C:\Windows\system32/341d.exe -i
    3⤵
    - Executes dropped EXE
    PID:2336
- - C:\Windows\SysWOW64\341d.exe
    C:\Windows\system32/341d.exe -s
    3⤵
    - Executes dropped EXE
    PID:4808
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b34o.dll"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"
    3⤵
    PID:2292
- - C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll, Always
    3⤵
    PID:4036

C:\Windows\SysWOW64\341d.exe
C:\Windows\SysWOW64\341d.exe
1⤵
PID:3700
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll,Always
  2⤵
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\b34o.dll

Filesize
124KB

MD5
876ca9c0e4de2148850764293449edc2

SHA1
58e895ae06b7014e8ad8908814a840055e6123ee

SHA256
e2808d307d6f46e80df5a642c90107de448703d7c891c0e75d3e6ce7af572e02

SHA512
1c6da3dbc499d078b7021928ef2338a9ce16eb5a05b5290eafac356c76a10184ceb19b0d32590d4313810421c432d613c3e698b5c02fb0b19581ca2ba186e77c

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
93KB

MD5
5533a22750fa8cdabeb9f4984d3fa86f

SHA1
53fe5031bca918cb76d47391eb597e572ec0ff0a

SHA256
92661645f9f76d4fcac9417a7db04e2789c1cfe702d8ff321b6cc7ce41de2a13

SHA512
8535f60a56e44d8d250c8fa289d1a376f7fb7f20e58ba9b4ab0932f02a052b2f8f5a604c10f2c04743aef655fd0c0e25849bd34d3b79736ecd2b225ca1fb3904

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
92KB

MD5
88ff89b801b7d0ef2f57f55e2cd8624f

SHA1
a53d229407397a44a25d95dfddd81f7d8a6a7238

SHA256
ab3a48acff71c9c570418c309b5ff8faaa3a67e6fe69a4f11695a11100b3986a

SHA512
81154b20fe8616299228d716c656f3d749cfa4aa3c8db50e4e6bb4da1196c94ad348356ec91f87108614724f93fb8a40e3ee6344a629d733bfdd077a170df6de

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads