0b210b070bc6069fd281873d5d8c94ab738c6bb5eb4c2ec034752b49c8fe85f6

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/01/2024, 20:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6385f71bd1dc03384032ca274ab9f23f.exe
Size

492KB
MD5

6385f71bd1dc03384032ca274ab9f23f
SHA1

354a10f22a143a3992cd2396a5796dc0df330340
SHA256

0b210b070bc6069fd281873d5d8c94ab738c6bb5eb4c2ec034752b49c8fe85f6
SHA512

8b7b3677f963a27df6cf772cc96eaf1d5d87b40cc3124ef90c858cb23a7a6cf3655e2aa77168a1f8b80b84e976e6b5be3c35386d6c85278393f37b3d3fa7e083
SSDEEP

12288:tXOqjdBB1SUhySAgRsZOWn0enAAKFoFRBA2qyg++82/Vi1D7:tpB1dhTs0WFA8BKt++8Qk1D7

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	341d.exe

Executes dropped EXE 4 IoCs

pid	Process
2660	341d.exe
2592	341d.exe
3016	341d.exe
1884	mtv.exe

Loads dropped DLL 54 IoCs

pid	Process
2828	regsvr32.exe
2908	6385f71bd1dc03384032ca274ab9f23f.exe
2908	6385f71bd1dc03384032ca274ab9f23f.exe
2660	341d.exe
2660	341d.exe
2660	341d.exe
2908	6385f71bd1dc03384032ca274ab9f23f.exe
2908	6385f71bd1dc03384032ca274ab9f23f.exe
2592	341d.exe
2592	341d.exe
2592	341d.exe
3016	341d.exe
2908	6385f71bd1dc03384032ca274ab9f23f.exe
2908	6385f71bd1dc03384032ca274ab9f23f.exe
1884	mtv.exe
1884	mtv.exe
1884	mtv.exe
2860	rundll32.exe
2860	rundll32.exe
2860	rundll32.exe
2860	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe
3016	341d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/341e.dll,Always"	6385f71bd1dc03384032ca274ab9f23f.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	\??\PhysicalDrive0	341d.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\341e.dll	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	6385f71bd1dc03384032ca274ab9f23f.exe
File created	C:\Windows\SysWOW64\02f	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dll	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dlltmp	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File created	C:\Windows\SysWOW64\Ìõ#44124-82-8	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\SysWOW64\341d.exe	6385f71bd1dc03384032ca274ab9f23f.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\ms.job	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\a34b.flv	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\f6f.bmp	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\6f1u.bmp	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\a8fd.exe	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\4bad.flv	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\ba8d.exe	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\8f6.exe	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\ba8d.flv	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\bf14.bmp	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\14ba.exe	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\a8f.flv	6385f71bd1dc03384032ca274ab9f23f.exe
File opened for modification	C:\Windows\ba8u.bmp	6385f71bd1dc03384032ca274ab9f23f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3016	341d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1884	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2624	2908	6385f71bd1dc03384032ca274ab9f23f.exe	28
PID 2908 wrote to memory of 2624	2908	6385f71bd1dc03384032ca274ab9f23f.exe	28
PID 2908 wrote to memory of 2624	2908	6385f71bd1dc03384032ca274ab9f23f.exe	28
PID 2908 wrote to memory of 2624	2908	6385f71bd1dc03384032ca274ab9f23f.exe	28
PID 2908 wrote to memory of 2624	2908	6385f71bd1dc03384032ca274ab9f23f.exe	28
PID 2908 wrote to memory of 2624	2908	6385f71bd1dc03384032ca274ab9f23f.exe	28
PID 2908 wrote to memory of 2624	2908	6385f71bd1dc03384032ca274ab9f23f.exe	28
PID 2908 wrote to memory of 2904	2908	6385f71bd1dc03384032ca274ab9f23f.exe	29
PID 2908 wrote to memory of 2904	2908	6385f71bd1dc03384032ca274ab9f23f.exe	29
PID 2908 wrote to memory of 2904	2908	6385f71bd1dc03384032ca274ab9f23f.exe	29
PID 2908 wrote to memory of 2904	2908	6385f71bd1dc03384032ca274ab9f23f.exe	29
PID 2908 wrote to memory of 2904	2908	6385f71bd1dc03384032ca274ab9f23f.exe	29
PID 2908 wrote to memory of 2904	2908	6385f71bd1dc03384032ca274ab9f23f.exe	29
PID 2908 wrote to memory of 2904	2908	6385f71bd1dc03384032ca274ab9f23f.exe	29
PID 2908 wrote to memory of 1920	2908	6385f71bd1dc03384032ca274ab9f23f.exe	30
PID 2908 wrote to memory of 1920	2908	6385f71bd1dc03384032ca274ab9f23f.exe	30
PID 2908 wrote to memory of 1920	2908	6385f71bd1dc03384032ca274ab9f23f.exe	30
PID 2908 wrote to memory of 1920	2908	6385f71bd1dc03384032ca274ab9f23f.exe	30
PID 2908 wrote to memory of 1920	2908	6385f71bd1dc03384032ca274ab9f23f.exe	30
PID 2908 wrote to memory of 1920	2908	6385f71bd1dc03384032ca274ab9f23f.exe	30
PID 2908 wrote to memory of 1920	2908	6385f71bd1dc03384032ca274ab9f23f.exe	30
PID 2908 wrote to memory of 2996	2908	6385f71bd1dc03384032ca274ab9f23f.exe	31
PID 2908 wrote to memory of 2996	2908	6385f71bd1dc03384032ca274ab9f23f.exe	31
PID 2908 wrote to memory of 2996	2908	6385f71bd1dc03384032ca274ab9f23f.exe	31
PID 2908 wrote to memory of 2996	2908	6385f71bd1dc03384032ca274ab9f23f.exe	31
PID 2908 wrote to memory of 2996	2908	6385f71bd1dc03384032ca274ab9f23f.exe	31
PID 2908 wrote to memory of 2996	2908	6385f71bd1dc03384032ca274ab9f23f.exe	31
PID 2908 wrote to memory of 2996	2908	6385f71bd1dc03384032ca274ab9f23f.exe	31
PID 2908 wrote to memory of 2828	2908	6385f71bd1dc03384032ca274ab9f23f.exe	32
PID 2908 wrote to memory of 2828	2908	6385f71bd1dc03384032ca274ab9f23f.exe	32
PID 2908 wrote to memory of 2828	2908	6385f71bd1dc03384032ca274ab9f23f.exe	32
PID 2908 wrote to memory of 2828	2908	6385f71bd1dc03384032ca274ab9f23f.exe	32
PID 2908 wrote to memory of 2828	2908	6385f71bd1dc03384032ca274ab9f23f.exe	32
PID 2908 wrote to memory of 2828	2908	6385f71bd1dc03384032ca274ab9f23f.exe	32
PID 2908 wrote to memory of 2828	2908	6385f71bd1dc03384032ca274ab9f23f.exe	32
PID 2908 wrote to memory of 2660	2908	6385f71bd1dc03384032ca274ab9f23f.exe	33
PID 2908 wrote to memory of 2660	2908	6385f71bd1dc03384032ca274ab9f23f.exe	33
PID 2908 wrote to memory of 2660	2908	6385f71bd1dc03384032ca274ab9f23f.exe	33
PID 2908 wrote to memory of 2660	2908	6385f71bd1dc03384032ca274ab9f23f.exe	33
PID 2908 wrote to memory of 2660	2908	6385f71bd1dc03384032ca274ab9f23f.exe	33
PID 2908 wrote to memory of 2660	2908	6385f71bd1dc03384032ca274ab9f23f.exe	33
PID 2908 wrote to memory of 2660	2908	6385f71bd1dc03384032ca274ab9f23f.exe	33
PID 2908 wrote to memory of 2592	2908	6385f71bd1dc03384032ca274ab9f23f.exe	35
PID 2908 wrote to memory of 2592	2908	6385f71bd1dc03384032ca274ab9f23f.exe	35
PID 2908 wrote to memory of 2592	2908	6385f71bd1dc03384032ca274ab9f23f.exe	35
PID 2908 wrote to memory of 2592	2908	6385f71bd1dc03384032ca274ab9f23f.exe	35
PID 2908 wrote to memory of 2592	2908	6385f71bd1dc03384032ca274ab9f23f.exe	35
PID 2908 wrote to memory of 2592	2908	6385f71bd1dc03384032ca274ab9f23f.exe	35
PID 2908 wrote to memory of 2592	2908	6385f71bd1dc03384032ca274ab9f23f.exe	35
PID 2908 wrote to memory of 1884	2908	6385f71bd1dc03384032ca274ab9f23f.exe	39
PID 2908 wrote to memory of 1884	2908	6385f71bd1dc03384032ca274ab9f23f.exe	39
PID 2908 wrote to memory of 1884	2908	6385f71bd1dc03384032ca274ab9f23f.exe	39
PID 2908 wrote to memory of 1884	2908	6385f71bd1dc03384032ca274ab9f23f.exe	39
PID 2908 wrote to memory of 1884	2908	6385f71bd1dc03384032ca274ab9f23f.exe	39
PID 2908 wrote to memory of 1884	2908	6385f71bd1dc03384032ca274ab9f23f.exe	39
PID 2908 wrote to memory of 1884	2908	6385f71bd1dc03384032ca274ab9f23f.exe	39
PID 3016 wrote to memory of 2860	3016	341d.exe	38
PID 3016 wrote to memory of 2860	3016	341d.exe	38
PID 3016 wrote to memory of 2860	3016	341d.exe	38
PID 3016 wrote to memory of 2860	3016	341d.exe	38
PID 3016 wrote to memory of 2860	3016	341d.exe	38
PID 3016 wrote to memory of 2860	3016	341d.exe	38
PID 3016 wrote to memory of 2860	3016	341d.exe	38
PID 2908 wrote to memory of 588	2908	6385f71bd1dc03384032ca274ab9f23f.exe	40

C:\Users\Admin\AppData\Local\Temp\6385f71bd1dc03384032ca274ab9f23f.exe
"C:\Users\Admin\AppData\Local\Temp\6385f71bd1dc03384032ca274ab9f23f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"
  2⤵
  PID:2624
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"
  2⤵
  PID:2904
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"
  2⤵
  PID:1920
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b34o.dll"
  2⤵
  PID:2996
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b34o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2828
- C:\Windows\SysWOW64\341d.exe
  C:\Windows\system32/341d.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2660
- C:\Windows\SysWOW64\341d.exe
  C:\Windows\system32/341d.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1884
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll, Always
  2⤵
  - Loads dropped DLL
  PID:588

C:\Windows\SysWOW64\341d.exe
C:\Windows\SysWOW64\341d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
140KB

MD5
a50feaeffacc9513fa8545166f7bd745

SHA1
50b73050579234822a6daffd607cfb1bfbefb973

SHA256
9c8427353d893195d3a74b3f2e5f746b28b54ba6a08cb11dc94e2d24edeb5493

SHA512
fde201f183985b9a6bfde09fb18782fe34115d5eaab9449ddf9d44c9096634b50cb01621418f5f5aceb8f6f46968eddbf7386c526a34b142b12eaef0f9156011

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
76KB

MD5
3ebcc592ee84567d4b0a100503288e61

SHA1
866d74724560b31f3b47fd874f9f1838daf4f8e3

SHA256
27efdcc9b288ea47f26c4fddc8f9a5b9352b21858d0d66702c84b0464dbcd795

SHA512
b0e1987ee856756bd7f89f367da69ed8966284bde8a7d6aa7d47fdc91a3a049a3130152717e436b2dcf14813c71840293b2a75d7ba974ef7637b4e0a50d85715

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
424KB

MD5
cf195158ebb729769fc6496f89200621

SHA1
34e40124b79e9d892a4c17628a7b7c374c20f220

SHA256
c204a4fcac70a44d143c0271992ab7303430cfd044b832052b3f4c45a5b4df9e

SHA512
79d1c8f40a8f435b594585392cd98213d45240c4b352bc502fad853461e39eb885b4ed591b7b671b1d30409f9a98ea82f1c10baaa4728e98e045e53ef69997e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
220KB

MD5
f46eac0bbc2146b444d68fbbe5216518

SHA1
8a86265fc44b529deaf2a6317790441ac454e213

SHA256
22ecc67d90a89feb5613a406826aea57cc0386c143bbda1e5124344677ab22c5

SHA512
12e108d49a5682102360b900dd7c2908f9f893d63b842387c33339742ce931a67badb913f67d747e95ff7fc81e70c8f63e2cfdf1324e7fa0c04663cb7a0af7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\it8b28\tmp.exe

Filesize
104KB

MD5
4e30ec6cb01a0db0c809dde246a4dd91

SHA1
a4a011b37fb85ba86d969c1a9209ea6566a20936

SHA256
88db888887432c3a64c50077c1c8c02c13794339a82d7328ab2bca2652f208d9

SHA512
809125ae53709ac598a27394259a296a244af3ed7ba20f5b416586312199116e38670e2356eae896c23706c0b18e9217c03e9680c6999a6893a7003b618fe95f

Download Submit
C:\Windows\SysWOW64\341d.exe

Filesize
82KB

MD5
d9e9c122dcdae09aef7d6c2008784cb2

SHA1
91336d818b2c7cb84c8120de4655a55098e3e49e

SHA256
c5b9555c4052b9e4288c37db06dbddb21cbf7898cb9d945e718b164ff9ce3b34

SHA512
6e6735be723ded90dcfd7ec514da6653f8e91576074b5b7ea278e2c06d5f18564d066f6620a82d2311c4228b7fb958aa59b3f23aaa439a16dc312e54f411666d

Download Submit
\Windows\SysWOW64\341d.exe

Filesize
192KB

MD5
e413f0ac8ffc689cd6a34a5fbd5932ad

SHA1
ad17fdf330d2018fcba8d88baf07859c9dd32f38

SHA256
a8333b015a7d08deb307a9a2a3c75a2aa18f83c8e57144691961bf4b86594284

SHA512
a4b1ee7133e0840983b6a1becc91d23148663477ad599db52ff9b51a99cfd064b2d621ca502a86efb7f4a35ed5a7cec2b2478b496d6aabe2d6c0d16746fdd0ec

Download Submit
\Windows\SysWOW64\341d.exe

Filesize
128KB

MD5
01e9cdab0052f60ac77038c48c4b4a86

SHA1
ed4d6cd26540cf35e765fc1d6e97268173e0db0e

SHA256
a73c1db0d4d59253ce275faf5edd1260706f3421c508cd9328dbfd44dca06eae

SHA512
84399167076d341607b7ef01780102c300f06e657362c11b2673287346339940a2f7b2a4882bc74312b8c4269c697d0306a223c00c46ecdbf2ea919f2d481d98

Download Submit