8ccecbcc5fe4670e7c67a7c851f1ac478e2d38c249307b11e77f34dc04e69d73

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 17:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7da18a3e51d54b5ee1de595eb54dc0cf.exe
Size

345KB
MD5

7da18a3e51d54b5ee1de595eb54dc0cf
SHA1

2611914a98da93c30bec53e3714de7d5683ebef3
SHA256

8ccecbcc5fe4670e7c67a7c851f1ac478e2d38c249307b11e77f34dc04e69d73
SHA512

d42bd1fdc7c3ea3247ecbe4ee7ee5f76a89cc790e0082e80767b3a2ee0b136ff49b2af2695675ea2837fdcda5aecf00205586d9e60afb9b66bfbab3797ed986f
SSDEEP

6144:4Ds9+0eSwi5eSqgULb1INQS5muT9EvORYze478pYBh8F1s:7+1LBgUf1IqS5mhOd4opUh8F1

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a31d.exe

Executes dropped EXE 4 IoCs

pid	Process
2620	a31d.exe
2832	a31d.exe
2440	a31d.exe
2808	mtv.exe

Loads dropped DLL 53 IoCs

pid	Process
2356	regsvr32.exe
2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe
2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe
2620	a31d.exe
2620	a31d.exe
2620	a31d.exe
2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe
2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe
2832	a31d.exe
2832	a31d.exe
2832	a31d.exe
2440	a31d.exe
2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe
2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe
2808	mtv.exe
2808	mtv.exe
2808	mtv.exe
2612	rundll32.exe
2612	rundll32.exe
2612	rundll32.exe
2612	rundll32.exe
1460	rundll32.exe
1460	rundll32.exe
1460	rundll32.exe
1460	rundll32.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe
2440	a31d.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	\??\PhysicalDrive0	a31d.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ab1e.dll	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\3b4o.dll	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\a31d.exe	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\3b4o.dlltmp	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File created	C:\Windows\SysWOW64\üò"9142-83-18	rundll32.exe
File created	C:\Windows\SysWOW64\263f	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\8f6.exe	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\6f1u.bmp	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\ba8d.flv	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\4bad.flv	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File created	C:\Windows\Tasks\ms.job	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\14ba.exe	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\f6f.bmp	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\a8f.flv	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\a8fd.exe	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\ba8d.exe	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\bf14.bmp	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\a34b.flv	7da18a3e51d54b5ee1de595eb54dc0cf.exe
File opened for modification	C:\Windows\ba8u.bmp	7da18a3e51d54b5ee1de595eb54dc0cf.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\ = "CTttPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID\ = "{BA1B62CC-6D79-4901-B6A2-409F98906E9D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\ProgID\ = "BHO.TttPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\VersionIndependentProgID\ = "BHO.TttPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\3b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\ = "ITttPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\ = "CTttPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\ = "ITttPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\TypeLib\ = "{F914606B-7622-4364-9FCA-889F50C497D8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\3b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\ = "CTttPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID\ = "{BA1B62CC-6D79-4901-B6A2-409F98906E9D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\TypeLib\ = "{F914606B-7622-4364-9FCA-889F50C497D8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer\ = "BHO.TttPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\TypeLib\ = "{F914606B-7622-4364-9FCA-889F50C497D8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2440	a31d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2808	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2084	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	28
PID 2540 wrote to memory of 2084	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	28
PID 2540 wrote to memory of 2084	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	28
PID 2540 wrote to memory of 2084	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	28
PID 2540 wrote to memory of 2084	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	28
PID 2540 wrote to memory of 2084	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	28
PID 2540 wrote to memory of 2084	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	28
PID 2540 wrote to memory of 2600	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	29
PID 2540 wrote to memory of 2600	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	29
PID 2540 wrote to memory of 2600	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	29
PID 2540 wrote to memory of 2600	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	29
PID 2540 wrote to memory of 2600	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	29
PID 2540 wrote to memory of 2600	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	29
PID 2540 wrote to memory of 2600	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	29
PID 2540 wrote to memory of 2868	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	30
PID 2540 wrote to memory of 2868	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	30
PID 2540 wrote to memory of 2868	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	30
PID 2540 wrote to memory of 2868	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	30
PID 2540 wrote to memory of 2868	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	30
PID 2540 wrote to memory of 2868	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	30
PID 2540 wrote to memory of 2868	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	30
PID 2540 wrote to memory of 2944	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	31
PID 2540 wrote to memory of 2944	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	31
PID 2540 wrote to memory of 2944	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	31
PID 2540 wrote to memory of 2944	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	31
PID 2540 wrote to memory of 2944	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	31
PID 2540 wrote to memory of 2944	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	31
PID 2540 wrote to memory of 2944	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	31
PID 2540 wrote to memory of 2356	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	32
PID 2540 wrote to memory of 2356	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	32
PID 2540 wrote to memory of 2356	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	32
PID 2540 wrote to memory of 2356	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	32
PID 2540 wrote to memory of 2356	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	32
PID 2540 wrote to memory of 2356	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	32
PID 2540 wrote to memory of 2356	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	32
PID 2540 wrote to memory of 2620	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	33
PID 2540 wrote to memory of 2620	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	33
PID 2540 wrote to memory of 2620	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	33
PID 2540 wrote to memory of 2620	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	33
PID 2540 wrote to memory of 2620	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	33
PID 2540 wrote to memory of 2620	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	33
PID 2540 wrote to memory of 2620	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	33
PID 2540 wrote to memory of 2832	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	36
PID 2540 wrote to memory of 2832	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	36
PID 2540 wrote to memory of 2832	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	36
PID 2540 wrote to memory of 2832	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	36
PID 2540 wrote to memory of 2832	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	36
PID 2540 wrote to memory of 2832	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	36
PID 2540 wrote to memory of 2832	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	36
PID 2540 wrote to memory of 2808	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	38
PID 2540 wrote to memory of 2808	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	38
PID 2540 wrote to memory of 2808	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	38
PID 2540 wrote to memory of 2808	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	38
PID 2540 wrote to memory of 2808	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	38
PID 2540 wrote to memory of 2808	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	38
PID 2540 wrote to memory of 2808	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	38
PID 2440 wrote to memory of 2612	2440	a31d.exe	39
PID 2440 wrote to memory of 2612	2440	a31d.exe	39
PID 2440 wrote to memory of 2612	2440	a31d.exe	39
PID 2440 wrote to memory of 2612	2440	a31d.exe	39
PID 2440 wrote to memory of 2612	2440	a31d.exe	39
PID 2440 wrote to memory of 2612	2440	a31d.exe	39
PID 2440 wrote to memory of 2612	2440	a31d.exe	39
PID 2540 wrote to memory of 1460	2540	7da18a3e51d54b5ee1de595eb54dc0cf.exe	40

C:\Users\Admin\AppData\Local\Temp\7da18a3e51d54b5ee1de595eb54dc0cf.exe
"C:\Users\Admin\AppData\Local\Temp\7da18a3e51d54b5ee1de595eb54dc0cf.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"
  2⤵
  PID:2084
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"
  2⤵
  PID:2600
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"
  2⤵
  PID:2868
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/3b4o.dll"
  2⤵
  PID:2944
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/3b4o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2356
- C:\Windows\SysWOW64\a31d.exe
  C:\Windows\system32/a31d.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2620
- C:\Windows\SysWOW64\a31d.exe
  C:\Windows\system32/a31d.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2808
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/ab1e.dll, Always
  2⤵
  - Loads dropped DLL
  PID:1460

C:\Windows\SysWOW64\a31d.exe
C:\Windows\SysWOW64\a31d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/ab1e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
123KB

MD5
a226954b80e9342dcba3314ac49b7d59

SHA1
f6ec9a9b241bb8de989d9b2ef32eb4cc8e3b2677

SHA256
24b4fb76ffe540fbb883a701ae906742ea91cf3b4a251e8a9314051cb4617830

SHA512
7c9aa50b90411cfa9939ccf7a6724fb9aaf88eccb712fb4076835210105515a55d0cf6e46bf2a902b6c468787e2cfc2ca8f930715a51e72c35eda829c3a50c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
80KB

MD5
0c63d973fcac01db24792fd79cc6816c

SHA1
f82ba1b0727c6be69e1555d8e338af44deb9194f

SHA256
02a9bdb0e2fc1ec27a75c4a694df6891e2bc5db4536b6b492cd3067e1378c81f

SHA512
f8a6d51078a4368eacfce44cec3d89f73686d1aeae25f2e5a4296d577e81a49d337dbd6cf475dbe079def47384439b4b43a84fb4de63e533bf1503b920183d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
278KB

MD5
b92d26ca6deeba21ceaef6e54110f536

SHA1
1e35d7dc8b86f7aa1cc898f5f9259722459693cf

SHA256
7b8210f5a652746ea0b1f23abedebe3d40b0dd352de67ae466c7ff3a78bb50a0

SHA512
ae20875002a9d059cd1301c7ce59b6a9db1936bd874d8d133e9c594513a180932218cffe879803a8ec3d33d73207115a561fec0bb1ee65314a149082d724877a

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
168KB

MD5
d3d4bc822f3c84161b09c0ff410749d1

SHA1
3d0808c74a71c7d76faa5839c2d23a500b76a7f8

SHA256
8c79dee6fc1b90d78f4e6353c4eab5efffba54167718cbc0961f19d97225dac8

SHA512
461d5f1e646ad9fea74283e97b21116f262ded653abfe405572421d368ea76401e4f72a29301b3f106e83ab932160193f5925809f305d1854425149233887ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kt4yho\tmp.exe

Filesize
112KB

MD5
b6f8c04cee4c3ce832aef1a3de272b31

SHA1
761a15c64b9cff4da1948842f376bb49ce115be1

SHA256
f429367ba2165e78a067388b85a4159c1693e8a94b7a145e2c83fac3920954af

SHA512
b4e6b9b50a1cbf409520d89f9e6d37a85dc7859d5204be94f355dbdc946a5d40e51fa0f8c49367a69507d0b4bd30c05805df4137fb17469349b47a6fcf06e5c4

Download Submit
C:\Windows\SysWOW64\ab1e.dll

Filesize
64KB

MD5
65fa2d4fb296c8b046ad4daf36294256

SHA1
2cea2e17249918dc56016fe6fc9fd4fa1f030e88

SHA256
3ec470c8ac0c6f1aa360b05c2e2d530ff1f3c00e2fc94e3635311a2d0c8bef3c

SHA512
385f9177bc3d953ef4916cc74c2d5f85ff558c32c079913e9bf45f5d6574309fcf4abc9c272167a8cc691895207e8c798ab0709a7b170808d7fcd9efb9f94d7e

Download Submit
memory/1460-143-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/1460-142-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/1460-140-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/2356-61-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2356-62-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/2440-165-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-176-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-228-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-229-0x0000000000AE0000-0x0000000000AE2000-memory.dmp

Filesize
8KB

Download
memory/2440-226-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download
memory/2440-89-0x00000000004A0000-0x00000000004A2000-memory.dmp

Filesize
8KB

Download
memory/2440-225-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-88-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-222-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-221-0x0000000000AC0000-0x0000000000AC2000-memory.dmp

Filesize
8KB

Download
memory/2440-220-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-145-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-146-0x00000000004B0000-0x00000000004B2000-memory.dmp

Filesize
8KB

Download
memory/2440-217-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-149-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/2440-151-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-152-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download
memory/2440-218-0x0000000000AB0000-0x0000000000AB2000-memory.dmp

Filesize
8KB

Download
memory/2440-155-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-156-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/2440-158-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-159-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download
memory/2440-214-0x0000000000AA0000-0x0000000000AA2000-memory.dmp

Filesize
8KB

Download
memory/2440-162-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-163-0x00000000007A0000-0x00000000007A2000-memory.dmp

Filesize
8KB

Download
memory/2440-213-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-166-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/2440-169-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-170-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/2440-172-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-173-0x0000000000FB0000-0x0000000000FB2000-memory.dmp

Filesize
8KB

Download
memory/2440-211-0x0000000000A90000-0x0000000000A92000-memory.dmp

Filesize
8KB

Download
memory/2440-177-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/2440-179-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-180-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

Filesize
8KB

Download
memory/2440-183-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-184-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

Filesize
8KB

Download
memory/2440-186-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-187-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

Filesize
8KB

Download
memory/2440-190-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-191-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2440-193-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-194-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2440-197-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-198-0x0000000000290000-0x0000000000292000-memory.dmp

Filesize
8KB

Download
memory/2440-200-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-201-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2440-204-0x0000000000A70000-0x0000000000A72000-memory.dmp

Filesize
8KB

Download
memory/2440-206-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2440-207-0x0000000000A80000-0x0000000000A82000-memory.dmp

Filesize
8KB

Download
memory/2440-210-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2540-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2540-1-0x0000000000240000-0x00000000002B3000-memory.dmp

Filesize
460KB

Download
memory/2540-139-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/2540-2-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2540-134-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2612-120-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/2612-161-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/2612-154-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/2612-148-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/2612-123-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2612-122-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/2612-121-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download