cd7a63b7832ec167c20e80bfa0e5868b76a783fe0ccfd94f9a0c451aa6071848

Analysis

max time kernel
147s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 00:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e5bdca7a9de1721844c83a9736f4247.exe
Size

532KB
MD5

7e5bdca7a9de1721844c83a9736f4247
SHA1

46275c285cb45b0c86027e70f46efd5bee8de520
SHA256

cd7a63b7832ec167c20e80bfa0e5868b76a783fe0ccfd94f9a0c451aa6071848
SHA512

d94dba5101b7b1bdf70fcd1d22acb7322a035bcc82696f591f58d95784062e7c4c655674b2c1efdf64e072c339239384a876ca7e94764f1322c057d66dbc9751
SSDEEP

12288:hDu9km32xPExY8th3idkuAgul3a9xvqBFHkadO4ceNw3c6RHRkfWdDH:tRm3YP+tRSnAgu89wmadO4ceJ0R5L

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bffd.exe

Executes dropped EXE 3 IoCs

pid	Process
2728	bffd.exe
2464	bffd.exe
2944	bffd.exe

Loads dropped DLL 49 IoCs

pid	Process
2576	regsvr32.exe
2200	7e5bdca7a9de1721844c83a9736f4247.exe
2200	7e5bdca7a9de1721844c83a9736f4247.exe
2728	bffd.exe
2728	bffd.exe
2728	bffd.exe
2200	7e5bdca7a9de1721844c83a9736f4247.exe
2200	7e5bdca7a9de1721844c83a9736f4247.exe
2464	bffd.exe
2464	bffd.exe
2464	bffd.exe
2944	bffd.exe
936	rundll32.exe
2788	rundll32.exe
936	rundll32.exe
2788	rundll32.exe
936	rundll32.exe
936	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe
2944	bffd.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46A35925-FC76-4647-8355-692142C079AF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{46A35925-FC76-4647-8355-692142C079AF}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	\??\PhysicalDrive0	bffd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dll	7e5bdca7a9de1721844c83a9736f4247.exe
File created	C:\Windows\SysWOW64\3dd	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\bffd.exe	7e5bdca7a9de1721844c83a9736f4247.exe
File created	C:\Windows\SysWOW64\53-98-120-81	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\841e.dll	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dlltmp	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\14ba.exe	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\a8f.flv	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\6f1u.bmp	7e5bdca7a9de1721844c83a9736f4247.exe
File created	C:\Windows\Tasks\ms.job	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\bf14.bmp	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\a8fd.exe	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\4bad.flv	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\8f6d.exe	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\f6f.bmp	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\8f6.exe	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\a34b.flv	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\f6fu.bmp	7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification	C:\Windows\a8fd.flv	7e5bdca7a9de1721844c83a9736f4247.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\ = "{B38FF7EF-13A6-4FAD-878F-73F280B31691}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\VersionIndependentProgID\ = "BHO.MsnPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ = "IMsnPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\ = "CMsnPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\CLSID\ = "{46A35925-FC76-4647-8355-692142C079AF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\ = "CMsnPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\ProgID\ = "BHO.MsnPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CurVer\ = "BHO.MsnPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\ = "CMsnPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\TypeLib\ = "{B38FF7EF-13A6-4FAD-878F-73F280B31691}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ = "IMsnPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CLSID\ = "{46A35925-FC76-4647-8355-692142C079AF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\ = "{B38FF7EF-13A6-4FAD-878F-73F280B31691}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2944	bffd.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2592	2200	7e5bdca7a9de1721844c83a9736f4247.exe	28
PID 2200 wrote to memory of 2592	2200	7e5bdca7a9de1721844c83a9736f4247.exe	28
PID 2200 wrote to memory of 2592	2200	7e5bdca7a9de1721844c83a9736f4247.exe	28
PID 2200 wrote to memory of 2592	2200	7e5bdca7a9de1721844c83a9736f4247.exe	28
PID 2200 wrote to memory of 2592	2200	7e5bdca7a9de1721844c83a9736f4247.exe	28
PID 2200 wrote to memory of 2592	2200	7e5bdca7a9de1721844c83a9736f4247.exe	28
PID 2200 wrote to memory of 2592	2200	7e5bdca7a9de1721844c83a9736f4247.exe	28
PID 2200 wrote to memory of 2600	2200	7e5bdca7a9de1721844c83a9736f4247.exe	29
PID 2200 wrote to memory of 2600	2200	7e5bdca7a9de1721844c83a9736f4247.exe	29
PID 2200 wrote to memory of 2600	2200	7e5bdca7a9de1721844c83a9736f4247.exe	29
PID 2200 wrote to memory of 2600	2200	7e5bdca7a9de1721844c83a9736f4247.exe	29
PID 2200 wrote to memory of 2600	2200	7e5bdca7a9de1721844c83a9736f4247.exe	29
PID 2200 wrote to memory of 2600	2200	7e5bdca7a9de1721844c83a9736f4247.exe	29
PID 2200 wrote to memory of 2600	2200	7e5bdca7a9de1721844c83a9736f4247.exe	29
PID 2200 wrote to memory of 2652	2200	7e5bdca7a9de1721844c83a9736f4247.exe	31
PID 2200 wrote to memory of 2652	2200	7e5bdca7a9de1721844c83a9736f4247.exe	31
PID 2200 wrote to memory of 2652	2200	7e5bdca7a9de1721844c83a9736f4247.exe	31
PID 2200 wrote to memory of 2652	2200	7e5bdca7a9de1721844c83a9736f4247.exe	31
PID 2200 wrote to memory of 2652	2200	7e5bdca7a9de1721844c83a9736f4247.exe	31
PID 2200 wrote to memory of 2652	2200	7e5bdca7a9de1721844c83a9736f4247.exe	31
PID 2200 wrote to memory of 2652	2200	7e5bdca7a9de1721844c83a9736f4247.exe	31
PID 2200 wrote to memory of 2656	2200	7e5bdca7a9de1721844c83a9736f4247.exe	30
PID 2200 wrote to memory of 2656	2200	7e5bdca7a9de1721844c83a9736f4247.exe	30
PID 2200 wrote to memory of 2656	2200	7e5bdca7a9de1721844c83a9736f4247.exe	30
PID 2200 wrote to memory of 2656	2200	7e5bdca7a9de1721844c83a9736f4247.exe	30
PID 2200 wrote to memory of 2656	2200	7e5bdca7a9de1721844c83a9736f4247.exe	30
PID 2200 wrote to memory of 2656	2200	7e5bdca7a9de1721844c83a9736f4247.exe	30
PID 2200 wrote to memory of 2656	2200	7e5bdca7a9de1721844c83a9736f4247.exe	30
PID 2200 wrote to memory of 2576	2200	7e5bdca7a9de1721844c83a9736f4247.exe	32
PID 2200 wrote to memory of 2576	2200	7e5bdca7a9de1721844c83a9736f4247.exe	32
PID 2200 wrote to memory of 2576	2200	7e5bdca7a9de1721844c83a9736f4247.exe	32
PID 2200 wrote to memory of 2576	2200	7e5bdca7a9de1721844c83a9736f4247.exe	32
PID 2200 wrote to memory of 2576	2200	7e5bdca7a9de1721844c83a9736f4247.exe	32
PID 2200 wrote to memory of 2576	2200	7e5bdca7a9de1721844c83a9736f4247.exe	32
PID 2200 wrote to memory of 2576	2200	7e5bdca7a9de1721844c83a9736f4247.exe	32
PID 2200 wrote to memory of 2728	2200	7e5bdca7a9de1721844c83a9736f4247.exe	33
PID 2200 wrote to memory of 2728	2200	7e5bdca7a9de1721844c83a9736f4247.exe	33
PID 2200 wrote to memory of 2728	2200	7e5bdca7a9de1721844c83a9736f4247.exe	33
PID 2200 wrote to memory of 2728	2200	7e5bdca7a9de1721844c83a9736f4247.exe	33
PID 2200 wrote to memory of 2728	2200	7e5bdca7a9de1721844c83a9736f4247.exe	33
PID 2200 wrote to memory of 2728	2200	7e5bdca7a9de1721844c83a9736f4247.exe	33
PID 2200 wrote to memory of 2728	2200	7e5bdca7a9de1721844c83a9736f4247.exe	33
PID 2200 wrote to memory of 2464	2200	7e5bdca7a9de1721844c83a9736f4247.exe	37
PID 2200 wrote to memory of 2464	2200	7e5bdca7a9de1721844c83a9736f4247.exe	37
PID 2200 wrote to memory of 2464	2200	7e5bdca7a9de1721844c83a9736f4247.exe	37
PID 2200 wrote to memory of 2464	2200	7e5bdca7a9de1721844c83a9736f4247.exe	37
PID 2200 wrote to memory of 2464	2200	7e5bdca7a9de1721844c83a9736f4247.exe	37
PID 2200 wrote to memory of 2464	2200	7e5bdca7a9de1721844c83a9736f4247.exe	37
PID 2200 wrote to memory of 2464	2200	7e5bdca7a9de1721844c83a9736f4247.exe	37
PID 2200 wrote to memory of 936	2200	7e5bdca7a9de1721844c83a9736f4247.exe	38
PID 2200 wrote to memory of 936	2200	7e5bdca7a9de1721844c83a9736f4247.exe	38
PID 2200 wrote to memory of 936	2200	7e5bdca7a9de1721844c83a9736f4247.exe	38
PID 2200 wrote to memory of 936	2200	7e5bdca7a9de1721844c83a9736f4247.exe	38
PID 2200 wrote to memory of 936	2200	7e5bdca7a9de1721844c83a9736f4247.exe	38
PID 2200 wrote to memory of 936	2200	7e5bdca7a9de1721844c83a9736f4247.exe	38
PID 2200 wrote to memory of 936	2200	7e5bdca7a9de1721844c83a9736f4247.exe	38
PID 2944 wrote to memory of 2788	2944	bffd.exe	39
PID 2944 wrote to memory of 2788	2944	bffd.exe	39
PID 2944 wrote to memory of 2788	2944	bffd.exe	39
PID 2944 wrote to memory of 2788	2944	bffd.exe	39
PID 2944 wrote to memory of 2788	2944	bffd.exe	39
PID 2944 wrote to memory of 2788	2944	bffd.exe	39
PID 2944 wrote to memory of 2788	2944	bffd.exe	39

C:\Users\Admin\AppData\Local\Temp\7e5bdca7a9de1721844c83a9736f4247.exe
"C:\Users\Admin\AppData\Local\Temp\7e5bdca7a9de1721844c83a9736f4247.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
  2⤵
  PID:2592
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
  2⤵
  PID:2600
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
  2⤵
  PID:2656
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2576
- C:\Windows\SysWOW64\bffd.exe
  C:\Windows\system32\bffd.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2728
- C:\Windows\SysWOW64\bffd.exe
  C:\Windows\system32\bffd.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2464
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
  2⤵
  - Loads dropped DLL
  PID:936

C:\Windows\SysWOW64\bffd.exe
C:\Windows\SysWOW64\bffd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
120KB

MD5
bdc0424724fbcaa779cca4f81e7666a6

SHA1
6712d6f39f09218f547e6ad61b744708f129e322

SHA256
d3fd4fe333428fa07a083b7f8885aac60405e9e70ecef6a2d2a08863d8be9857

SHA512
46c5b901d59fb3963f19a1e08495dca3c836029315a06d8793a6a92d838a3ea7383f16a81d0aeba80bd72a00b372179aa4333515a86f07ccbf4f54963abfbc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
257KB

MD5
eb26df04292eb535c1c29a6e4a755587

SHA1
a37e222819e059bf695874473e99e09db49fd3c3

SHA256
1299225ac1ce5fee371ea9017ee55359cd3bce5c827db0c22d71db3f6964def6

SHA512
45001759225e06b7300524dd09ef2105a3cd7540466e93e6841c302b570310b4202152e7fa7f82f1658af35401b85260eda2834985e965817ed8d401542c33b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
172KB

MD5
50f6a9caa5c03dce661e579b37b764d5

SHA1
eb6ccac84ce01689aa2a9bc4d97241fbe57041a4

SHA256
edbd4cf1306ac2cf6cad35579ee3dcb00a7450b6dfbd8d330928442dc4c10a6e

SHA512
20e201bd75abc8c1d48b6d2e4aeb0f1111c3f7d5dbc479a718da772679e071ecc7e1b700e1c6918cf5bf5911e1f0d1296e14296236ac9c34c0865db536045f11

Download Submit
C:\Windows\SysWOW64\841e.dll

Filesize
480KB

MD5
bc135d3fe109d845e1214cf27d8440dd

SHA1
6dfdac553856a77a85d95e9a3846f31d9a24e094

SHA256
5dfb0e47fd703915ff84d773c93c43f597046223ba1d038b50ea622b89df6e22

SHA512
695a23f3d2c45f4ac588785e003ff1c2cd079b9193656276fe49b3c492ec9090b86a5da716d53b5952da90f44f5eb6a8014172e4e96c6c4e6ecc582b553292fb

Download Submit