Analysis

max time kernel: 147s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 29/01/2024, 00:06
Static task: static1

Behavioral task: behavioral1
  Sample: 7e5bdca7a9de1721844c83a9736f4247.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 7e5bdca7a9de1721844c83a9736f4247.exe
  Resource: win10v2004-20231215-en
General

Target: 7e5bdca7a9de1721844c83a9736f4247.exe
Size: 532KB
MD5: 7e5bdca7a9de1721844c83a9736f4247
SHA1: 46275c285cb45b0c86027e70f46efd5bee8de520
SHA256: cd7a63b7832ec167c20e80bfa0e5868b76a783fe0ccfd94f9a0c451aa6071848
SHA512: d94dba5101b7b1bdf70fcd1d22acb7322a035bcc82696f591f58d95784062e7c4c655674b2c1efdf64e072c339239384a876ca7e94764f1322c057d66dbc9751
SSDEEP: 12288:hDu9km32xPExY8th3idkuAgul3a9xvqBFHkadO4ceNw3c6RHRkfWdDH:tRm3YP+tRSnAgu89wmadO4ceJ0R5L
Malware Config

Signatures
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | bffd.exe
Executes dropped EXE (3 IoCs)
pid | Process
2728 | bffd.exe
2464 | bffd.exe
2944 | bffd.exe
Loads dropped DLL (49 IoCs)
pid | Process
2576 | regsvr32.exe
2200 | 7e5bdca7a9de1721844c83a9736f4247.exe
2200 | 7e5bdca7a9de1721844c83a9736f4247.exe
2728 | bffd.exe
2728 | bffd.exe
2728 | bffd.exe
2200 | 7e5bdca7a9de1721844c83a9736f4247.exe
2200 | 7e5bdca7a9de1721844c83a9736f4247.exe
2464 | bffd.exe
2464 | bffd.exe
2464 | bffd.exe
2944 | bffd.exe
936 | rundll32.exe
2788 | rundll32.exe
936 | rundll32.exe
2788 | rundll32.exe
936 | rundll32.exe
936 | rundll32.exe
2788 | rundll32.exe
2788 | rundll32.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
2944 | bffd.exe
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46A35925-FC76-4647-8355-692142C079AF} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{46A35925-FC76-4647-8355-692142C079AF}\ | regsvr32.exe
Writes to the Master Boot Record (MBR) (1 TTP, 3 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | \??\PhysicalDrive0 | bffd.exe
File opened for modification | \??\PhysicalDrive0 | rundll32.exe
Drops file in System32 directory (19 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\1ba4.dll | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\144d.exe | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\8b4o.dll | 7e5bdca7a9de1721844c83a9736f4247.exe
File created | C:\Windows\SysWOW64\3dd | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\a1l8.dlltmp | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\b4cb.dlltmp | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\4f3r.dlltmp | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\bffd.exe | 7e5bdca7a9de1721844c83a9736f4247.exe
File created | C:\Windows\SysWOW64\53-98-120-81 | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\4f3r.dll | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\841e.dll | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\8b4o.dlltmp | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\3bef.dll | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\14rb.exe | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\b4cb.dll | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\34ua.exe | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\b3fs.dll | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\a1l8.dll | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
Drops file in Windows directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\14ba.exe | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\a8f.flv | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\6f1u.bmp | 7e5bdca7a9de1721844c83a9736f4247.exe
File created | C:\Windows\Tasks\ms.job | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\bf14.bmp | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\a8fd.exe | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\4bad.flv | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\8f6d.exe | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\f6f.bmp | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\8f6.exe | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\a34b.flv | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\f6fu.bmp | 7e5bdca7a9de1721844c83a9736f4247.exe
File opened for modification | C:\Windows\a8fd.flv | 7e5bdca7a9de1721844c83a9736f4247.exe
Modifies registry class (47 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\ = "{B38FF7EF-13A6-4FAD-878F-73F280B31691}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\VersionIndependentProgID\ = "BHO.MsnPlayer" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\FLAGS\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ = "IMsnPlayer" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\FLAGS | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\ = "CMsnPlayer Object" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\CLSID\ = "{46A35925-FC76-4647-8355-692142C079AF}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\ = "CMsnPlayer Object" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\ProgID\ = "BHO.MsnPlayer.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\InprocServer32\ThreadingModel = "apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\AppID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CurVer\ = "BHO.MsnPlayer.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\ = "CMsnPlayer Object" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\0\win32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\TypeLib\ = "{B38FF7EF-13A6-4FAD-878F-73F280B31691}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\HELPDIR | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ = "IMsnPlayer" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CLSID\ = "{46A35925-FC76-4647-8355-692142C079AF}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CurVer | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\ = "BHO 1.0 Type Library" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\ = "{B38FF7EF-13A6-4FAD-878F-73F280B31691}" | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
2944 | bffd.exe
Suspicious use of WriteProcessMemory (63 IoCs)
description | pid | Process | procid_target
PID 2200 wrote to memory of 2592 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 28
PID 2200 wrote to memory of 2592 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 28
PID 2200 wrote to memory of 2592 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 28
PID 2200 wrote to memory of 2592 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 28
PID 2200 wrote to memory of 2592 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 28
PID 2200 wrote to memory of 2592 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 28
PID 2200 wrote to memory of 2592 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 28
PID 2200 wrote to memory of 2600 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 29
PID 2200 wrote to memory of 2600 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 29
PID 2200 wrote to memory of 2600 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 29
PID 2200 wrote to memory of 2600 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 29
PID 2200 wrote to memory of 2600 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 29
PID 2200 wrote to memory of 2600 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 29
PID 2200 wrote to memory of 2600 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 29
PID 2200 wrote to memory of 2652 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 31
PID 2200 wrote to memory of 2652 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 31
PID 2200 wrote to memory of 2652 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 31
PID 2200 wrote to memory of 2652 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 31
PID 2200 wrote to memory of 2652 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 31
PID 2200 wrote to memory of 2652 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 31
PID 2200 wrote to memory of 2652 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 31
PID 2200 wrote to memory of 2656 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 30
PID 2200 wrote to memory of 2656 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 30
PID 2200 wrote to memory of 2656 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 30
PID 2200 wrote to memory of 2656 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 30
PID 2200 wrote to memory of 2656 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 30
PID 2200 wrote to memory of 2656 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 30
PID 2200 wrote to memory of 2656 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 30
PID 2200 wrote to memory of 2576 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 32
PID 2200 wrote to memory of 2576 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 32
PID 2200 wrote to memory of 2576 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 32
PID 2200 wrote to memory of 2576 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 32
PID 2200 wrote to memory of 2576 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 32
PID 2200 wrote to memory of 2576 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 32
PID 2200 wrote to memory of 2576 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 32
PID 2200 wrote to memory of 2728 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 33
PID 2200 wrote to memory of 2728 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 33
PID 2200 wrote to memory of 2728 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 33
PID 2200 wrote to memory of 2728 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 33
PID 2200 wrote to memory of 2728 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 33
PID 2200 wrote to memory of 2728 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 33
PID 2200 wrote to memory of 2728 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 33
PID 2200 wrote to memory of 2464 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 37
PID 2200 wrote to memory of 2464 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 37
PID 2200 wrote to memory of 2464 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 37
PID 2200 wrote to memory of 2464 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 37
PID 2200 wrote to memory of 2464 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 37
PID 2200 wrote to memory of 2464 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 37
PID 2200 wrote to memory of 2464 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 37
PID 2200 wrote to memory of 936 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 38
PID 2200 wrote to memory of 936 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 38
PID 2200 wrote to memory of 936 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 38
PID 2200 wrote to memory of 936 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 38
PID 2200 wrote to memory of 936 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 38
PID 2200 wrote to memory of 936 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 38
PID 2200 wrote to memory of 936 | 2200 | 7e5bdca7a9de1721844c83a9736f4247.exe | 38
PID 2944 wrote to memory of 2788 | 2944 | bffd.exe | 39
PID 2944 wrote to memory of 2788 | 2944 | bffd.exe | 39
PID 2944 wrote to memory of 2788 | 2944 | bffd.exe | 39
PID 2944 wrote to memory of 2788 | 2944 | bffd.exe | 39
PID 2944 wrote to memory of 2788 | 2944 | bffd.exe | 39
PID 2944 wrote to memory of 2788 | 2944 | bffd.exe | 39
PID 2944 wrote to memory of 2788 | 2944 | bffd.exe | 39
Processes

C:\Users\Admin\AppData\Local\Temp\7e5bdca7a9de1721844c83a9736f4247.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e5bdca7a9de1721844c83a9736f4247.exe"
  PID: 2200
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
    PID: 2592

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
    PID: 2600

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
    PID: 2656

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
    PID: 2652

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
    PID: 2576
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class

  C:\Windows\SysWOW64\bffd.exe
    Command line: C:\Windows\system32\bffd.exe -i
    PID: 2728
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Windows\SysWOW64\bffd.exe
    Command line: C:\Windows\system32\bffd.exe -s
    PID: 2464
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
    PID: 936
    - Loads dropped DLL

C:\Windows\SysWOW64\bffd.exe
  Command line: C:\Windows\SysWOW64\bffd.exe
  PID: 2944
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
    PID: 2788
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 120KB
MD5: bdc0424724fbcaa779cca4f81e7666a6
SHA1: 6712d6f39f09218f547e6ad61b744708f129e322
SHA256: d3fd4fe333428fa07a083b7f8885aac60405e9e70ecef6a2d2a08863d8be9857
SHA512: 46c5b901d59fb3963f19a1e08495dca3c836029315a06d8793a6a92d838a3ea7383f16a81d0aeba80bd72a00b372179aa4333515a86f07ccbf4f54963abfbc6b

Filesize: 257KB
MD5: eb26df04292eb535c1c29a6e4a755587
SHA1: a37e222819e059bf695874473e99e09db49fd3c3
SHA256: 1299225ac1ce5fee371ea9017ee55359cd3bce5c827db0c22d71db3f6964def6
SHA512: 45001759225e06b7300524dd09ef2105a3cd7540466e93e6841c302b570310b4202152e7fa7f82f1658af35401b85260eda2834985e965817ed8d401542c33b5

Filesize: 172KB
MD5: 50f6a9caa5c03dce661e579b37b764d5
SHA1: eb6ccac84ce01689aa2a9bc4d97241fbe57041a4
SHA256: edbd4cf1306ac2cf6cad35579ee3dcb00a7450b6dfbd8d330928442dc4c10a6e
SHA512: 20e201bd75abc8c1d48b6d2e4aeb0f1111c3f7d5dbc479a718da772679e071ecc7e1b700e1c6918cf5bf5911e1f0d1296e14296236ac9c34c0865db536045f11

Filesize: 480KB
MD5: bc135d3fe109d845e1214cf27d8440dd
SHA1: 6dfdac553856a77a85d95e9a3846f31d9a24e094
SHA256: 5dfb0e47fd703915ff84d773c93c43f597046223ba1d038b50ea622b89df6e22
SHA512: 695a23f3d2c45f4ac588785e003ff1c2cd079b9193656276fe49b3c492ec9090b86a5da716d53b5952da90f44f5eb6a8014172e4e96c6c4e6ecc582b553292fb