Overview

overview

8

Static

static

3

a1fdd1e367...b9.exe

windows7-x64

8

a1fdd1e367...b9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-02-2024 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1fdd1e367851bbd91cdde603d10d4b9.exe

  • Size

    552KB

  • MD5

    a1fdd1e367851bbd91cdde603d10d4b9

  • SHA1

    2b0f640b54ea44b7c59b31b7eb0c08e233ee4876

  • SHA256

    883d51c41271cd28a3b20969f14789c13bc5f7971f884013e84fc8d1f54f7304

  • SHA512

    8311f900beb589902ef014d385525a7728bce2154e6d24c9aa8f6ab8a988aa5aea64d10fa6d056f99995ba5f846ceb611df887056d15a27a6a266438433a6496

  • SSDEEP

    12288:2JupwI3iV2ENXh2mqBMDMe8BZqW9vg/ddK32s/QjkOSR2QaY:2PI3Q2yh27M0ZB0d+QjkjQm

Score
8/10
adwarebootkitpersistencestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 48 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 18 IoCs
  • Drops file in Windows directory 13 IoCs
  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1fdd1e367851bbd91cdde603d10d4b9.exe
    "C:\Users\Admin\AppData\Local\Temp\a1fdd1e367851bbd91cdde603d10d4b9.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
      2⤵
        PID:2564
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
        2⤵
          PID:2540
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
          2⤵
            PID:2420
          • C:\Windows\SysWOW64\regsvr32.exe
            C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
            2⤵
              PID:2824
            • C:\Windows\SysWOW64\regsvr32.exe
              C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
              2⤵
              • Loads dropped DLL
              • Installs/modifies Browser Helper Object
              • Modifies registry class
              PID:2892
            • C:\Windows\SysWOW64\bffd.exe
              C:\Windows\system32\bffd.exe -i
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2460
            • C:\Windows\SysWOW64\bffd.exe
              C:\Windows\system32\bffd.exe -s
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2488
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
              2⤵
              • Loads dropped DLL
              • Writes to the Master Boot Record (MBR)
              • Drops file in System32 directory
              PID:472
          • C:\Windows\SysWOW64\bffd.exe
            C:\Windows\SysWOW64\bffd.exe
            1⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Writes to the Master Boot Record (MBR)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2396
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
              2⤵
              • Loads dropped DLL
              PID:2632

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
            Filesize

            232KB

            MD5

            64d61fd417c364bee35936e4df51ee9f

            SHA1

            429fcba754a0c39c5da153fd72b451459b08abbc

            SHA256

            c629d5be3611dfbb39565590fb6583059405b31f78ae6e58a644717a809745c7

            SHA512

            f885db1d7923a24c26c18918dc75c0c9f43361cc9d38633c595753e2fb435c434599815a25e3d068709f19392b66977289adae14fe77b29e9abe7869acfe022a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
            Filesize

            412KB

            MD5

            bf17c7d9010da0d8bc1f21acf3a80e95

            SHA1

            03189303609a2fed6f5e07f45a4477d0af64334b

            SHA256

            63f8092073ab4ac4c2617c39462315134143a17c3bed56ad87dd00a9ec2ac4d2

            SHA512

            3345114b985cd3347eee9cdc749b9560a1f3e1d5f00db2a1d1f7e1962438c13ce2012bea13932debf28c7f637450e6820b2615352c627018fdcd6904ff5aa0a0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
            Filesize

            120KB

            MD5

            db32ce0a471f00c353b1cb1a650dbae0

            SHA1

            478fa371650158712aba22eefd461238bbc55408

            SHA256

            a917e388e3dd22744a16112ba410281ebc5e6b0010f560cd5f7bbf2388e9e02e

            SHA512

            c0aa83595d4e20c79c9ec72fe6aab0fcb4fe3e3035a74313c0c9edddec9a47fb8858afc1fba33c9d784b7a54550e5652d7256e36abd6c631c5d2a68725f71ae5

            Download Submit

          • \Windows\SysWOW64\8b4o.dll
            Filesize

            62KB

            MD5

            d0d2a8ecfeb237f431dc559af1bfcfbb

            SHA1

            8731a6ea694fa37d19ad329b5832102a1640e131

            SHA256

            57bf8f4606b7bbc38651e2d6523e736eb943d8bf7b9040d14412e34ebe2282f7

            SHA512

            b22b4a2ca527ea48e171212f0e8d2c48ab92b7960cfd85fffaed731f7bb3f3a3ace6f3b003fcc2a017b836ed38b30acce94b18f987d14e6c68b5fd5df96c186f

            Download Submit

          • \Windows\SysWOW64\8b4o.dll
            Filesize

            31KB

            MD5

            dabcecfd3d856e6f1fdbaa38f20c447e

            SHA1

            4137df5f3d4d62f3361fbc940ebcd091a3141853

            SHA256

            ac9390bcb93b0fe2b60071644e7f24d6afa4d4ba8227c80c4477688ae5a1759d

            SHA512

            9f73d87d6aae38615afe3aedc7a3794159234938326c6b9127164b781740b18d98a4521227ae75eb225da16b2ab8f409b1f4886bf9e2e0d663b32be0b9dc7c0b

            Download Submit