3989b8202088fb2e2d453d160754295887c8f0d38a1da8a9899773c669fc0691

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48e38504864efafbfb4026b38e023869_JaffaCakes118.dll
Size

472KB
MD5

48e38504864efafbfb4026b38e023869
SHA1

1c3573fcace183713800633577c04c6ec5fe96d8
SHA256

3989b8202088fb2e2d453d160754295887c8f0d38a1da8a9899773c669fc0691
SHA512

65b4fb6122878a24dffbaf93ebe98f38f520564a404c700912f11651661ec220e3d5f28178687b517dfbbcc24b0cba954682cc975be483bf17ffd4044b1565e3
SSDEEP

12288:0Ix3n4BiTNvjrsynq+xkv9yLF38jS7NbNgNB+hk6vHKX8:0Ix3JNLrBq+xko17NbNGBfc4

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	36bd.exe

Executes dropped EXE 4 IoCs

pid	Process
2732	36bd.exe
2752	36bd.exe
2628	36bd.exe
1456	mtv.exe

Loads dropped DLL 45 IoCs

pid	Process
2816	regsvr32.exe
2368	rundll32.exe
2368	rundll32.exe
2368	rundll32.exe
2368	rundll32.exe
2628	36bd.exe
2368	rundll32.exe
2368	rundll32.exe
1716	rundll32.exe
1716	rundll32.exe
1716	rundll32.exe
1716	rundll32.exe
1868	rundll32.exe
1868	rundll32.exe
1868	rundll32.exe
1868	rundll32.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe
2628	36bd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/36be.dll,Always"	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	36bd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\4bl4.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b33d.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\36bd.exe	rundll32.exe
File created	C:\Windows\SysWOW64\1db	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File opened for modification	C:\Windows\SysWOW64\c35s.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\353r.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3ce8.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b3rc.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\353r.dlltmp	rundll32.exe
File created	C:\Windows\SysWOW64\-54-6329111	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\bba6.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\36ud.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\36be.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\d48.flv	rundll32.exe
File opened for modification	C:\Windows\d48d.exe	rundll32.exe
File created	C:\Windows\Tasks\ms.job	rundll32.exe
File opened for modification	C:\Windows\480.exe	rundll32.exe
File opened for modification	C:\Windows\cd4d.exe	rundll32.exe
File opened for modification	C:\Windows\0acu.bmp	rundll32.exe
File opened for modification	C:\Windows\3cdd.flv	rundll32.exe
File opened for modification	C:\Windows\cd4d.flv	rundll32.exe
File opened for modification	C:\Windows\b5b3.bmp	rundll32.exe
File opened for modification	C:\Windows\b3cd.exe	rundll32.exe
File opened for modification	C:\Windows\436b.flv	rundll32.exe
File opened for modification	C:\Windows\80a.bmp	rundll32.exe
File opened for modification	C:\Windows\cd4u.bmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b33o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ = "C:\\Windows\\SysWow64\\b33o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2628	36bd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1456	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2368	1724	rundll32.exe	30
PID 1724 wrote to memory of 2368	1724	rundll32.exe	30
PID 1724 wrote to memory of 2368	1724	rundll32.exe	30
PID 1724 wrote to memory of 2368	1724	rundll32.exe	30
PID 1724 wrote to memory of 2368	1724	rundll32.exe	30
PID 1724 wrote to memory of 2368	1724	rundll32.exe	30
PID 1724 wrote to memory of 2368	1724	rundll32.exe	30
PID 2368 wrote to memory of 2756	2368	rundll32.exe	31
PID 2368 wrote to memory of 2756	2368	rundll32.exe	31
PID 2368 wrote to memory of 2756	2368	rundll32.exe	31
PID 2368 wrote to memory of 2756	2368	rundll32.exe	31
PID 2368 wrote to memory of 2756	2368	rundll32.exe	31
PID 2368 wrote to memory of 2756	2368	rundll32.exe	31
PID 2368 wrote to memory of 2756	2368	rundll32.exe	31
PID 2368 wrote to memory of 2744	2368	rundll32.exe	32
PID 2368 wrote to memory of 2744	2368	rundll32.exe	32
PID 2368 wrote to memory of 2744	2368	rundll32.exe	32
PID 2368 wrote to memory of 2744	2368	rundll32.exe	32
PID 2368 wrote to memory of 2744	2368	rundll32.exe	32
PID 2368 wrote to memory of 2744	2368	rundll32.exe	32
PID 2368 wrote to memory of 2744	2368	rundll32.exe	32
PID 2368 wrote to memory of 2772	2368	rundll32.exe	33
PID 2368 wrote to memory of 2772	2368	rundll32.exe	33
PID 2368 wrote to memory of 2772	2368	rundll32.exe	33
PID 2368 wrote to memory of 2772	2368	rundll32.exe	33
PID 2368 wrote to memory of 2772	2368	rundll32.exe	33
PID 2368 wrote to memory of 2772	2368	rundll32.exe	33
PID 2368 wrote to memory of 2772	2368	rundll32.exe	33
PID 2368 wrote to memory of 2860	2368	rundll32.exe	34
PID 2368 wrote to memory of 2860	2368	rundll32.exe	34
PID 2368 wrote to memory of 2860	2368	rundll32.exe	34
PID 2368 wrote to memory of 2860	2368	rundll32.exe	34
PID 2368 wrote to memory of 2860	2368	rundll32.exe	34
PID 2368 wrote to memory of 2860	2368	rundll32.exe	34
PID 2368 wrote to memory of 2860	2368	rundll32.exe	34
PID 2368 wrote to memory of 2816	2368	rundll32.exe	35
PID 2368 wrote to memory of 2816	2368	rundll32.exe	35
PID 2368 wrote to memory of 2816	2368	rundll32.exe	35
PID 2368 wrote to memory of 2816	2368	rundll32.exe	35
PID 2368 wrote to memory of 2816	2368	rundll32.exe	35
PID 2368 wrote to memory of 2816	2368	rundll32.exe	35
PID 2368 wrote to memory of 2816	2368	rundll32.exe	35
PID 2368 wrote to memory of 2732	2368	rundll32.exe	36
PID 2368 wrote to memory of 2732	2368	rundll32.exe	36
PID 2368 wrote to memory of 2732	2368	rundll32.exe	36
PID 2368 wrote to memory of 2732	2368	rundll32.exe	36
PID 2368 wrote to memory of 2752	2368	rundll32.exe	38
PID 2368 wrote to memory of 2752	2368	rundll32.exe	38
PID 2368 wrote to memory of 2752	2368	rundll32.exe	38
PID 2368 wrote to memory of 2752	2368	rundll32.exe	38
PID 2368 wrote to memory of 1456	2368	rundll32.exe	42
PID 2368 wrote to memory of 1456	2368	rundll32.exe	42
PID 2368 wrote to memory of 1456	2368	rundll32.exe	42
PID 2368 wrote to memory of 1456	2368	rundll32.exe	42
PID 2628 wrote to memory of 1716	2628	36bd.exe	41
PID 2628 wrote to memory of 1716	2628	36bd.exe	41
PID 2628 wrote to memory of 1716	2628	36bd.exe	41
PID 2628 wrote to memory of 1716	2628	36bd.exe	41
PID 2628 wrote to memory of 1716	2628	36bd.exe	41
PID 2628 wrote to memory of 1716	2628	36bd.exe	41
PID 2628 wrote to memory of 1716	2628	36bd.exe	41
PID 2368 wrote to memory of 1868	2368	rundll32.exe	43
PID 2368 wrote to memory of 1868	2368	rundll32.exe	43
PID 2368 wrote to memory of 1868	2368	rundll32.exe	43

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48e38504864efafbfb4026b38e023869_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\48e38504864efafbfb4026b38e023869_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4bl4.dll"
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/c6cb.dll"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/353r.dll"
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b33o.dll"
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b33o.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2816
- - C:\Windows\SysWOW64\36bd.exe
    C:\Windows\system32/36bd.exe -i
    3⤵
    - Executes dropped EXE
    PID:2732
- - C:\Windows\SysWOW64\36bd.exe
    C:\Windows\system32/36bd.exe -s
    3⤵
    - Executes dropped EXE
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1456
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll, Always
    3⤵
    - Loads dropped DLL
    PID:1868

C:\Windows\SysWOW64\36bd.exe
C:\Windows\SysWOW64\36bd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
124KB

MD5
ca00ce4833c8cf97754b9dc02899a687

SHA1
1935576713471d771ffdc962bb5454b8bb156f0d

SHA256
f95915830756b340f88c23ee784fe24758d1265ff23c69b50e05ddb9003ebc5c

SHA512
ba3e718c2a5ce8633cebb15651bca593eb2b6cabf2135665833966d48b16184cbb6c3e19fb52e33700503e50c2c556c6801042dc06cb6b39c41a3c9cd8397808

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
56KB

MD5
0edefae19573d5344130ecc8cceee7c0

SHA1
d5172fb19a621c2d710c2cb3c803362849f16c63

SHA256
3bb695e16e793b14160976b3fba1e8b3fd3c3309ea0f6827cb3a1d00ccdeb13a

SHA512
ae42f6a5d672889bf06626cb9251ef2acd3a09164f26adeb4af45cf31107dd43f57cc7dd10cdf677d3e1bb543b750460fce76ea623d7075fe5adc0737a5d5865

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
422KB

MD5
65de9967997699777e116a6b976a4cb3

SHA1
58d03337637c4fc6431349be5368fa7ce6e69fe8

SHA256
d1f784ff2b13d592bb9e2c5f2b14b7b6abecf8f4641e4f3f3c86e0619dae94a1

SHA512
d19c9eb3a1a957b7e184c421f53463dc683ebc5f8b269ac4961f0d44fa9332f274830a13968b78be20116e1d2f7e9f37368a8e147669eb6cad857245009e529c

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
128KB

MD5
5b08af21047d74a70b0f0f1e96de7070

SHA1
6e669a84ca6b45bbd6851d3c992ed23ac0c25e45

SHA256
4245b82a34bb58befeb77ed504809d93a686846f38139449599442ddf90e45b9

SHA512
5cf0935e1f12b067dee7dd6bd994010f40b6746409e09ba963b5c79967fc5a53c12e5bbdb86b589a56e5e3e4372c899a783d5e75d61352c1f63de5a1a6953d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzwgce\tmp.exe

Filesize
64KB

MD5
dbeb2d1c309358f5e5dedb45def69c56

SHA1
b34721bc75ee1377b78aea5639cbcbdb53375330

SHA256
d35343c1428113f8dffdd10ea1445d51ab2d4c3c908f8509bbdf53d4bba07e1a

SHA512
eb1ee5ce6399c68c53e01a0fcb869a52916f8cd769cc008373091de657ef9e2c7fad9786f433c6ac5bd5412367a32762345c8a731a67ef2b47e3e5117cc3f4c5

Download Submit