2d46fe98c5a3e8351983c895b8a9ce15364a9ed872cd11cef0fc839ab1914763

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
Size

468KB
MD5

5a4ac31453f9c83c82ae5d7ed1e2d6b2
SHA1

26fc48d4adf0761894aa8d7d4fb59c84a62e3133
SHA256

2d46fe98c5a3e8351983c895b8a9ce15364a9ed872cd11cef0fc839ab1914763
SHA512

474be6c2644061fe41794598b9719d024178b9a094fb29c016a1f907ccec800950d9b4379b776f070e9b3c521d615f79fc64fc440a7f3b8cca42a6955ff3dd12
SSDEEP

12288:B/3KBaDVuotwC559JYz4aysshaGpPpFOEh1Xpr3IXGTTJEdI:B/3EaDVrwC55gfxsZP+EhFt3IXJi

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b55d.exe

Executes dropped EXE 3 IoCs

pid	Process
2592	b55d.exe
2028	b55d.exe
2108	b55d.exe

Loads dropped DLL 33 IoCs

pid	Process
3156	regsvr32.exe
2108	b55d.exe
4120	rundll32.exe
3868	rundll32.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe
2108	b55d.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\ = "Generic BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	b55d.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bba6.dll	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dll	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\353r.dll	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\353r.dlltmp	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4b3o.dlltmp	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\3ce8.dll	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b55d.exe	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\-13-9489-7	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dll	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\36ud.exe	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c35s.dll	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\46be.dll	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4b3o.dll	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b3rc.exe	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dlltmp	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dlltmp	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b33d.exe	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\1328	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\80a.bmp	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\80au.bmp	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\480d.exe	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\d48d.exe	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\480.exe	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\0acu.bmp	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\3cdd.flv	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\b5b3.bmp	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\b3cd.exe	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\436b.flv	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\d48.flv	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
File opened for modification	C:\Windows\d48d.flv	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BHO.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\TypeLib\ = "{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\TypeLib\ = "{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\4b3o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\InprocServer32\ = "C:\\Windows\\SysWow64\\4b3o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BHO.DLL\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\TypeLib\ = "{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53738F3D-33DE-4BF3-8F3F-0FDA9BBE7121}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C15134ED-31C1-4b17-B04E-FFFAB993EFA2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D91005B-09EB-43B9-AEB2-31DD4C587447}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{53738F3D-33DE-4bf3-8F3F-0FDA9BBE7121}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{53738F3D-33DE-4bf3-8F3F-0FDA9BBE7121}\ = "BHO"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2108	b55d.exe
2108	b55d.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 3016	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	85
PID 1128 wrote to memory of 3016	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	85
PID 1128 wrote to memory of 3016	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	85
PID 1128 wrote to memory of 2924	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	86
PID 1128 wrote to memory of 2924	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	86
PID 1128 wrote to memory of 2924	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	86
PID 1128 wrote to memory of 4544	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	87
PID 1128 wrote to memory of 4544	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	87
PID 1128 wrote to memory of 4544	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	87
PID 1128 wrote to memory of 4284	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	88
PID 1128 wrote to memory of 4284	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	88
PID 1128 wrote to memory of 4284	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	88
PID 1128 wrote to memory of 3156	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	89
PID 1128 wrote to memory of 3156	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	89
PID 1128 wrote to memory of 3156	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	89
PID 1128 wrote to memory of 2592	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	91
PID 1128 wrote to memory of 2592	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	91
PID 1128 wrote to memory of 2592	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	91
PID 1128 wrote to memory of 2028	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	94
PID 1128 wrote to memory of 2028	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	94
PID 1128 wrote to memory of 2028	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	94
PID 1128 wrote to memory of 4120	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	97
PID 1128 wrote to memory of 4120	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	97
PID 1128 wrote to memory of 4120	1128	5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe	97
PID 2108 wrote to memory of 3868	2108	b55d.exe	98
PID 2108 wrote to memory of 3868	2108	b55d.exe	98
PID 2108 wrote to memory of 3868	2108	b55d.exe	98

C:\Users\Admin\AppData\Local\Temp\5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a4ac31453f9c83c82ae5d7ed1e2d6b2_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4bl4.dll"
  2⤵
  PID:3016
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\c6cb.dll"
  2⤵
  PID:2924
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\353r.dll"
  2⤵
  PID:4544
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4b3o.dll"
  2⤵
  PID:4284
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\4b3o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:3156
- C:\Windows\SysWOW64\b55d.exe
  C:\Windows\system32\b55d.exe -i
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\SysWOW64\b55d.exe
  C:\Windows\system32\b55d.exe -s
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:4120

C:\Windows\SysWOW64\b55d.exe
C:\Windows\SysWOW64\b55d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll,Always
  2⤵
  - Loads dropped DLL
  PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
380KB

MD5
c0059f061ad4428521f33fb1b6c2936d

SHA1
d5724cf96c42b0046ddd5631708d4c2cec291ad2

SHA256
b9cd0da20c22755083f2d8f9eb99ea521550ee33ccaab3e051b9bd772732ffb5

SHA512
7f2efb5d2824bbf96d8dabde86b78556edaba4767fde2bbba1584952cf19db2c565ea2ae645b774568946fd1dc37fe1c2a6cddfe49722e0c837398f7d32d4959

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
108KB

MD5
3caba4cf956b902928b74c6810e3f386

SHA1
c5b89ae2eb2e6c94503a3bb4f80881dfde7b724c

SHA256
f6f79e8c7268a012e3dbdf6db3e175ba32c1120bebb11607bdcd25fdf61db9a6

SHA512
ef5a884d8f64439bb4d80cb7d96ed1669d5bda45d60cc5ddf2686528e938a5e3e9efa69abca5857e3c23cdcac1d25a63ecc10bef08a6088b674d77bc0776c126

Download Submit
C:\Windows\SysWOW64\4b3o.dll

Filesize
136KB

MD5
cc792f2bc1c0e8ac870ab35317b3aaa7

SHA1
3409e17db6251f4bb34d25b60c8e499f994ca0fb

SHA256
6881df31f804621abc322095950ae48abd0240d5d9c86f6f691b9d4320d91cb9

SHA512
89863f8cac47450c0bf2f3583f700c1461d084f0d694e056d1e3b975921d196b39b93124b7bb443d99bbaa6af3d449d3b1e8fa0e80f126be1324e317bd5b47ca

Download Submit