a4a83823b8e512afcb9b6a621d555cfe48afa6b65d3dfc2fa3e495eed6314b0f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
Size

488KB
MD5

74e4508df91dcca124c3b0d6eb2fab17
SHA1

0e0af57d62b126c4cab4f396aa3f659374b95280
SHA256

a4a83823b8e512afcb9b6a621d555cfe48afa6b65d3dfc2fa3e495eed6314b0f
SHA512

a77dec8840dbe293091416e0e4c6f510801c32fa57e92fd52d66798d9e0be792a4d6e64fdd10cfb554c4ea6e403384f47195a8489b394d4743fd92728c7a8335
SSDEEP

12288:wNSIpoJ3vpAALhchj5m6dCdiIp1gcxZh2uUyqfY45FiDhyaKjK8:wIJ3BAlhj74diIHgYh2u3qt2DhA28

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b55d.exe

Executes dropped EXE 3 IoCs

pid	Process
4492	b55d.exe
848	b55d.exe
3504	b55d.exe

Loads dropped DLL 33 IoCs

pid	Process
1788	regsvr32.exe
3504	b55d.exe
376	rundll32.exe
3828	rundll32.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe
3504	b55d.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46A35925-FC76-4647-8355-692142C079AF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46A35925-FC76-4647-8355-692142C079AF}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	b55d.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\c6cb.dlltmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\353r.dlltmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4b3o.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\36ud.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b55d.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4b3o.dlltmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\2c96	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3ce8.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dlltmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bba6.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c35s.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b33d.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\46be.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b3rc.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\353r.dll	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\72-621-66	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\d48d.flv	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\480.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\3cdd.flv	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\480d.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\d48.flv	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\d48d.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\0acu.bmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\b3cd.exe	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\436b.flv	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\80a.bmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\80au.bmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
File opened for modification	C:\Windows\b5b3.bmp	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b55d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b55d.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\TypeLib\ = "{B38FF7EF-13A6-4FAD-878F-73F280B31691}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ = "IMsnPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\ = "CMsnPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\ = "{B38FF7EF-13A6-4FAD-878F-73F280B31691}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ = "IMsnPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\ = "CMsnPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\CLSID\ = "{46A35925-FC76-4647-8355-692142C079AF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\VersionIndependentProgID\ = "BHO.MsnPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\ = "{B38FF7EF-13A6-4FAD-878F-73F280B31691}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\ = "CMsnPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\InprocServer32\ = "C:\\Windows\\SysWow64\\4b3o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\4b3o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CLSID\ = "{46A35925-FC76-4647-8355-692142C079AF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.MsnPlayer\CurVer\ = "BHO.MsnPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\ProgID\ = "BHO.MsnPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46A35925-FC76-4647-8355-692142C079AF}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B38FF7EF-13A6-4FAD-878F-73F280B31691}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28ED4B1F-7900-4283-8EEC-607C777DDDA5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3504	b55d.exe
3504	b55d.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 2736	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	84
PID 3896 wrote to memory of 2736	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	84
PID 3896 wrote to memory of 2736	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	84
PID 3896 wrote to memory of 932	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	85
PID 3896 wrote to memory of 932	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	85
PID 3896 wrote to memory of 932	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	85
PID 3896 wrote to memory of 820	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	86
PID 3896 wrote to memory of 820	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	86
PID 3896 wrote to memory of 820	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	86
PID 3896 wrote to memory of 1860	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	87
PID 3896 wrote to memory of 1860	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	87
PID 3896 wrote to memory of 1860	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	87
PID 3896 wrote to memory of 1788	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	89
PID 3896 wrote to memory of 1788	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	89
PID 3896 wrote to memory of 1788	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	89
PID 3896 wrote to memory of 4492	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	90
PID 3896 wrote to memory of 4492	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	90
PID 3896 wrote to memory of 4492	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	90
PID 3896 wrote to memory of 848	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	92
PID 3896 wrote to memory of 848	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	92
PID 3896 wrote to memory of 848	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	92
PID 3896 wrote to memory of 376	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	98
PID 3896 wrote to memory of 376	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	98
PID 3896 wrote to memory of 376	3896	74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe	98
PID 3504 wrote to memory of 3828	3504	b55d.exe	99
PID 3504 wrote to memory of 3828	3504	b55d.exe	99
PID 3504 wrote to memory of 3828	3504	b55d.exe	99

C:\Users\Admin\AppData\Local\Temp\74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74e4508df91dcca124c3b0d6eb2fab17_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4bl4.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\c6cb.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:932
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\353r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:820
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4b3o.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\4b3o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1788
- C:\Windows\SysWOW64\b55d.exe
  C:\Windows\system32\b55d.exe -i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4492
- C:\Windows\SysWOW64\b55d.exe
  C:\Windows\system32\b55d.exe -s
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:376

C:\Windows\SysWOW64\b55d.exe
C:\Windows\SysWOW64\b55d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\46be.dll,Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
192KB

MD5
964b30802e413e95544519d456102fe6

SHA1
494c682b7c35e34599a7e3fbe74a01ce24856112

SHA256
4e43a692b980122d3c3f03467ce9245b4e0ae5f269ef298baf44861dcd79e133

SHA512
d249d6938b9abba23ca16f8ae9afc2cdc9d56c30384b2924ac823a9dcae33353949c978e5975056bd57e4a63d1df47e506b2abf6537f9b95cf178de2154eb3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
456KB

MD5
b517e6b129387e23410d3eb7f1519747

SHA1
e6e15a3f0364aad2e512ae4cdafd36e9a7a7d85b

SHA256
5d596d71f4bac0e6a22c3987dfa2487ad8a4affad25f18be716c3220851b57d2

SHA512
bdf9904991877cdc073adaf9de96bbbf53344648b4df9ee22d71a82cef5ba4696b653b43af839960901a8336e8a655f4cdfc5bceea9f11737d41a7b5992f59e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
168KB

MD5
18395fa4aa374e9885a1119d47ef8c61

SHA1
f661efdbf254ac7094d4e55fd7b96d656dc9cf89

SHA256
085f9f70cda77e1b723eca36534f75e81be79e97f761df486197685b08a75fe8

SHA512
8c3cab660dbc07540cb99c22337f689929d64fd3418d20cf8c7826b1e2574452a90d0fbd27431beb98d41bc4f86db7478115b316c5523d2e3d481f3d1bbf9e43

Download Submit