4e4bc1e6626ef7099dee44942e4350e3b1d327689fbbfe708705950a8be62d96

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ac95c69ee5b6cd50e2c4903a068f26_JaffaCakes118.dll
Size

476KB
MD5

75ac95c69ee5b6cd50e2c4903a068f26
SHA1

aa80a94ed17869dfe2ec18ee18ef6051f7836805
SHA256

4e4bc1e6626ef7099dee44942e4350e3b1d327689fbbfe708705950a8be62d96
SHA512

b9c30aa22cebfc5a832803db26f42c0607be94afb57d38ad3fcf3c39a2df636f78c93bade1ebf49ca49a0bafc2823f713d729629703683d6ad551f1ef2d721d4
SSDEEP

12288:xFY/nud2glrDhcLrfJ/p/To0vp84nCrMlUDcoSmkq/u:Q/8l/OHJh/UuxCrMDoSmkA

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	36bd.exe

Executes dropped EXE 4 IoCs

pid	Process
2792	36bd.exe
2616	36bd.exe
3016	36bd.exe
1204	mtv.exe

Loads dropped DLL 45 IoCs

pid	Process
2876	regsvr32.exe
2972	rundll32.exe
2972	rundll32.exe
2972	rundll32.exe
2972	rundll32.exe
3016	36bd.exe
2972	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe
2972	rundll32.exe
1344	rundll32.exe
1344	rundll32.exe
1344	rundll32.exe
1344	rundll32.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe
3016	36bd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/36be.dll,Always"	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	36bd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bba6.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\36bd.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dlltmp	rundll32.exe
File created	C:\Windows\SysWOW64\091	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dll	rundll32.exe
File created	C:\Windows\SysWOW64\-46-80-87-67	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b3rc.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\353r.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b33d.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\353r.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3ce8.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\36ud.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c35s.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\36be.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\b3cd.exe	rundll32.exe
File opened for modification	C:\Windows\480.exe	rundll32.exe
File opened for modification	C:\Windows\cd4d.flv	rundll32.exe
File created	C:\Windows\Tasks\ms.job	rundll32.exe
File opened for modification	C:\Windows\80a.bmp	rundll32.exe
File opened for modification	C:\Windows\d48.flv	rundll32.exe
File opened for modification	C:\Windows\d48d.exe	rundll32.exe
File opened for modification	C:\Windows\cd4d.exe	rundll32.exe
File opened for modification	C:\Windows\b5b3.bmp	rundll32.exe
File opened for modification	C:\Windows\436b.flv	rundll32.exe
File opened for modification	C:\Windows\0acu.bmp	rundll32.exe
File opened for modification	C:\Windows\3cdd.flv	rundll32.exe
File opened for modification	C:\Windows\cd4u.bmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b33o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ = "C:\\Windows\\SysWow64\\b33o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS\ = "0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3016	36bd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1204	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2972	2328	rundll32.exe	31
PID 2328 wrote to memory of 2972	2328	rundll32.exe	31
PID 2328 wrote to memory of 2972	2328	rundll32.exe	31
PID 2328 wrote to memory of 2972	2328	rundll32.exe	31
PID 2328 wrote to memory of 2972	2328	rundll32.exe	31
PID 2328 wrote to memory of 2972	2328	rundll32.exe	31
PID 2328 wrote to memory of 2972	2328	rundll32.exe	31
PID 2972 wrote to memory of 2932	2972	rundll32.exe	32
PID 2972 wrote to memory of 2932	2972	rundll32.exe	32
PID 2972 wrote to memory of 2932	2972	rundll32.exe	32
PID 2972 wrote to memory of 2932	2972	rundll32.exe	32
PID 2972 wrote to memory of 2932	2972	rundll32.exe	32
PID 2972 wrote to memory of 2932	2972	rundll32.exe	32
PID 2972 wrote to memory of 2932	2972	rundll32.exe	32
PID 2972 wrote to memory of 2708	2972	rundll32.exe	33
PID 2972 wrote to memory of 2708	2972	rundll32.exe	33
PID 2972 wrote to memory of 2708	2972	rundll32.exe	33
PID 2972 wrote to memory of 2708	2972	rundll32.exe	33
PID 2972 wrote to memory of 2708	2972	rundll32.exe	33
PID 2972 wrote to memory of 2708	2972	rundll32.exe	33
PID 2972 wrote to memory of 2708	2972	rundll32.exe	33
PID 2972 wrote to memory of 2664	2972	rundll32.exe	34
PID 2972 wrote to memory of 2664	2972	rundll32.exe	34
PID 2972 wrote to memory of 2664	2972	rundll32.exe	34
PID 2972 wrote to memory of 2664	2972	rundll32.exe	34
PID 2972 wrote to memory of 2664	2972	rundll32.exe	34
PID 2972 wrote to memory of 2664	2972	rundll32.exe	34
PID 2972 wrote to memory of 2664	2972	rundll32.exe	34
PID 2972 wrote to memory of 2680	2972	rundll32.exe	35
PID 2972 wrote to memory of 2680	2972	rundll32.exe	35
PID 2972 wrote to memory of 2680	2972	rundll32.exe	35
PID 2972 wrote to memory of 2680	2972	rundll32.exe	35
PID 2972 wrote to memory of 2680	2972	rundll32.exe	35
PID 2972 wrote to memory of 2680	2972	rundll32.exe	35
PID 2972 wrote to memory of 2680	2972	rundll32.exe	35
PID 2972 wrote to memory of 2876	2972	rundll32.exe	36
PID 2972 wrote to memory of 2876	2972	rundll32.exe	36
PID 2972 wrote to memory of 2876	2972	rundll32.exe	36
PID 2972 wrote to memory of 2876	2972	rundll32.exe	36
PID 2972 wrote to memory of 2876	2972	rundll32.exe	36
PID 2972 wrote to memory of 2876	2972	rundll32.exe	36
PID 2972 wrote to memory of 2876	2972	rundll32.exe	36
PID 2972 wrote to memory of 2792	2972	rundll32.exe	37
PID 2972 wrote to memory of 2792	2972	rundll32.exe	37
PID 2972 wrote to memory of 2792	2972	rundll32.exe	37
PID 2972 wrote to memory of 2792	2972	rundll32.exe	37
PID 2972 wrote to memory of 2616	2972	rundll32.exe	39
PID 2972 wrote to memory of 2616	2972	rundll32.exe	39
PID 2972 wrote to memory of 2616	2972	rundll32.exe	39
PID 2972 wrote to memory of 2616	2972	rundll32.exe	39
PID 3016 wrote to memory of 1996	3016	36bd.exe	42
PID 3016 wrote to memory of 1996	3016	36bd.exe	42
PID 3016 wrote to memory of 1996	3016	36bd.exe	42
PID 3016 wrote to memory of 1996	3016	36bd.exe	42
PID 3016 wrote to memory of 1996	3016	36bd.exe	42
PID 3016 wrote to memory of 1996	3016	36bd.exe	42
PID 3016 wrote to memory of 1996	3016	36bd.exe	42
PID 2972 wrote to memory of 1204	2972	rundll32.exe	43
PID 2972 wrote to memory of 1204	2972	rundll32.exe	43
PID 2972 wrote to memory of 1204	2972	rundll32.exe	43
PID 2972 wrote to memory of 1204	2972	rundll32.exe	43
PID 2972 wrote to memory of 1344	2972	rundll32.exe	44
PID 2972 wrote to memory of 1344	2972	rundll32.exe	44
PID 2972 wrote to memory of 1344	2972	rundll32.exe	44

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\75ac95c69ee5b6cd50e2c4903a068f26_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\75ac95c69ee5b6cd50e2c4903a068f26_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4bl4.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/c6cb.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/353r.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b33o.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b33o.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2876
- - C:\Windows\SysWOW64\36bd.exe
    C:\Windows\system32/36bd.exe -i
    3⤵
    - Executes dropped EXE
    PID:2792
- - C:\Windows\SysWOW64\36bd.exe
    C:\Windows\system32/36bd.exe -s
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1204
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll, Always
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1344

C:\Windows\SysWOW64\36bd.exe
C:\Windows\SysWOW64\36bd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
124KB

MD5
7aab5729d4ac87fa5fcd76b76300c839

SHA1
6f0d5332dd8df552041a1d90b6717fd11cd81c52

SHA256
1cf290260ae6b4e3fa67678a600be2dcd95b95955329fa7c129c42d6bf96e888

SHA512
379a4d6e4dd5fd0ea309255aa2796d225d8f45730142143c17e0ff0e728dfa039b85fd329f938ac81e6018d1dff1f15dbde998fab5a960bdb39253060421d5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfnw\tmp.exe

Filesize
116KB

MD5
4851b0ca3412021e53572d57001abda5

SHA1
c2df70e48e49e206a8413ec7f96613bf12805903

SHA256
792f9d77400246168093ba6ed5b71acd0bff52f3b211807a7623843fac9d283b

SHA512
7344c68af6f6f431919484f6b17fc9b1a5973d0030a3d62d0bb3df30637fc2f40d75a1fdf3a3f68bd7ea6c1982c4c238f7ebbcd7a07848befe19a837b15bdd74

Download Submit
C:\Windows\SysWOW64\36bd.exe

Filesize
164KB

MD5
ff8d8fd8842cdcc696fb1e3a69fb53cc

SHA1
28dec79c9d7ebef1db99a33acd22d43f684873f4

SHA256
266ac340d111712438cffa3073cf2e64f1e11a052ac9a1cae02c27d2ad95bb30

SHA512
f60e667aca91dceb128e986b5a02cb066d3eaa59e20509210831f2eee4e752466e4216d08adf69016d0f2e16644cac46cec22006b74b3fdecdc7c0c18d89fd1c

Download Submit
\Windows\SysWOW64\36be.dll

Filesize
491KB

MD5
0d594260366695bc3695a316c948f7fb

SHA1
68db8a83768ed89ab343a71dd74069a0d64c463a

SHA256
6fd8d9a14edf10c360c81d96ac29fdc2bd08805402fb452a7937abc10673236e

SHA512
6f0304fce55ffc9867546bb095ae855f9ef46649719cd050b2bf75bd07378d05f98eaf4592695689de205f89ed7ed610c15bc266d1fb4498a4d302b53c1a71df

Download Submit
\Windows\SysWOW64\b33o.dll

Filesize
192KB

MD5
ee3794e1178de6dd216134b84732e8ff

SHA1
b8975b019af515288688460dcfd202acd79cff89

SHA256
81fddcb7c6582d0b2e03349d00633b9a9d74998ee3ec5cd7298f6a63b2b0efd4

SHA512
ad05526f75394bf08e69b9251b29f60c2260c97d22e5aaff3ff433003b493b20f2950d259e57857c7fdc570b21e782c66dad37c916372c2f5f814605ca43fa73

Download Submit