4e4bc1e6626ef7099dee44942e4350e3b1d327689fbbfe708705950a8be62d96

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ac95c69ee5b6cd50e2c4903a068f26_JaffaCakes118.dll
Size

476KB
MD5

75ac95c69ee5b6cd50e2c4903a068f26
SHA1

aa80a94ed17869dfe2ec18ee18ef6051f7836805
SHA256

4e4bc1e6626ef7099dee44942e4350e3b1d327689fbbfe708705950a8be62d96
SHA512

b9c30aa22cebfc5a832803db26f42c0607be94afb57d38ad3fcf3c39a2df636f78c93bade1ebf49ca49a0bafc2823f713d729629703683d6ad551f1ef2d721d4
SSDEEP

12288:xFY/nud2glrDhcLrfJ/p/To0vp84nCrMlUDcoSmkq/u:Q/8l/OHJh/UuxCrMDoSmkA

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	36bd.exe

Executes dropped EXE 4 IoCs

pid	Process
720	36bd.exe
1508	36bd.exe
2252	36bd.exe
1976	mtv.exe

Loads dropped DLL 33 IoCs

pid	Process
4200	regsvr32.exe
2252	36bd.exe
2816	rundll32.exe
4728	rundll32.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe
2252	36bd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\plc = "c:\\windows\\system32\\rundll32.exe C:\\Windows\\system32/36be.dll,Always"	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCAA0766-15FC-4aec-A010-F4605D272581}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	36bd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\b3rc.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\353r.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File created	C:\Windows\SysWOW64\026	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\36ud.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\353r.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\36be.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\36bd.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3ce8.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c35s.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\bba6.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b33d.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dlltmp	rundll32.exe
File created	C:\Windows\SysWOW64\-680121-79	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\b5b3.bmp	rundll32.exe
File opened for modification	C:\Windows\cd4d.flv	rundll32.exe
File opened for modification	C:\Windows\d48.flv	rundll32.exe
File created	C:\Windows\Tasks\ms.job	rundll32.exe
File opened for modification	C:\Windows\b3cd.exe	rundll32.exe
File opened for modification	C:\Windows\436b.flv	rundll32.exe
File opened for modification	C:\Windows\480.exe	rundll32.exe
File opened for modification	C:\Windows\3cdd.flv	rundll32.exe
File opened for modification	C:\Windows\cd4d.exe	rundll32.exe
File opened for modification	C:\Windows\80a.bmp	rundll32.exe
File opened for modification	C:\Windows\0acu.bmp	rundll32.exe
File opened for modification	C:\Windows\d48d.exe	rundll32.exe
File opened for modification	C:\Windows\cd4u.bmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{FCAA0766-15FC-4aec-A010-F4605D272581}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b33o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\ = "{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ = "IFffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\ = "C:\\Windows\\SysWow64\\b33o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C573EEC-FF56-4312-BEBA-F9BBD3387824}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\FLAGS\ = "0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2252	36bd.exe
2252	36bd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1976	mtv.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 4124	3568	rundll32.exe	84
PID 3568 wrote to memory of 4124	3568	rundll32.exe	84
PID 3568 wrote to memory of 4124	3568	rundll32.exe	84
PID 4124 wrote to memory of 1164	4124	rundll32.exe	85
PID 4124 wrote to memory of 1164	4124	rundll32.exe	85
PID 4124 wrote to memory of 1164	4124	rundll32.exe	85
PID 4124 wrote to memory of 4288	4124	rundll32.exe	86
PID 4124 wrote to memory of 4288	4124	rundll32.exe	86
PID 4124 wrote to memory of 4288	4124	rundll32.exe	86
PID 4124 wrote to memory of 3488	4124	rundll32.exe	87
PID 4124 wrote to memory of 3488	4124	rundll32.exe	87
PID 4124 wrote to memory of 3488	4124	rundll32.exe	87
PID 4124 wrote to memory of 4784	4124	rundll32.exe	88
PID 4124 wrote to memory of 4784	4124	rundll32.exe	88
PID 4124 wrote to memory of 4784	4124	rundll32.exe	88
PID 4124 wrote to memory of 4200	4124	rundll32.exe	89
PID 4124 wrote to memory of 4200	4124	rundll32.exe	89
PID 4124 wrote to memory of 4200	4124	rundll32.exe	89
PID 4124 wrote to memory of 720	4124	rundll32.exe	91
PID 4124 wrote to memory of 720	4124	rundll32.exe	91
PID 4124 wrote to memory of 720	4124	rundll32.exe	91
PID 4124 wrote to memory of 1508	4124	rundll32.exe	93
PID 4124 wrote to memory of 1508	4124	rundll32.exe	93
PID 4124 wrote to memory of 1508	4124	rundll32.exe	93
PID 2252 wrote to memory of 2816	2252	36bd.exe	98
PID 2252 wrote to memory of 2816	2252	36bd.exe	98
PID 2252 wrote to memory of 2816	2252	36bd.exe	98
PID 4124 wrote to memory of 1976	4124	rundll32.exe	99
PID 4124 wrote to memory of 1976	4124	rundll32.exe	99
PID 4124 wrote to memory of 1976	4124	rundll32.exe	99
PID 4124 wrote to memory of 4728	4124	rundll32.exe	100
PID 4124 wrote to memory of 4728	4124	rundll32.exe	100
PID 4124 wrote to memory of 4728	4124	rundll32.exe	100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\75ac95c69ee5b6cd50e2c4903a068f26_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\75ac95c69ee5b6cd50e2c4903a068f26_JaffaCakes118.dll,#1
  2⤵
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4bl4.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/c6cb.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4288
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/353r.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3488
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b33o.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4784
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b33o.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4200
- - C:\Windows\SysWOW64\36bd.exe
    C:\Windows\system32/36bd.exe -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:720
- - C:\Windows\SysWOW64\36bd.exe
    C:\Windows\system32/36bd.exe -s
    3⤵
    - Executes dropped EXE
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1976
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll, Always
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4728

C:\Windows\SysWOW64\36bd.exe
C:\Windows\SysWOW64\36bd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
108KB

MD5
c38581343705a6e4ef62d00c3271c643

SHA1
18bce6c98a793e8b16370f2b697fbd4fbd789de2

SHA256
86419e682a8f31be738a23d2ae11a78b1ae1ec2a2d4483062d38c6b88eaf466e

SHA512
05968e133946d61e9ef7dd47f9b1c98542f7e36db525374a092ab5d1912760d85b26e927b78f91d99e3797818f82ceb387cdc200f8932546a4bc454497e95897

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
40KB

MD5
d86092d20b154bae743996669b0e4b3a

SHA1
115da67ad46266fffe45a4640139d7fd8a2e5dad

SHA256
28fb2166430d223fa0dca8fb6b87388b0854a19c2b145c9713cfe73b6eb2613c

SHA512
92caba6fc9d0d60dce6f8840fcbb8d2435f6afba1ea793f18507c84d58236a3ff9c1950db5b6d851d4be4416c11cbc928abc44c22e86fdae4d64f2c2ff27890a

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
495KB

MD5
9ab26bb1d7809d9b44e9ef139a4328a5

SHA1
a177d70888706507421c9361a84e54a7e9050bbd

SHA256
59e2a5186e3c3b0ce5ba885e3df89f5aa4d962c037ebba3531fd96dd2c8347ed

SHA512
0b1b7e20d348250d880c6dc0bfd222eb07a3067aa61ee6b46d55eaf6f1154270445a6d2f92f853779a0fc57a57cd29f1dd58dba6deace981c82142b486217c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
200KB

MD5
793d762d9573de858df13593c32e2be8

SHA1
2f64c1fb91b62ca55ebf9136122b1155e531f93a

SHA256
7a912a1f6a4a3ff5c204abfde4c5a7a6880bac86aa6da392010a430026c2e95b

SHA512
f79223a4ee89b202665ea88b578ca90990edf2ab5a6c424269e78c7625c02e4979da8dd6e11953a3184c7e6e18d2be97350f7d0b6d38585f28d55300e86135f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqok9i\tmp.exe

Filesize
68KB

MD5
018f3281c6e9359b7ab38509d5c7f1a1

SHA1
385cf75db76aecadfe1880d1b0b69dbd419179c3

SHA256
086d3f231448d412d5e16a0ce42a1af3a00aa9c7fcb0538d94a99abda4bb30fc

SHA512
38d5b20d3149ef9b98945f807bbc664900e2c976098b2d29a3bde7cd709e2a8dac0d02d3da825594baefe31ee284e7e141c6ad0a893ed557860892d4077c3376

Download Submit