ddb430d00afb7bc830f83519c749306dbc59fb8384b181c48522629d9c408302

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 05:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
Size

386KB
MD5

a1508d6acaa0907f088ba7a4dcf8746e
SHA1

0458c6b5581e6a6ab92ea98ed2264675dce4d95c
SHA256

ddb430d00afb7bc830f83519c749306dbc59fb8384b181c48522629d9c408302
SHA512

ffe51e7d578afb7f11c1b4c66a8801a67f970f4e9cfb29f76a1e5091e6370a2a165605c8532cceb009d700da8f183c37671e2c381fcf07224143940986180d0c
SSDEEP

6144:IU+BcxCxy+7LFOuUK4ERbwrQcTt14nIggVrVhuhJbdZjTG8NH:lYFy+7LFH4EoPggVJwHvjq8NH

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	36bd.exe

Executes dropped EXE 4 IoCs

pid	Process
2624	36bd.exe
2864	36bd.exe
2324	36bd.exe
584	mtv.exe

Loads dropped DLL 54 IoCs

pid	Process
2828	regsvr32.exe
2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
2624	36bd.exe
2624	36bd.exe
2624	36bd.exe
2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
2864	36bd.exe
2864	36bd.exe
2864	36bd.exe
2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
584	mtv.exe
584	mtv.exe
584	mtv.exe
2900	regsvr32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
1480	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
3016	regsvr32.exe
2156	regsvr32.exe
2448	regsvr32.exe
408	regsvr32.exe
2580	regsvr32.exe
1312	regsvr32.exe
1896	regsvr32.exe
1964	regsvr32.exe
1916	regsvr32.exe
1576	regsvr32.exe
756	regsvr32.exe
1496	regsvr32.exe
2076	regsvr32.exe
1984	regsvr32.exe
2032	regsvr32.exe
1932	regsvr32.exe
1904	regsvr32.exe
2232	regsvr32.exe
2068	regsvr32.exe
2288	regsvr32.exe
2840	regsvr32.exe
1640	regsvr32.exe
2860	regsvr32.exe
2748	regsvr32.exe
2824	regsvr32.exe
2552	regsvr32.exe
2956	regsvr32.exe
2812	regsvr32.exe
2600	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	36bd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\b3rc.exe	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dll	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\36ud.exe	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\353r.dll	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dll	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\c35s.dll	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dlltmp	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b33o.dll	36bd.exe
File created	C:\Windows\SysWOW64\´ï"23-32103105	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3ce8.dll	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dlltmp	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c6cb.dlltmp	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\353r.dlltmp	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\36bd.exe	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\083	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4bl4.dll	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bba6.dll	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b33d.exe	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\36be.dll	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cd4u.bmp	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\80a.bmp	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\436b.flv	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\d48.flv	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\0acu.bmp	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\cd4d.exe	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\b3cd.exe	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\d48d.exe	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\3cdd.flv	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\b5b3.bmp	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\cd4d.flv	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
File opened for modification	C:\Windows\480.exe	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2324	36bd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
584	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2856	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2856	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2856	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2856	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2856	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2856	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2856	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2860	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2860	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2860	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2860	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2860	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2860	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2860	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2872	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2872	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2872	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2872	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2872	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2872	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2872	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2932	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2932	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2932	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2932	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2932	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2932	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2932	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2828	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	34
PID 2420 wrote to memory of 2828	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	34
PID 2420 wrote to memory of 2828	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	34
PID 2420 wrote to memory of 2828	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	34
PID 2420 wrote to memory of 2828	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	34
PID 2420 wrote to memory of 2828	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	34
PID 2420 wrote to memory of 2828	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	34
PID 2420 wrote to memory of 2624	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	35
PID 2420 wrote to memory of 2624	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	35
PID 2420 wrote to memory of 2624	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	35
PID 2420 wrote to memory of 2624	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	35
PID 2420 wrote to memory of 2624	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	35
PID 2420 wrote to memory of 2624	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	35
PID 2420 wrote to memory of 2624	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	35
PID 2420 wrote to memory of 2864	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	37
PID 2420 wrote to memory of 2864	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	37
PID 2420 wrote to memory of 2864	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	37
PID 2420 wrote to memory of 2864	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	37
PID 2420 wrote to memory of 2864	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	37
PID 2420 wrote to memory of 2864	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	37
PID 2420 wrote to memory of 2864	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	37
PID 2420 wrote to memory of 584	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	40
PID 2420 wrote to memory of 584	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	40
PID 2420 wrote to memory of 584	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	40
PID 2420 wrote to memory of 584	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	40
PID 2420 wrote to memory of 584	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	40
PID 2420 wrote to memory of 584	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	40
PID 2420 wrote to memory of 584	2420	a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe	40
PID 2324 wrote to memory of 2900	2324	36bd.exe	41
PID 2324 wrote to memory of 2900	2324	36bd.exe	41
PID 2324 wrote to memory of 2900	2324	36bd.exe	41
PID 2324 wrote to memory of 2900	2324	36bd.exe	41
PID 2324 wrote to memory of 2900	2324	36bd.exe	41
PID 2324 wrote to memory of 2900	2324	36bd.exe	41
PID 2324 wrote to memory of 2900	2324	36bd.exe	41
PID 2324 wrote to memory of 1480	2324	36bd.exe	42

C:\Users\Admin\AppData\Local\Temp\a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1508d6acaa0907f088ba7a4dcf8746e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4bl4.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/c6cb.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/353r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b33o.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2932
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2828
- C:\Windows\SysWOW64\36bd.exe
  C:\Windows\system32/36bd.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Windows\SysWOW64\36bd.exe
  C:\Windows\system32/36bd.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:584
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll, Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2796

C:\Windows\SysWOW64\36bd.exe
C:\Windows\SysWOW64\36bd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/36be.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2156
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2448
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:408
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1312
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1896
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1964
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1916
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1576
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:756
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1496
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1984
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2032
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1904
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2232
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2288
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1640
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2748
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2552
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32/regsvr32.exe /s "C:\Windows\system32/b33o.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
59KB

MD5
e0e3aeaf90f7049a21c7a4cfc1439ef7

SHA1
3dd40dbf5dcdac22e01ad021465ddec37a675aef

SHA256
fbd332fa664fffbea0d405fe3de8c8f089198ba05d1760a8dd84d868abe27152

SHA512
263ba547bc58b442a000b9439bac9ab6cd77fc92abbd446237fa268b4713df251b193f2367814614a02c8c17a74d64e6888b158fff05d75ebc6e3bdc85faea9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
48KB

MD5
206e449a1f7395dbee9846905397f4f1

SHA1
f00d012fba44eb4dc3a74bb32afad62a28d661f1

SHA256
da70d71b9e278c15304c621a57bc36c5d679f6ddc7883096b219fb08b8c064ae

SHA512
7eea34d2c439210ee9417e163e818c9aaa7dfd0af7c2ca301829dc996c2b5369098436a61d95b681f789714d50f54ddb44d4bec6408f9f2390b39db3e641c067

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
384KB

MD5
ad3a1c8624eb5920f0f847296ffeb024

SHA1
2ca263446ec2699f4e1767b759d514f9e1ef7ee6

SHA256
7224055e830af645f19573d000bb3b54b35f01d54ac72994b1c984c6e6c06466

SHA512
ab6e7d52344beda48e12f86ba18f87c4a1208e0d4db5727f5e9a623fc2e732b5bcb18805d9c46b8dfde83126fb6c90952dc9304af935b409281a5aafc586a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
120KB

MD5
2f442c189e9ee9ff8a0f430ae8aee116

SHA1
0d2bf71d1473f235c645b29cb295807ad27c7e92

SHA256
1e9d68626e2b718188d69b56016a46f3acb799c316279260d1225885978b3f62

SHA512
fab8961d13ae3458bc2f150e3ed7fb97d1baa18c346bb664ecb6aee9e71f2e98510c478bcfe1ec36b0cd01c16d060db0e5cb05d933d593326c121c8aefb8018a

Download Submit
C:\Windows\Temp\tmp.exe

Filesize
52KB

MD5
368e6515e481712f9a8d309fbfb953a3

SHA1
a7109fb87bd009719b130ddde884d9f937dcecef

SHA256
f764e116479677d9e3f61a7b3ff7324276d2591b209b6170bc322c0e612810c7

SHA512
0f876673f26b108fe4173517d2c6f7c11577982af6a38f959ae6243e50c6c194d7635eb4977e060430db5247aeb5ca2a47b50142db1636b34b30b4e2b7645b2d

Download Submit
memory/408-152-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/756-180-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1312-160-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1496-184-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1576-176-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1896-164-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1904-198-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1916-172-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1964-168-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1984-192-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2032-195-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2076-188-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2156-145-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2232-200-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2420-2-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2420-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2420-1-0x0000000000240000-0x00000000002BE000-memory.dmp

Filesize
504KB

Download
memory/2420-132-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2580-156-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2824-210-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2828-61-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2840-204-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2860-207-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3016-141-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download