bdbac2f17795626b5f2c7174327e118b212eee9ea7f291113661cf91dd5fb59c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
Size

391KB
MD5

2e391c25a113b890b3f4dd5dc81230e5
SHA1

61537ea107c566eeae6d1a476e0feac67c2c21d8
SHA256

bdbac2f17795626b5f2c7174327e118b212eee9ea7f291113661cf91dd5fb59c
SHA512

708a29e55e0e7962b9e039a7e5205210ea689d3dabf36bd43405d96265cfd4a750975ef7a19f4bfe25df9de2da53be9e150f03d84a8433c1f625cd6380825e5a
SSDEEP

6144:OY9GYX5o45hdzgdfmgFL1yISqsZXj3vjw7a144ghCgOVXlfYfpdhZacivDgr+C:OhmjvdzJgFkdj3rGro1mWcirgb

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	330d.exe

Executes dropped EXE 4 IoCs

pid	Process
4760	330d.exe
3716	330d.exe
2552	330d.exe
4012	mtv.exe

Loads dropped DLL 33 IoCs

pid	Process
492	regsvr32.exe
2552	330d.exe
4872	rundll32.exe
3700	rundll32.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe
2552	330d.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	330d.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\70l8.dll	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\33u6.exe	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dll	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dlltmp	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\a3do.dlltmp	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\41067295	rundll32.exe
File created	C:\Windows\SysWOW64\05ba	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a3do.dll	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dlltmp	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0aa3.dll	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dlltmp	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03as.dll	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dll	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0ddd.exe	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\330e.dll	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File opened for modification	C:\Windows\SysWOW64\30e6.dll	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0dr0.exe	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\330d.exe	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\0d06.exe	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\64a.bmp	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\864.exe	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\686.flv	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\4acu.bmp	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\d06d.flv	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\aa0d.bmp	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\733a.flv	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.exe	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\068u.bmp	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\068d.exe	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File opened for modification	C:\Windows\068d.flv	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	330d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	330d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\ = "IFffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\TypeLib\ = "{F914606B-7622-4364-9FCA-889F50C497D8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID\ = "{BA1B62CC-6D79-4901-B6A2-409F98906E9D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\TypeLib\ = "{F914606B-7622-4364-9FCA-889F50C497D8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\ = "CFffPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\ = "CFffPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\ProgID\ = "BHO.FffPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\a3do.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\ = "IFffPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer\CurVer\ = "BHO.FffPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA1B62CC-6D79-4901-B6A2-409F98906E9D}\VersionIndependentProgID\ = "BHO.FffPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\a3do.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FffPlayer.1\CLSID\ = "{BA1B62CC-6D79-4901-B6A2-409F98906E9D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F914606B-7622-4364-9FCA-889F50C497D8}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BFA0DF5-865F-48CC-9D0C-377036D38208}\TypeLib\ = "{F914606B-7622-4364-9FCA-889F50C497D8}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2552	330d.exe
2552	330d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4012	mtv.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 1952	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	84
PID 4384 wrote to memory of 1952	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	84
PID 4384 wrote to memory of 1952	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	84
PID 4384 wrote to memory of 4952	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	85
PID 4384 wrote to memory of 4952	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	85
PID 4384 wrote to memory of 4952	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	85
PID 4384 wrote to memory of 364	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	86
PID 4384 wrote to memory of 364	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	86
PID 4384 wrote to memory of 364	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	86
PID 4384 wrote to memory of 1616	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	87
PID 4384 wrote to memory of 1616	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	87
PID 4384 wrote to memory of 1616	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	87
PID 4384 wrote to memory of 492	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	89
PID 4384 wrote to memory of 492	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	89
PID 4384 wrote to memory of 492	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	89
PID 4384 wrote to memory of 4760	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	90
PID 4384 wrote to memory of 4760	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	90
PID 4384 wrote to memory of 4760	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	90
PID 4384 wrote to memory of 3716	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	93
PID 4384 wrote to memory of 3716	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	93
PID 4384 wrote to memory of 3716	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	93
PID 4384 wrote to memory of 4012	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	96
PID 4384 wrote to memory of 4012	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	96
PID 4384 wrote to memory of 4012	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	96
PID 2552 wrote to memory of 4872	2552	330d.exe	97
PID 2552 wrote to memory of 4872	2552	330d.exe	97
PID 2552 wrote to memory of 4872	2552	330d.exe	97
PID 4384 wrote to memory of 3700	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	98
PID 4384 wrote to memory of 3700	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	98
PID 4384 wrote to memory of 3700	4384	2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e391c25a113b890b3f4dd5dc81230e5_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/70l8.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1952
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/03ca.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4952
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/da3r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:364
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a3do.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/a3do.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:492
- C:\Windows\SysWOW64\330d.exe
  C:\Windows\system32/330d.exe -i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4760
- C:\Windows\SysWOW64\330d.exe
  C:\Windows\system32/330d.exe -s
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4012
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll, Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3700

C:\Windows\SysWOW64\330d.exe
C:\Windows\SysWOW64\330d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/330e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
135KB

MD5
cafadeb2ddaae2664880ee57a6b2bfeb

SHA1
3f95ad686415792220230a0c9247cbbb3044ba08

SHA256
e88c197d862dff23aa86cdcc6575f53af1a794dac8fb60b3bcd805653441b766

SHA512
1ff9c16a33e4a5e7e4c297c44de872c490ad14a5a0f5b877fc6fcee20066b5825df754700dc33e62ee14e4bb1ea5fb79cb83c589809fce42e9112f1692e09537

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
124KB

MD5
31b5efdf9cd559439b373a57f99a6bce

SHA1
5e18ad508e6340e4a021fdd30d881ab0676b0dcc

SHA256
649a73746f1df41f5cbfc463d5b030c865e80ff3c91867f588b63ca89461c7b3

SHA512
c6e1596a71de291b55dff0a04eb8e19fa06ab621112016b227f69c5e39e5416845f063fef81be6208ca40710e0b57f491de1013211aa0b89b0df16530a496885

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
477KB

MD5
2dd2fc2f340d4c76972a42eda5056b25

SHA1
a966c4e5f20fcab77aa478ec0ac4d8dc5ed817e3

SHA256
e39bc8bf9f516efadcaa40e1edb3c8fa4c353f8f94920d3fd86add594a7819e1

SHA512
2a16b66426bffb5f86d610f4c80ee9f5c35d648119d9baf9fab27d26d0acca1661f7aa5e56e51148651aafc98aa537093091ea5c3b1b272fd4879d9c2198e585

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
152KB

MD5
0c71495a3b7dc4e140fe83d8c3706d71

SHA1
90e6dd8c1515595788c9b3734173a32d453adf62

SHA256
b501e9760ddcb8b87c3e562663548cdf7027f674ae0156908ae84da7cf7edbc9

SHA512
4647d273e9626d4c6c4f11c73f50162f5bb5723aac461c7d2e22e9a10858538628c94b0bf3048f16c99a91659e6d541fbfb76a3203c71c6fddc9f80179f570d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ho8\tmp.exe

Filesize
48KB

MD5
cee24b0740f6eec9b8a85fd3819d290e

SHA1
12d40223c6d38e26124c39ff2ee50fa9ca9a90d0

SHA256
626585f08b1ff4e4e8d1f0c8e3e1dbb98ab8abf200d5f6ae2bc1679c0adaf8a1

SHA512
bce92692db38556739998e0d69bc1c255ee78862fbac0e6f5f5556fb6ae75b3f82fa342752e1b671b0279543ad6b6de5f7db668d27ee0c8b9797220c5b619a25

Download Submit
memory/492-58-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2552-75-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2552-107-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2552-114-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2552-116-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2552-123-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2552-126-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4384-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4384-1-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/4384-100-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download