f38484003e400719dfbeaab61d2404796a98aaa4c9f9c975e7dca49b612130d6

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
Size

580KB
MD5

b19570295774aa59a8ffb4849aa18735
SHA1

5aba19cbfe74b7b1992d1f85da0dd550753b5e3a
SHA256

f38484003e400719dfbeaab61d2404796a98aaa4c9f9c975e7dca49b612130d6
SHA512

dae4895ec6afa4d3665fbf1b8f84c3083580a346b7ec7b00e730fb21ae264a058e8a4074f843663264ff50ae336ed296b0259d178f79766652d31a2a59dd0fff
SSDEEP

12288:XQ5Tw3W1SXMe7tYm7CoaUAp/0vI4jkAEzs4k65j+oy5asIjkOSIb7xLXfCJ4:X0w3MSt7tKIe2I4fcsVO+oI3Ijkj47xj

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aaad.exe

Executes dropped EXE 3 IoCs

pid	Process
5064	aaad.exe
3192	aaad.exe
2860	aaad.exe

Loads dropped DLL 33 IoCs

pid	Process
4940	regsvr32.exe
2860	aaad.exe
4520	rundll32.exe
584	rundll32.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe
2860	aaad.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	aaad.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\70l8.dll	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\830e.dll	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\33u6.exe	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03as.dll	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dlltmp	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dll	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aaad.exe	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\126-96543	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\30e6.dll	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0aa3.dll	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dlltmp	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0ddd.exe	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\03ca.dll	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\da3r.dll	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8ado.dlltmp	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\013c	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\0dr0.exe	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70l8.dlltmp	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\aa0d.bmp	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\686.flv	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\4acu.bmp	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.flv	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\64au.bmp	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\864d.exe	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\0d06.exe	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\733a.flv	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\64a.bmp	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\864.exe	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\686d.exe	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File opened for modification	C:\Windows\d06d.flv	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
File created	C:\Windows\Tasks\ms.job	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaad.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2860	aaad.exe
2860	aaad.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 4472	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	83
PID 4716 wrote to memory of 4472	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	83
PID 4716 wrote to memory of 4472	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	83
PID 4716 wrote to memory of 3944	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	84
PID 4716 wrote to memory of 3944	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	84
PID 4716 wrote to memory of 3944	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	84
PID 4716 wrote to memory of 4424	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	85
PID 4716 wrote to memory of 4424	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	85
PID 4716 wrote to memory of 4424	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	85
PID 4716 wrote to memory of 4952	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	86
PID 4716 wrote to memory of 4952	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	86
PID 4716 wrote to memory of 4952	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	86
PID 4716 wrote to memory of 4940	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	87
PID 4716 wrote to memory of 4940	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	87
PID 4716 wrote to memory of 4940	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	87
PID 4716 wrote to memory of 5064	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	88
PID 4716 wrote to memory of 5064	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	88
PID 4716 wrote to memory of 5064	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	88
PID 4716 wrote to memory of 3192	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	90
PID 4716 wrote to memory of 3192	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	90
PID 4716 wrote to memory of 3192	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	90
PID 4716 wrote to memory of 4520	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	93
PID 4716 wrote to memory of 4520	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	93
PID 4716 wrote to memory of 4520	4716	b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe	93
PID 2860 wrote to memory of 584	2860	aaad.exe	94
PID 2860 wrote to memory of 584	2860	aaad.exe	94
PID 2860 wrote to memory of 584	2860	aaad.exe	94

C:\Users\Admin\AppData\Local\Temp\b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b19570295774aa59a8ffb4849aa18735_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4472
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3944
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4424
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4952
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4940
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32\aaad.exe -i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5064
- C:\Windows\SysWOW64\aaad.exe
  C:\Windows\system32\aaad.exe -s
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4520

C:\Windows\SysWOW64\aaad.exe
C:\Windows\SysWOW64\aaad.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
216KB

MD5
aedf5e5d1f1f478936d30f1b937b8537

SHA1
56206fb55e636b977fe7524c7db0d44e3e76262c

SHA256
e7cce4ff5575a4e8ebb6fb891fee5a34922b09f7089323554283efc5e8e79382

SHA512
c7ad70e55faf84b77a4c5936488587882b80fa4e883660f9c684c933908bfd557f10b78e254418eeaf2a4db20950a4805aeea126b80d35863ed0d6172530c0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
412KB

MD5
579ad39b0938a4040efe76715faa2a33

SHA1
1e1a111f2856c7b28eed809381b90d018aec9c9a

SHA256
c3f3668af2e4f2cfefaa5c8b99d6915c30efe5299911c1353811096bb3dd5b55

SHA512
da8cccb0ed00bc826ab0b7c2a87e55e81eafee27d05f913e2a54a56d55fa74c99deeb80dfa0cc13cc9073acd269ad2d0880035d9659d0d9e6012ab9490d756b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

Filesize
152KB

MD5
b6c2782d0746e7d43034372a4fe64133

SHA1
7fa3ef387fbccb031c02e39c67aefde5da16761a

SHA256
3fb1ec5810cd066c4a8ff362bae7c9ffa8fe6f50bbff7da76f72a0a035ce85a5

SHA512
abc89d193b43eca7c5d468130dac504d45a63e14aa4b6b3464d84763607c4ba1475f2a1646b600c6fdb120e78cfec34fcb1b15adbb272724ed413ad7be492ad5

Download Submit