Analysis
- max time kernel: 170s
- max time network: 185s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 00:48
Static task: static1
Behavioral task behavioral1: Sample CFV1.0/CF½.exe, Resource win7-20220901-en
Behavioral task behavioral2: Sample CFV1.0/CF½.exe, Resource win10v2004-20220901-en
Behavioral task behavioral3: Sample CFV1.0/.url, Resource win7-20221111-en
Behavioral task behavioral4: Sample CFV1.0/.url, Resource win10v2004-20220812-en
Behavioral task behavioral5: Sample csla_30367.exe, Resource win7-20220812-en
Behavioral task behavioral6: Sample csla_30367.exe, Resource win10v2004-20220812-en
Behavioral task behavioral7: Sample ˵.htm, Resource win7-20220812-en
Behavioral task behavioral8: Sample ˵.htm, Resource win10v2004-20220812-en
Behavioral task behavioral9: Sample վ.url, Resource win7-20220812-en
Behavioral task behavioral10: Sample վ.url, Resource win10v2004-20220812-en
General
- Target: csla_30367.exe
- Size: 2.0MB
- MD5: fdc89772a53b7ac5b336789ef67a0911
- SHA1: 5bb38ac0f1e605c6e710268d9a7bcacdc343952b
- SHA256: d9bf029440c25e053980e95f54750c9f942118c19f54d411e8ded9c8a4c352f8
- SHA512: 7d5436780c9bc2b38a026a89b943b03e8d3031eba0f1bb356422bef25ad27f1e34f75f932db3deedcf02fd39b8f0657fbc4f9e47ea7b6be33140897c62b8bd05
- SSDEEP: 49152:w+q5Y63XJAqJepSwLOHE8daBY2qCWRcGT48zNq:n6Y6Jl2z6HExBPhWmGTW
Malware Config
Signatures
- Loads dropped DLL (10 IoCs)
  Processes: pid 4396, process csla_30367.exe (10 entries)
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  File opened for modification: \??\PhysicalDrive0 (csla_30367.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (3 IoCs)
  Processes:
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid (csla_30367.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd (csla_30367.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 13492982f7d171409967e65629860a73 (csla_30367.exe)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: pid 4396, process csla_30367.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  Processes: pid 4396, process csla_30367.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\BDMDownload.dll (Filesize: 158KB)
-
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\BDMNetGetInfo.dll (Filesize: 314KB)
-
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\BDMSkin.dll (Filesize: 1.3MB)
-
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\KVNetInstallHelper.dll (Filesize: 5.6MB)
-
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\System.dll (Filesize: 18KB)
-
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\dl.dll (Filesize: 1.9MB)
-
memory/4396-136-0x0000000003220000-0x0000000003377000-memory.dmp (Filesize: 1.3MB)
-
memory/4396-140-0x0000000005810000-0x000000000585F000-memory.dmp (Filesize: 316KB)
-
memory/4396-149-0x0000000006370000-0x000000000655D000-memory.dmp (Filesize: 1.9MB)