608baaa3ec9cfdf7eebbd360828dc871e3cc53cd791bb6152c8bd6c4adbf716e

Analysis

max time kernel
170s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

csla_30367.exe
Size

2.0MB
MD5

fdc89772a53b7ac5b336789ef67a0911
SHA1

5bb38ac0f1e605c6e710268d9a7bcacdc343952b
SHA256

d9bf029440c25e053980e95f54750c9f942118c19f54d411e8ded9c8a4c352f8
SHA512

7d5436780c9bc2b38a026a89b943b03e8d3031eba0f1bb356422bef25ad27f1e34f75f932db3deedcf02fd39b8f0657fbc4f9e47ea7b6be33140897c62b8bd05
SSDEEP

49152:w+q5Y63XJAqJepSwLOHE8daBY2qCWRcGT48zNq:n6Y6Jl2z6HExBPhWmGTW

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 10 IoCs

Processes:

csla_30367.exe

pid	process
4396	csla_30367.exe
4396	csla_30367.exe
4396	csla_30367.exe
4396	csla_30367.exe
4396	csla_30367.exe
4396	csla_30367.exe
4396	csla_30367.exe
4396	csla_30367.exe
4396	csla_30367.exe
4396	csla_30367.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

csla_30367.exe

description ioc process

File opened for modification \??\PhysicalDrive0 csla_30367.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	csla_30367.exe

Modifies registry class 3 IoCs

Processes:

csla_30367.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid	csla_30367.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd	csla_30367.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 13492982f7d171409967e65629860a73	csla_30367.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

csla_30367.exe

pid process

4396 csla_30367.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

csla_30367.exe

pid process

4396 csla_30367.exe

C:\Users\Admin\AppData\Local\Temp\csla_30367.exe
"C:\Users\Admin\AppData\Local\Temp\csla_30367.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\BDMDownload.dll
Filesize
158KB

MD5
b62367fe2d02b8f47914b088a006d50c

SHA1
3743c953e48e6f3f76689423ba9c1ed25e9f86d3

SHA256
cbd4c5b6b945620e8b65752dff5a0f0900fc5de2dda8daf3cdda68b1661420b7

SHA512
c010e3cc736ac1e10c6af44132d831df34d09bf1e7d1e96fb5c9f571cade04462d442c4b0fd84de92dc68d753a0beab0b4081122d53d516406f0d3c1ec1e0dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\BDMDownload.dll
Filesize
158KB

MD5
b62367fe2d02b8f47914b088a006d50c

SHA1
3743c953e48e6f3f76689423ba9c1ed25e9f86d3

SHA256
cbd4c5b6b945620e8b65752dff5a0f0900fc5de2dda8daf3cdda68b1661420b7

SHA512
c010e3cc736ac1e10c6af44132d831df34d09bf1e7d1e96fb5c9f571cade04462d442c4b0fd84de92dc68d753a0beab0b4081122d53d516406f0d3c1ec1e0dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\BDMNetGetInfo.dll
Filesize
314KB

MD5
12f98be1d919784370eb0f87e78b60d8

SHA1
d07de2227b2ec68545be0adeb042af457d68f9e2

SHA256
63e34375374ae6cc695c0bc03f1f9aad67e068fc51962fd25edbf2fbeceda9f9

SHA512
ab2fcdd3eb7b58f044a855b5cae744bc1b3be599cf0d22ee93ccce2e97cb3bc1f36ea2c1ed75013c76f8c9e4071ba29710595c3a57cda2470885ee9293fc2d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\BDMNetGetInfo.dll
Filesize
314KB

MD5
12f98be1d919784370eb0f87e78b60d8

SHA1
d07de2227b2ec68545be0adeb042af457d68f9e2

SHA256
63e34375374ae6cc695c0bc03f1f9aad67e068fc51962fd25edbf2fbeceda9f9

SHA512
ab2fcdd3eb7b58f044a855b5cae744bc1b3be599cf0d22ee93ccce2e97cb3bc1f36ea2c1ed75013c76f8c9e4071ba29710595c3a57cda2470885ee9293fc2d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\BDMSkin.dll
Filesize
1.3MB

MD5
39257175ac9c90199c69aea1a7bcbda0

SHA1
6cf4a8dedf37d24ce902f34fa66120a214e1a2cc

SHA256
84d5fb0a7cf1bc1e4bbd0de51d3b7eb04bb92af9a1fc3675601b382a5f11d9fc

SHA512
4a71d0ac3df53b25509205e9ed0bf781cbefa2ba6307501ae336488c8a3f7f627b8d01f861adbf47986e168abab5a06b36848f87cbcf27fe846e5f0ffc3a9f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\BDMSkin.dll
Filesize
1.3MB

MD5
39257175ac9c90199c69aea1a7bcbda0

SHA1
6cf4a8dedf37d24ce902f34fa66120a214e1a2cc

SHA256
84d5fb0a7cf1bc1e4bbd0de51d3b7eb04bb92af9a1fc3675601b382a5f11d9fc

SHA512
4a71d0ac3df53b25509205e9ed0bf781cbefa2ba6307501ae336488c8a3f7f627b8d01f861adbf47986e168abab5a06b36848f87cbcf27fe846e5f0ffc3a9f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\KVNetInstallHelper.dll
Filesize
5.6MB

MD5
4026d7ff3c8b4c01f58980ffd420acca

SHA1
9eed66c50585a8d3c5d2c6a7b2e6dd8ebeec9097

SHA256
16de77748719ee43aa3b64964711f060c765837a318106cbf893d05fda74d627

SHA512
5d2791474d3f7d6f0376c6112016267d501f6b6b281cade504d0e1d9e1aa5b9fe7d49e54089e92a15fabd3a3c1afeeed962601f6371987c12e3f2ad11d9b4ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\System.dll
Filesize
18KB

MD5
1c951bbcbc780046d6be1079a04870a4

SHA1
a5bae7d838973154e6fac69b1c5ff7d2cda01906

SHA256
d23676fbcf76355d1af68e7b32964b837243349920921b2ec74d97554809a65e

SHA512
62c3686baed2232f7d8ddc8f48a41761812b5b2a67f3a689b7a43275f077842366abc13c7e8259613bfd9df25cf467e4001337c1454aec910abce121d551e2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\dl.dll
Filesize
1.9MB

MD5
763b532d651f0ad5e135d9b57bf4fba4

SHA1
23f1302f904a67a1fe0d48e11a435c2f36336196

SHA256
50b3c45ede6fd2d77c4f040242b2174289767b18a3a084e7046133b05f93e173

SHA512
a4ec0f5bfa30d3558935f4075a75aebf080ece324a550c573d8a424730693b030cd26b4862973e8da8937e610c287d64e96c2fd952b59324ed1822919a00737c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\dl.dll
Filesize
1.9MB

MD5
763b532d651f0ad5e135d9b57bf4fba4

SHA1
23f1302f904a67a1fe0d48e11a435c2f36336196

SHA256
50b3c45ede6fd2d77c4f040242b2174289767b18a3a084e7046133b05f93e173

SHA512
a4ec0f5bfa30d3558935f4075a75aebf080ece324a550c573d8a424730693b030cd26b4862973e8da8937e610c287d64e96c2fd952b59324ed1822919a00737c

Download Submit
memory/4396-136-0x0000000003220000-0x0000000003377000-memory.dmp

Filesize
1.3MB

Download
memory/4396-140-0x0000000005810000-0x000000000585F000-memory.dmp

Filesize
316KB

Download
memory/4396-149-0x0000000006370000-0x000000000655D000-memory.dmp

Filesize
1.9MB

Download