Overview
overview
10Static
static
5Raid_Recovery.exe
windows7-x64
7Raid_Recovery.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3Alligator.exe
windows7-x64
5Alligator.exe
windows10-2004-x64
5MIG_29.dll
windows7-x64
3MIG_29.dll
windows10-2004-x64
3PascalStreams.dll
windows7-x64
3PascalStreams.dll
windows10-2004-x64
3StarBurn.dll
windows7-x64
3StarBurn.dll
windows10-2004-x64
3Uninstall.exe
windows7-x64
7Uninstall.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3bs_load.dll
windows7-x64
3bs_load.dll
windows10-2004-x64
3bs_wm.dll
windows7-x64
3bs_wm.dll
windows10-2004-x64
3i386/CbFsMntNtf3.dll
windows7-x64
10i386/CbFsMntNtf3.dll
windows10-2004-x64
10i386/CbFsNetRdr3.dll
windows7-x64
3i386/CbFsNetRdr3.dll
windows10-2004-x64
3i386/cbfs3.sys
windows7-x64
1i386/cbfs3.sys
windows10-2004-x64
1ia64/CbFsMntNtf3.dll
windows7-x64
1ia64/CbFsMntNtf3.dll
windows10-2004-x64
1ia64/CbFsNetRdr3.dll
windows7-x64
1ia64/CbFsNetRdr3.dll
windows10-2004-x64
1wow64sup.exe
windows7-x64
1wow64sup.exe
windows10-2004-x64
1Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
08-11-2024 12:23
Behavioral task
behavioral1
Sample
Raid_Recovery.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral2
Sample
Raid_Recovery.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Alligator.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
Alligator.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
MIG_29.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral8
Sample
MIG_29.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
PascalStreams.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral10
Sample
PascalStreams.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
StarBurn.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral12
Sample
StarBurn.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Uninstall.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
Uninstall.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
bs_load.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral18
Sample
bs_load.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
bs_wm.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
bs_wm.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
i386/CbFsMntNtf3.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral22
Sample
i386/CbFsMntNtf3.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
i386/CbFsNetRdr3.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
i386/CbFsNetRdr3.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
i386/cbfs3.sys
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
i386/cbfs3.sys
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
ia64/CbFsMntNtf3.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
ia64/CbFsMntNtf3.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
ia64/CbFsNetRdr3.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral30
Sample
ia64/CbFsNetRdr3.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
wow64sup.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
wow64sup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
i386/CbFsMntNtf3.dll
-
Size
151KB
-
MD5
d48ecfbbcbfee2b91f369394759bcdb3
-
SHA1
3b19a6eba987f850a09dd8d4b4e9a4f5a12b99a8
-
SHA256
1cbfad3699e6b14a56d9c55caeb65253d440e426431278a0968cc0308a8d1d95
-
SHA512
2840869544bc099ad7b7c327ba2f1bf4e4cea27414c43b19a425b9e2b2ec971a4d93ce79253dfe7ecc8a463fa45e1c50b24342bfefd3fcfb199f5d586604b73c
-
SSDEEP
1536:W8B5kdgz33c6J9N2YXxn+42sgqf/jme/SSbaEEUkggEG34cvhWVPIWtZrm8gCy4F:W8gO3Tn2YXxNB7jorVQhIWtZrHgJ4W+
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\EldosMountNotificator = "{5FF49FE8-B332-4CB9-B102-FB6951629E55}" regsvr32.exe -
Modifies Shared Task Scheduler registry keys 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{5FF49FE8-B332-4CB9-B102-FB6951629E55} = "Virtual Storage Mount Notification" regsvr32.exe -
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5FF49FE8-B332-4CB9-B102-FB6951629E55}\ = "Virtual Storage Mount Notification" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5FF49FE8-B332-4CB9-B102-FB6951629E55} regsvr32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Modifies registry class 62 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\CbFsMntNtf3.dll\AppID = "{4666FB4D-64B4-4860-BD8B-38E119F9F5AA}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FF49FE8-B332-4CB9-B102-FB6951629E55} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437}\TypeLib\Version = "2.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4666FB4D-64B4-4860-BD8B-38E119F9F5AA} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FF49FE8-B332-4CB9-B102-FB6951629E55}\VersionIndependentProgID\ = "VSMntNtf.MountShlExt" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VSMntNtf.VSMntNtfOverlayIcon.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B54EE418-E4ED-41B0-B51F-D25D257B72EA}\2.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FF49FE8-B332-4CB9-B102-FB6951629E55}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i386\\CbFsMntNtf3.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437}\ = "IVSMntNtfOverlayIcon" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437}\TypeLib\Version = "2.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4666FB4D-64B4-4860-BD8B-38E119F9F5AA}\ = "VSMntNtf" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VSMntNtf.VSMntNtfOverlayIcon.1\CLSID\ = "{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VSMntNtf.VSMntNtfOverlayIcon\ = "VSMntNtfOverlayIcon Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}\ = "VSMntNtfOverlayIcon Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B54EE418-E4ED-41B0-B51F-D25D257B72EA}\2.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FF49FE8-B332-4CB9-B102-FB6951629E55}\ = "Virtual Storage Mount Notification" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FF49FE8-B332-4CB9-B102-FB6951629E55}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VSMntNtf.VSMntNtfOverlayIcon\CurVer\ = "VSMntNtf.VSMntNtfOverlayIcon.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}\TypeLib\ = "{B54EE418-E4ED-41B0-B51F-D25D257B72EA}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B54EE418-E4ED-41B0-B51F-D25D257B72EA}\2.0\HELPDIR\ regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FF49FE8-B332-4CB9-B102-FB6951629E55}\TypeLib\ = "{06DB5BFA-7A40-4FC6-88A6-34F6F073F690}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}\AppID = "{4666FB4D-64B4-4860-BD8B-38E119F9F5AA}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FF49FE8-B332-4CB9-B102-FB6951629E55}\AppID = "{4666FB4D-64B4-4860-BD8B-38E119F9F5AA}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437}\ = "IVSMntNtfOverlayIcon" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\CbFsMntNtf3.dll regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FF49FE8-B332-4CB9-B102-FB6951629E55}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VSMntNtf.VSMntNtfOverlayIcon\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i386\\CbFsMntNtf3.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B54EE418-E4ED-41B0-B51F-D25D257B72EA} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B54EE418-E4ED-41B0-B51F-D25D257B72EA}\2.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B54EE418-E4ED-41B0-B51F-D25D257B72EA}\2.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B54EE418-E4ED-41B0-B51F-D25D257B72EA}\2.0\0\win32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FF49FE8-B332-4CB9-B102-FB6951629E55}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VSMntNtf.VSMntNtfOverlayIcon regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VSMntNtf.VSMntNtfOverlayIcon\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437}\TypeLib\ = "{B54EE418-E4ED-41B0-B51F-D25D257B72EA}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437}\TypeLib\ = "{B54EE418-E4ED-41B0-B51F-D25D257B72EA}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FF49FE8-B332-4CB9-B102-FB6951629E55}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VSMntNtf.VSMntNtfOverlayIcon\CLSID\ = "{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}\ProgID\ = "VSMntNtf.VSMntNtfOverlayIcon.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B54EE418-E4ED-41B0-B51F-D25D257B72EA}\2.0\ = "VSMntNtf 2.0 Type Library" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VSMntNtf.VSMntNtfOverlayIcon.1\ = "VSMntNtfOverlayIcon Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}\VersionIndependentProgID\ = "VSMntNtf.VSMntNtfOverlayIcon" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VSMntNtf.VSMntNtfOverlayIcon.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B54EE418-E4ED-41B0-B51F-D25D257B72EA}\2.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B54EE418-E4ED-41B0-B51F-D25D257B72EA}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i386\\CbFsMntNtf3.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5FF49FE8-B332-4CB9-B102-FB6951629E55}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A16EC36B-20A2-47FF-AB7B-90DB0BD77437}\ProxyStubClsid32 regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2568 wrote to memory of 2376 2568 regsvr32.exe 30 PID 2568 wrote to memory of 2376 2568 regsvr32.exe 30 PID 2568 wrote to memory of 2376 2568 regsvr32.exe 30 PID 2568 wrote to memory of 2376 2568 regsvr32.exe 30 PID 2568 wrote to memory of 2376 2568 regsvr32.exe 30 PID 2568 wrote to memory of 2376 2568 regsvr32.exe 30 PID 2568 wrote to memory of 2376 2568 regsvr32.exe 30
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\i386\CbFsMntNtf3.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\i386\CbFsMntNtf3.dll2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies Shared Task Scheduler registry keys
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2376
-