Resubmissions
23/02/2024, 10:06  240223-l5dfzafb34  8
22/02/2024, 21:32  240222-1dt2zafd3z  8
22/02/2024, 21:30  240222-1ctptaff92  4
22/02/2024, 21:25  240222-z9kmqsff58  8

Analysis
max time kernel: 28s
max time network: 190s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 22/02/2024, 21:25
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: readme.txt
Resource: win11-20240221-en
9 signatures, 150 seconds
General
Target: readme.txt
Size: 318B
MD5: d066989e7c3329ceee99b4461a31cad6
SHA1: aba6ba54cfb19ac454bad9b18e75b86be1f8d625
SHA256: a56b31136f7a822ca4e01d17728e1683989e440e6ccff7bf1ca0f282ef521648
SHA512: 2c9388f87a4b3a3582697b968d70463194c7475ae5502790299c4030762f09e6581e38b5c52fe0202bf61862cec6fd0e988c9f0689a78fa564c4b744c5be4e47
Score: 8/10
Malware Config

Signatures
- Disables Task Manager via registry modification
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description: File opened for modification; ioc: \??\PhysicalDrive0; Process: salinewin.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings; Process: cmd.exe
- Modifies registry key (1 TTPs, 1 IoCs)
  pid: 2504; Process: reg.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid: 2908; Process: NOTEPAD.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: 33; pid: 400; Process: AUDIODG.EXE
  description: Token: SeIncBasePriorityPrivilege; pid: 400; Process: AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 3144; Process: salinewin.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 1700 wrote to memory of 2908; pid: 1700; Process: cmd.exe; procid_target: 79
  description: PID 1700 wrote to memory of 2908; pid: 1700; Process: cmd.exe; procid_target: 79
  description: PID 3144 wrote to memory of 4072; pid: 3144; Process: salinewin.exe; procid_target: 87
  description: PID 3144 wrote to memory of 4072; pid: 3144; Process: salinewin.exe; procid_target: 87
  description: PID 3144 wrote to memory of 4072; pid: 3144; Process: salinewin.exe; procid_target: 87
  description: PID 4072 wrote to memory of 2504; pid: 4072; Process: cmd.exe; procid_target: 89
  description: PID 4072 wrote to memory of 2504; pid: 4072; Process: cmd.exe; procid_target: 89
  description: PID 4072 wrote to memory of 2504; pid: 4072; Process: cmd.exe; procid_target: 89
Processes
- Image: C:\Windows\system32\cmd.exe
  Command: cmd /c C:\Users\Admin\AppData\Local\Temp\readme.txt
  PID: 1700
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - Image: C:\Windows\system32\NOTEPAD.EXE
    Command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\readme.txt
    PID: 2908
    Signatures: Opens file in notepad (likely ransom note)
- Image: C:\Windows\System32\rundll32.exe
  Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1932
- Image: C:\Users\Admin\Desktop\salinewin.exe
  Command: "C:\Users\Admin\Desktop\salinewin.exe"
  PID: 3144
  Signatures: Writes to the Master Boot Record (MBR); Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    PID: 4072
    Signatures: Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\reg.exe
      Command: REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      PID: 2504
      Signatures: Modifies registry key
- Image: C:\Windows\system32\AUDIODG.EXE
  Command: C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004E8
  PID: 400
  Signatures: Suspicious use of AdjustPrivilegeToken