Resubmissions

23/02/2024, 10:06

240223-l5dfzafb34 8

22/02/2024, 21:32

240222-1dt2zafd3z 8

22/02/2024, 21:30

240222-1ctptaff92 4

22/02/2024, 21:25

240222-z9kmqsff58 8

Analysis

  • max time kernel
    28s
  • max time network
    190s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22/02/2024, 21:25

General

  • Target

    readme.txt

  • Size

    318B

  • MD5

    d066989e7c3329ceee99b4461a31cad6

  • SHA1

    aba6ba54cfb19ac454bad9b18e75b86be1f8d625

  • SHA256

    a56b31136f7a822ca4e01d17728e1683989e440e6ccff7bf1ca0f282ef521648

  • SHA512

    2c9388f87a4b3a3582697b968d70463194c7475ae5502790299c4030762f09e6581e38b5c52fe0202bf61862cec6fd0e988c9f0689a78fa564c4b744c5be4e47

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\readme.txt
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2908
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1932
    • C:\Users\Admin\Desktop\salinewin.exe
      "C:\Users\Admin\Desktop\salinewin.exe"
      1⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3144
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Windows\SysWOW64\reg.exe
          REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
          3⤵
          • Modifies registry key
          PID:2504
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004E8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:400

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads