Malware Analysis Report

2025-08-10 12:04

Sample ID 240222-z9kmqsff58
Target salinewin.zip
SHA256 b3020dd6c9ffceaba72c465c8d596cf04e2d7388b4fd58f10d78be6b91a7e99d
Tags
bootkit evasion persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b3020dd6c9ffceaba72c465c8d596cf04e2d7388b4fd58f10d78be6b91a7e99d

Threat Level: Likely malicious

The file salinewin.zip was found to be: Likely malicious.

Malicious Activity Summary

bootkit evasion persistence

Disables Task Manager via registry modification

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 21:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 21:25

Reported

2024-02-22 21:29

Platform

win11-20240221-en

Max time kernel

28s

Max time network

190s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\readme.txt

Signatures

Disables Task Manager via registry modification

evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Desktop\salinewin.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\salinewin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 1700 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 3144 wrote to memory of 4072 N/A C:\Users\Admin\Desktop\salinewin.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 4072 N/A C:\Users\Admin\Desktop\salinewin.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 4072 N/A C:\Users\Admin\Desktop\salinewin.exe C:\Windows\SysWOW64\cmd.exe
PID 4072 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4072 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4072 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\readme.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\readme.txt

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\salinewin.exe

"C:\Users\Admin\Desktop\salinewin.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004E8

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

N/A