Analysis Overview
SHA256
b3020dd6c9ffceaba72c465c8d596cf04e2d7388b4fd58f10d78be6b91a7e99d
Threat Level: Likely malicious
The file salinewin.zip was found to be: Likely malicious.
Malicious Activity Summary
Disables Task Manager via registry modification
Writes to the Master Boot Record (MBR)
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 21:25
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 21:25
Reported
2024-02-22 21:29
Platform
win11-20240221-en
Max time kernel
28s
Max time network
190s
Signatures
Disables Task Manager via registry modification
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Desktop\salinewin.exe | N/A |
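The sample opens \??\PhysicalDrive0 for modification, which is how a user-mode process rewrites sector 0 without a driver. When triaging a host or image after this, the first check is whether the MBR still looks like an MBR. The parser below is an added example and not part of the report or of the sample; the two sector images it builds are constructed for illustration, not the detonated machine's real MBR. It validates the 0x55AA signature, decodes the four partition entries, flags a zeroed or empty layout, and names which regions differ from a known-good copy.

```python
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446              # bytes 0..445: boot code
TABLE_OFFSET = 446               # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xAA"          # bytes 510..511


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (little-endian, CHS fields skipped)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    entries = [parse_partition_entry(sector[off:off + 16])
               for off in range(TABLE_OFFSET, TABLE_OFFSET + 64, 16)]
    return {
        "has_signature": sector[510:512] == SIGNATURE,
        "bootstrap_all_zero": not any(sector[:BOOTSTRAP_LEN]),
        "partitions": [e for e in entries if e["type"] != 0],
    }


def assess_mbr(sector: bytes) -> list:
    """Return human-readable findings; an empty list means nothing looks wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["has_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_all_zero"]:
        findings.append("bootstrap code area is all zeros")
    if not info["partitions"]:
        findings.append("partition table is empty")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition marked active")
    return findings


def changed_regions(baseline: bytes, current: bytes) -> set:
    """Name the MBR regions that differ from a known-good copy (e.g. a backup)."""
    regions = {"bootstrap": (0, BOOTSTRAP_LEN),
               "partition_table": (TABLE_OFFSET, TABLE_OFFSET + 64),
               "signature": (510, 512)}
    return {name for name, (lo, hi) in regions.items()
            if baseline[lo:hi] != current[lo:hi]}


# Constructed samples (not the real MBR from the detonated machine).
def build_clean_mbr() -> bytes:
    # Placeholder boot code followed by NOPs, one active NTFS (0x07) partition at LBA 2048.
    bootstrap = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOTSTRAP_LEN - 7)
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x02\x03\x00", 0x07, b"\xFE\xFF\xFF",
                       2048, 0x00FFFFFF)
    return bootstrap + ntfs + bytes(48) + SIGNATURE


def build_overwritten_mbr() -> bytes:
    # Boot code replaced with a text payload and the partition table zeroed,
    # while the signature is left intact so firmware still hands control to it.
    text = b"YOUR FILES ARE ENCRYPTED".ljust(BOOTSTRAP_LEN, b"\x00")
    return text + bytes(64) + SIGNATURE
```

On an acquired disk image, feed the first 512 bytes of the image file to assess_mbr; on a live Windows host with administrative rights the same bytes can be read from \\.\PhysicalDrive0 opened read-only. Compare against sector 0 from a backup with changed_regions to tell a wiped bootstrap apart from a rewritten partition table.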
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\salinewin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1700 wrote to memory of 2908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 1700 wrote to memory of 2908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 3144 wrote to memory of 4072 | N/A | C:\Users\Admin\Desktop\salinewin.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3144 wrote to memory of 4072 | N/A | C:\Users\Admin\Desktop\salinewin.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3144 wrote to memory of 4072 | N/A | C:\Users\Admin\Desktop\salinewin.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4072 wrote to memory of 2504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4072 wrote to memory of 2504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4072 wrote to memory of 2504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\readme.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\readme.txt
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\salinewin.exe
"C:\Users\Admin\Desktop\salinewin.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004E8
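The process list shows the two chains that matter: salinewin.exe spawning cmd.exe to run REG ADD with DisableTaskMgr=1 under the HKCU policies\system key, and cmd.exe launching notepad.exe on a readme.txt in the user's Temp directory. The detection logic below is an added example, not part of the report or of any sandbox product; it runs over constructed process-creation events modelled on the Processes section. PIDs 3144, 4072, 2504, 1700 and 2908 and their command lines are taken from the report; the parent of 1700, the parent of 3144 and the AUDIODG.EXE PIDs are assumptions for illustration. It matches the Task Manager tamper regardless of hkcu/HKEY_CURRENT_USER spelling or casing, walks the parent chain to attribute a system binary's action to the first non-Windows image above it, and flags a notepad.exe launched on a user-writable .txt file.

```python
import re
from typing import Optional

SAMPLE = r"C:\Users\Admin\Desktop\salinewin.exe"

# Constructed events (assumed ppids: 3144 <- 1234, 1700 <- 3144, 5000 <- 1000).
EVENTS = [
    {"pid": 3144, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4072, "ppid": 3144, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f"},
    {"pid": 2504, "ppid": 4072, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f"},
    {"pid": 1700, "ppid": 3144, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\readme.txt"},
    {"pid": 2908, "ppid": 1700, "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\readme.txt'},
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\system32\AUDIODG.EXE",
     "cmdline": r"C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004E8"},
]

# reg add <HKCU policies\system key> ... /v DisableTaskMgr ... /d 1 (value 0 re-enables and is not flagged)
TASKMGR_RULE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?:hkcu|hkey_current_user)\\software\\microsoft\\windows'
    r'\\currentversion\\policies\\system"?\s.*?/v\s+disabletaskmgr\b.*?/d\s+(?:0x)?0*1\b',
    re.IGNORECASE,
)
# First quoted or bare drive-letter path ending in .txt on the command line
NOTE_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.txt)"?', re.IGNORECASE)
SYSTEM_DIR = "c:\\windows\\"


def is_system_image(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIR)


def root_non_system_ancestor(by_pid: dict, pid: int) -> Optional[dict]:
    """Walk ppid links until the first image outside C:\\Windows; None if there is none."""
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])          # guard against ppid cycles from PID reuse
        if not is_system_image(cur["image"]):
            return cur
        cur = by_pid.get(cur["ppid"])
    return None


def find_task_manager_tampering(events: list) -> list:
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if TASKMGR_RULE.search(e["cmdline"]):
            origin = root_non_system_ancestor(by_pid, e["pid"])
            findings.append({"pid": e["pid"], "image": e["image"],
                             "origin": origin["image"] if origin else None})
    return findings


def find_ransom_note_candidates(events: list) -> list:
    """notepad.exe opening a .txt under C:\\Users, attributed to its non-system ancestor."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for e in events:
        if not e["image"].lower().endswith("\\notepad.exe"):
            continue
        m = NOTE_ARG.search(e["cmdline"])
        if not m or "\\users\\" not in m.group(1).lower():
            continue
        origin = root_non_system_ancestor(by_pid, e["pid"])
        out.append({"pid": e["pid"], "note": m.group(1),
                    "origin": origin["image"] if origin else None})
    return out
```

Both finders report the same origin for this chain, salinewin.exe, which is the binary to pivot on; the AUDIODG.EXE event resolves to no non-system ancestor and is left alone, matching the report's privilege-token entries for it being ordinary system noise.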
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | N/A | tcp |