Resubmissions

Submitted           ID                  Score
23/02/2024, 10:06   240223-l5dfzafb34   8
22/02/2024, 21:32   240222-1dt2zafd3z   8
22/02/2024, 21:30   240222-1ctptaff92   4
22/02/2024, 21:25   240222-z9kmqsff58   8

Analysis
max time kernel: 38s
max time network: 319s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23/02/2024, 10:06
Static task: static1

Behavioral task: behavioral1
  Sample: salinewin-safety.exe
  Resource: win10-20240221-en

Behavioral task: behavioral2
  Sample: salinewin.exe
  Resource: win10-20240221-en
General

Target: salinewin.exe
Size: 283KB
MD5: 2b1e9226d7e1015552a21faca891ec41
SHA1: f87fcbe10fa9312048214d4473498ad4f9f331ce
SHA256: 7163fefbf2f865ef78a2d3d4480532fffb979300d6f0a77b6f3fc5c4b0d2cada
SHA512: 1852f6d05c9fca962178bc190bc8c90f0ca54ea99714480690f44417e49eee6c392579091ae8a6cd053ec47ad1980dbbbc0db3e0e00520ee1bdbadbf8dc9d69e
SSDEEP: 3072:HZVUJ58IAelkapH3shY6iEwgaBZP5pHQpYR95WPNpNMl3:nUJ5PzB5ZPPHQpY35WPNpGl3
Malware Config
Signatures
Disables Task Manager via registry modification

Writes to the Master Boot Record (MBR)  (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  Description                   IoC                 Process
  File opened for modification  \??\PhysicalDrive0  salinewin.exe

Modifies registry key  (1 TTP, 1 IoC)
  PID   Process
  4968  reg.exe

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
  Description                        PID   Process
  Token: 33                          1112  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1112  AUDIODG.EXE

Suspicious use of WriteProcessMemory  (6 IoCs)
  Description                        PID   Process        procid_target
  PID 4692 wrote to memory of 2536   4692  salinewin.exe  72
  PID 4692 wrote to memory of 2536   4692  salinewin.exe  72
  PID 4692 wrote to memory of 2536   4692  salinewin.exe  72
  PID 2536 wrote to memory of 4968   2536  cmd.exe        74
  PID 2536 wrote to memory of 4968   2536  cmd.exe        74
  PID 2536 wrote to memory of 4968   2536  cmd.exe        74
Processes

1. C:\Users\Admin\AppData\Local\Temp\salinewin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\salinewin.exe"
   PID: 4692
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      PID: 2536
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe
         Command line: REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
         PID: 4968
         - Modifies registry key

1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x3a4
   PID: 1112
   - Suspicious use of AdjustPrivilegeToken