560b03c4ba18e5a443f74a69727db0eabac6f455bb836757d620cc51615a92ea

Resubmissions

20-04-2024 17:03

240420-vkpg6sdb99 3

20-04-2024 16:55

240420-vfgxjada85 8

Analysis

max time kernel
278s
max time network
412s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 16:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-20T17:02:52Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240226-en/instance_5-dirty.qcow2\"}"

Report Analysis Logs

General

Target

$PLUGINSDIR/System.dll
Size

12KB
MD5

0d7ad4f45dc6f5aa87f606d0331c6901
SHA1

48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256

3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512

c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
SSDEEP

192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

197 raw.githubusercontent.com
198 raw.githubusercontent.com
199 raw.githubusercontent.com
196 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

salinewin.exe

description ioc process

File opened for modification \??\PhysicalDrive0 salinewin.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4708 3476 WerFault.exe rundll32.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5492 reg.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

salinewin.exesalinewin.exe

pid process

1376 salinewin.exe
700 salinewin.exe

flow	ioc
197	raw.githubusercontent.com
198	raw.githubusercontent.com
199	raw.githubusercontent.com
196	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	salinewin.exe

pid	pid_target	process	target process
4708	3476	WerFault.exe	rundll32.exe

pid	process
5492	reg.exe

pid	process
1376	salinewin.exe
700	salinewin.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exesalinewin.execmd.exe

description	pid	process	target process
PID 556 wrote to memory of 3476	556	rundll32.exe	rundll32.exe
PID 556 wrote to memory of 3476	556	rundll32.exe	rundll32.exe
PID 556 wrote to memory of 3476	556	rundll32.exe	rundll32.exe
PID 700 wrote to memory of 656	700	salinewin.exe	cmd.exe
PID 700 wrote to memory of 656	700	salinewin.exe	cmd.exe
PID 700 wrote to memory of 656	700	salinewin.exe	cmd.exe
PID 656 wrote to memory of 5492	656	cmd.exe	reg.exe
PID 656 wrote to memory of 5492	656	cmd.exe	reg.exe
PID 656 wrote to memory of 5492	656	cmd.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
2⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 612
3⤵
- Program crash
PID:4708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.0.1677501368\486823999" -parentBuildID 20221007134813 -prefsHandle 1828 -prefMapHandle 1820 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {694ffbf2-3913-4d86-9574-10f5498d98a2} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 1908 15bacded858 gpu
1⤵
PID:1368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.1.454362856\147905112" -parentBuildID 20221007134813 -prefsHandle 2296 -prefMapHandle 2292 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc3aa67d-838c-451d-968b-cd8638f24c74} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 2308 15bacafa558 socket
1⤵
PID:640

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.2.1941627509\928995319" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a9cf9f-5d64-4fbc-89d7-33c647897958} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 2932 15bb0945f58 tab
1⤵
PID:3576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.3.629177718\384159708" -childID 2 -isForBrowser -prefsHandle 2352 -prefMapHandle 1384 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43ef4031-cd01-4897-8f28-05b125219e72} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 1220 15ba0371658 tab
1⤵
PID:3836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.4.171017485\2022747708" -childID 3 -isForBrowser -prefsHandle 3788 -prefMapHandle 3796 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d151f8cd-7144-46c5-a232-74bb9ca73084} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 3808 15ba0362858 tab
1⤵
PID:1624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.5.1487308996\1417739115" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 4976 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db8934f1-0783-4a53-a745-4ae9a1eab63b} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 4964 15bb0e47258 tab
1⤵
PID:2840

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.6.1762244600\2039826197" -childID 5 -isForBrowser -prefsHandle 4704 -prefMapHandle 2708 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dff3765-a6b6-489b-8a65-0b15c06cb07e} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 5116 15bb2a58a58 tab
1⤵
PID:3352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.7.1150561757\203959409" -childID 6 -isForBrowser -prefsHandle 5144 -prefMapHandle 5148 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8af7eb40-2fd2-4607-a242-20f6b1610d0f} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 5136 15bb2a5ab58 tab
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3476 -ip 3476
1⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:5428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.8.26098988\810619475" -childID 7 -isForBrowser -prefsHandle 3508 -prefMapHandle 3504 -prefsLen 26471 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18b06f01-dacc-4bdd-be4f-5d89fd160468} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 3124 15bb2808a58 tab
1⤵
PID:5632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.9.1747148195\1280206440" -childID 8 -isForBrowser -prefsHandle 4312 -prefMapHandle 5376 -prefsLen 26734 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c012fd6c-80f1-4a83-aa94-28b9cd2984e6} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 4560 15baf718d58 tab
1⤵
PID:316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.10.2018674685\383642897" -childID 9 -isForBrowser -prefsHandle 5944 -prefMapHandle 5868 -prefsLen 26734 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f6bbc7a-5e2f-4568-a876-59c8e4af7186} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 6048 15bb497a358 tab
1⤵
PID:5100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4124.11.1169107545\1389374028" -childID 10 -isForBrowser -prefsHandle 4428 -prefMapHandle 4416 -prefsLen 26734 -prefMapSize 233444 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5841226e-3651-4766-93c5-33dcda6903f7} 4124 "\\.\pipe\gecko-crash-server-pipe.4124" 5804 15bb486d458 tab
1⤵
PID:2696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\reg.exe
REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
3⤵
- Modifies registry key
PID:5492

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x4f0
1⤵
PID:5268

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39bc055 /state1:0x41c64e6d
1⤵
PID:3504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads