78aefd46d31f2bb67f0b9bd0d831f10f21bfd9d44b9deebcfa52c45e85a72473

Analysis

max time kernel
19s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

salinewin/Release/salinewin.exe
Size

283KB
MD5

2b1e9226d7e1015552a21faca891ec41
SHA1

f87fcbe10fa9312048214d4473498ad4f9f331ce
SHA256

7163fefbf2f865ef78a2d3d4480532fffb979300d6f0a77b6f3fc5c4b0d2cada
SHA512

1852f6d05c9fca962178bc190bc8c90f0ca54ea99714480690f44417e49eee6c392579091ae8a6cd053ec47ad1980dbbbc0db3e0e00520ee1bdbadbf8dc9d69e
SSDEEP

3072:HZVUJ58IAelkapH3shY6iEwgaBZP5pHQpYR95WPNpNMl3:nUJ5PzB5ZPPHQpY35WPNpGl3

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

salinewin.exe

description ioc process

File opened for modification \??\PhysicalDrive0 salinewin.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2524 reg.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	salinewin.exe

pid	process
2524	reg.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

salinewin.execmd.exe

description	pid	process	target process
PID 2188 wrote to memory of 2504	2188	salinewin.exe	cmd.exe
PID 2188 wrote to memory of 2504	2188	salinewin.exe	cmd.exe
PID 2188 wrote to memory of 2504	2188	salinewin.exe	cmd.exe
PID 2188 wrote to memory of 2504	2188	salinewin.exe	cmd.exe
PID 2504 wrote to memory of 2524	2504	cmd.exe	reg.exe
PID 2504 wrote to memory of 2524	2504	cmd.exe	reg.exe
PID 2504 wrote to memory of 2524	2504	cmd.exe	reg.exe
PID 2504 wrote to memory of 2524	2504	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\salinewin\Release\salinewin.exe
"C:\Users\Admin\AppData\Local\Temp\salinewin\Release\salinewin.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\reg.exe
REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
3⤵
- Modifies registry key
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads