Overview

Task                   Platform             Score
overview               -                    8
static                 -                    3
salinewin-...ty.exe    windows7-x64         1
salinewin-...ty.exe    windows10-2004-x64   1
salinewin/...te.bat    windows7-x64         1
salinewin/...te.bat    windows10-2004-x64   1
salinewin/...DL.dll    windows7-x64         1
salinewin/...DL.dll    windows10-2004-x64   1
salinewin/...-4.dll    windows7-x64         3
salinewin/...-4.dll    windows10-2004-x64   3
salinewin/...mu.exe    windows7-x64         1
salinewin/...mu.exe    windows10-2004-x64   1
salinewin/...ss.exe    windows7-x64         1
salinewin/...ss.exe    windows10-2004-x64   1
salinewin/...sm.exe    windows7-x64         1
salinewin/...sm.exe    windows10-2004-x64   1
salinewin/...in.exe    windows7-x64         7
salinewin/...in.exe    windows10-2004-x64   7
salinewin/...bin.py    windows7-x64         3
salinewin/...bin.py    windows10-2004-x64   3
salinewin/...in.exe    windows7-x64         8
salinewin/...in.exe    windows10-2004-x64   8
Analysis

max time kernel:  131s
max time network: 101s
platform:         windows10-2004_x64
resource:         win10v2004-20240508-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted:        26-05-2024 16:17
Static task: static1

Behavioral tasks

Task           Sample                                              Resource
behavioral1    salinewin-safety/Release/salinewin-safety.exe       win7-20240221-en
behavioral2    salinewin-safety/Release/salinewin-safety.exe       win10v2004-20240508-en
behavioral3    salinewin/PayloadMBR/Create.bat                     win7-20240215-en
behavioral4    salinewin/PayloadMBR/Create.bat                     win10v2004-20240426-en
behavioral5    salinewin/PayloadMBR/Programs/QEMU/SDL.dll          win7-20240419-en
behavioral6    salinewin/PayloadMBR/Programs/QEMU/SDL.dll          win10v2004-20240508-en
behavioral7    salinewin/PayloadMBR/Programs/QEMU/libcurl-4.dll    win7-20240221-en
behavioral8    salinewin/PayloadMBR/Programs/QEMU/libcurl-4.dll    win10v2004-20240508-en
behavioral9    salinewin/PayloadMBR/Programs/QEMU/qemu.exe         win7-20240508-en
behavioral10   salinewin/PayloadMBR/Programs/QEMU/qemu.exe         win10v2004-20240426-en
behavioral11   salinewin/PayloadMBR/Programs/compress.exe          win7-20240508-en
behavioral12   salinewin/PayloadMBR/Programs/compress.exe          win10v2004-20240426-en
behavioral13   salinewin/PayloadMBR/Programs/nasm.exe              win7-20240221-en
behavioral14   salinewin/PayloadMBR/Programs/nasm.exe              win10v2004-20240508-en
behavioral15   salinewin/PayloadMBR/Programs/png2bin.exe           win7-20240215-en
behavioral16   salinewin/PayloadMBR/Programs/png2bin.exe           win10v2004-20240226-en
behavioral17   salinewin/PayloadMBR/Programs/png2bin.py            win7-20240221-en
behavioral18   salinewin/PayloadMBR/Programs/png2bin.py            win10v2004-20240426-en
behavioral19   salinewin/Release/salinewin.exe                     win7-20240221-en
behavioral20   salinewin/Release/salinewin.exe                     win10v2004-20240508-en
General

Target:  salinewin/PayloadMBR/Programs/QEMU/libcurl-4.dll
Size:    295KB
MD5:     baae54b1157b4c9587cceb4680b13da5
SHA1:    939642b482d3e7697cec88d11aebc07bb076c2d1
SHA256:  cde6e2b58641afd108ae2606337a71775021127a6109d6d64eadb056ca4598b7
SHA512:  433f411f740bb2978a47776fa856874717531985ca3bfbf17cb2f6d1e106585132a7a90ef7b803a10f1293aaad63f2264ee8a8aea2806593d6944e189e0ff813
SSDEEP:  6144:wK0GMvBI/QtKUbp9pDKRCzKuGpHTBI9yAR17rRH:wKEvB7Ke9pDXgHTdm7dH
Malware Config
Signatures

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  4596   4552         WerFault.exe   83

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process        procid_target
  PID 4300 wrote to memory of 4552   4300   rundll32.exe   83
  PID 4300 wrote to memory of 4552   4300   rundll32.exe   83
  PID 4300 wrote to memory of 4552   4300   rundll32.exe   83
Processes

C:\Windows\system32\rundll32.exe (PID 4300)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\salinewin\PayloadMBR\Programs\QEMU\libcurl-4.dll,#1
  signatures:   Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 4552)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\salinewin\PayloadMBR\Programs\QEMU\libcurl-4.dll,#1

    C:\Windows\SysWOW64\WerFault.exe (PID 4596)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 620
      signatures:   Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 396)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4552 -ip 4552