Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-12-2024 14:56

General

  • Target

    Slinky/Loader.exe

  • Size

    18.4MB

  • MD5

    2fdc48889ea411ba067e41cf0e8cfcbe

  • SHA1

    6071e1684213eda46735d54a1d440e60f7946617

  • SHA256

    b90885a042482dc4184a4dad64c06da3dc1f866e182ccb04baeaa33d6efda0d4

  • SHA512

    121be2937214b34fb3531ab010ea0294c5dd485c2ba304bc17a5c3f17e2d64e80485adb1c2d1bc122330ffd0d30ad0fb7dd7859dc8bdbca28f0a79354839d154

  • SSDEEP

    393216:zSgEaQOUsxWQ3mzFxORTzATDZRSbqoOjV65y3hd7pvk11DMTW2wOprJfn:zxERxsxOF4zATDKbq/j6sdlvo+vZn

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 3 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (4 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (26 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Slinky\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Slinky\Loader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        3⤵
        • Modifies WinLogon for persistence
        PID:1384
      • C:\Windows\INF\bcmdhd32.exe
        "C:\Windows\INF\bcmdhd32.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:112
        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1692
        • C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
          "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
          4⤵
          • Executes dropped EXE
          PID:1600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe

    Filesize

    18.4MB

    MD5

    a2223005e6d186689577e5a2b785a16b

    SHA1

    1075e177247880d3e1ec940623500bf2e9b275e3

    SHA256

    cef5b60321f17991400a19072052535638c0a5c02d338234686552deadeea82e

    SHA512

    073f8e682d2468bfe7d55b82cf0ff5dafd2754da2813de2116551e2811809debba7f06c5d8ed5901a59703bfb306fd5fd05d9d1e797bf9e7887826709c6993c6

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe

    Filesize

    18.5MB

    MD5

    22fe3206f3c1827d4a77f79401ab533b

    SHA1

    47ce070a7ec1460ce4677e1803fc8b51b48930b6

    SHA256

    690195c4c5bd794cfdb3c2a5ad154da5a4542b45c0a35832cfddeec6c0d08726

    SHA512

    8f2a503443142d6fb36aac7c834c75eb31d41bb95e451d3df0269adca181135d0ade184e5a2feefc8de801dd3062e8c8b7e8cfd377a0fb155c24a695d0eb5f17

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe

    Filesize

    18.4MB

    MD5

    8fee9a77381cf09891f5777fa0cc5447

    SHA1

    1c6f8fbc8159e4be70265bbdc8fdb4f7ae741ce0

    SHA256

    d47bca12fc4c61c80c2d6419c538fc37c080a80eacb3a7f3382d6b2d14daf728

    SHA512

    7c13e04bbde9be5c1ef03a0bb158e85bbafbfec8fa77ee93f175b8cf2fce552d8e55f4bb53eb13aaec02c7ddc2258be8c49a2af6df63352ae9d3223c18265c3d

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe

    Filesize

    18.4MB

    MD5

    47c43138acd704a2d43589d7b8315ba6

    SHA1

    2349ed9b8b587ba5f0888ffec0b0e73e5f4ddbe0

    SHA256

    b7934fb8b47e087b6fd98a6194f0aaa8088b57d38a85b4a2a7c828fb6b5cc540

    SHA512

    94d0172ce35e13b2a5a492aaff01ca6f35c6e9be26d0dbb63b1f0f000f026e891dea937dfb4d378196f168417f780f316d91a3f2bf2458f543994eb57eae8653

  • C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe

    Filesize

    225KB

    MD5

    3ba78c0e6cf82ee41740c3951f233cb8

    SHA1

    e8da222b1c129ffcd6c5f6db04d2d700fb397bc1

    SHA256

    190c5e452ca637149fcd5b7a734cf3a5fb9b9fd220882edd565ee82c1819033d

    SHA512

    499fc902820231fdc4868113edfd2cf6c990ba48bb63ce37cd4cd7637f4106160f5757313b752143440a7f7f977e7d93c04f589a7c754db50427f1c9ccb56926

  • C:\Windows\INF\bcmdhd32.exe

    Filesize

    18.2MB

    MD5

    55e31f0ecd07c9b49d87bc11d642b088

    SHA1

    5a6d4123c271b76912580519dca43a41473fe716

    SHA256

    6882be40bd3c7db87dbbfa10afb7e0a754643250ccf797864566e00854907194

    SHA512

    d6fb730e0eae52a118f77cbe8c9df211cc30425b350ff6eaca1715c6a0827dda9de6fe582f4012315883a076f028f4a6ba0478b54b09b630bffdbe38c8edcc2c

  • C:\Windows\INF\helper.vbs

    Filesize

    197B

    MD5

    090c330a578a62382c49c247025f2f61

    SHA1

    83888f584ff0009622a133a5cc6ed7a5c7488fe5

    SHA256

    83f1480dd41f6b904dfc13a5f8bf184350f52cea41ae8e6c5eb122969337ee88

    SHA512

    01cb318276882e1c6f0ea672ecd7c4986eda0f7ff059606ca6f34e0a2dd38e1ed685fa5aafe7790e309ee3b4836179e01c6ddfa58b795866b733e40f0f70cb31

  • memory/1600-45-0x0000000000A70000-0x0000000000AAE000-memory.dmp

    Filesize

    248KB