![]() Part of the decrypted WINELOADER core module is shown in Figure 5 below.įigure 5: Data structure containing relevant configuration, RC4 key, encrypted strings, and the module. This is shown in the screenshot below.įigure 4: Code section that decrypts and executes the WINELOADER core module.Įach module consists of configuration data (e.g., C2 polling interval), an RC4 key, and encrypted strings, followed by the module code. This function decrypts the embedded WINELOADER core module within the DLL using a hardcoded 256-byte RC4 key before executing it. The exported function set_se_translator is then executed. When executing sqlwriter.exe, it loads a malicious DLL named vcruntime140.dll from the same directory using DLL side-loading. ![]() Executes sqlwriter.exe from the path: C:\Windows\Tasks\ which will kick start the infection chain.This implies that the threat actor in this case put in extra effort to identify a signed Microsoft executable vulnerable to DLL side-loading. Per our research, sqlwriter.exe has never been abused in-the-wild by any threat actor for DLL side-loading (at least to the best of our knowledge). Here, sqlwriter.exe is the legitimate binary signed by Microsoft and vcruntime140.dll is the malicious DLL crafted by the attacker which will be side-loaded automatically when sqlwriter.exe is executed. The ZIP archive contains two files named sqlwriter.exe and vcruntime140.dll. The command used is: tar -xf C:\Windows\Tasks\text.zip -C C:\Windows\Tasks\. Extracts the contents of the ZIP archive to the path: C:\Windows\Tasks\.The command used is: certutil -decode C:\Windows\Tasks\text.txt C:\Windows\\Tasks\text.zip Uses certutil.exe to Base64 decode the text file and write the result to a ZIP archive with the path: C:\Windows\Tasks\text.zip.Saves the text file to the path: C:\Windows\Tasks\text.txt. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |