When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com - Part Three

Dear blog readers,

 Continuing the "When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com - Part Two" blog post series in this post I'll continue analyzing the next malicious software binary which I obtained by data mining Conti Leaks with a lot of success. 

The actual malicious software binary location URL:

hxxp://shighil.com/dl2.exe

MD5: c2055b7fbaa041d9f68b9d5df9b45edd
SHA-1: e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA-256: 342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3

Here's the actual analysis.

Executive Summary

dl2.exe is a Windows x86_64 PE executable (849.5 KB) exhibiting characteristics consistent with malicious software. The binary demonstrates sophisticated capabilities including registry manipulation, dynamic API resolution, file system operations, and system information gathering. Analysis identified multiple high-risk behaviors typical of malware, particularly around persistence mechanisms and anti-analysis techniques.

Key Findings

Critical Capabilities (High Severity)

1. Registry Manipulation

• Functions: sub_419118, sub_419228, sub_419198, sub_4192e8, sub_4193c4, sub_40da8c, sub_422ef4, sub_418ffc
• APIs Used: RegOpenKeyA, RegSetValue, RegCreateKey, RegQueryValue
• Registry Keys Accessed:
  • Software\Microsoft\Windows\CurrentVersion
  • RestrictRun and NoRun keys (policy restriction keys)
• Risk: High - Can modify system configuration and establish persistence

2. Dynamic API Resolution

• Function: sub_40b868 (0x40b868)
• APIs Used: GetProcAddress, LoadLibrary, GetModuleHandle
• Risk: High - Common evasion technique to bypass static analysis and API monitoring
• Details: Dynamically resolves function addresses at runtime, making static detection more difficult

Medium Severity Capabilities

3. File System Operations

• Functions: sub_423718, sub_4228a4, sub_423360, sub_41aeec
• APIs Used: CreateFile, DeleteFile, MoveFile, CopyFile, FindFirstFile, FindNextFile, GetFileAttributes
• Risk: Medium - Can manipulate files on the system

4. System Information Gathering

• Functions: sub_4542b0, sub_40f0ac, sub_46df44, sub_46d3bc
• APIs Used: GetVersionExA, GetSystemInfo, GetComputerName, GetUserName
• Risk: Medium - Fingerprints the system, likely for profiling or anti-VM checks

5. Memory Manipulation

• Functions: sub_4540e0, sub_453df0, sub_453d10, sub_453b50
• APIs Used: VirtualAlloc, VirtualProtect, HeapAlloc, HeapFree
• Risk: Medium - Can change memory protection flags, potentially indicating code injection or unpacking behavior

6. Mutex Creation

• Function: sub_46be50 (0x46be50)
• API Used: CreateMutex
• Risk: Medium - Commonly used for single-instance enforcement in malware

Security Features (Informational)

7. Stack Protection Mechanisms

• Stack Cookie Initialization (sub_45ca90 at 0x45ca90): Uses multiple entropy sources (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) to generate stack cookies
• Stack Guard Pages (sub_4540e0 at 0x4540e0): Implements guard pages using VirtualQuery, VirtualAlloc, and VirtualProtect

Notable Observations

• Entry Point: 0x4545a0 (_start)
• Main Function: 0x46d9f4 (jumps to 0x46da1c)
• Imported Libraries: ADVAPI32.dll, GDI32.dll, KERNEL32.dll, OLEAUT32.dll, SHELL32.dll, SHLWAPI.dll, USER32.dll, WINSPOOL.DRV, comdlg32.dll, ole32.dll, oledlg.dll
• Total Functions Identified: 2,616
• No Network APIs Detected: No direct socket, HTTP, or network communication APIs were found in the analyzed functions (analysis incomplete)
• No Obvious Encryption Strings: No strings matching common encryption algorithm names were found

Malware Classification

Based on identified capabilities, this binary exhibits behaviors consistent with:

• System modification malware (registry manipulation, file operations)
• Information stealer (system information gathering)
• Potentially a dropper/loader (dynamic API resolution, memory manipulation)

Critical Malicious Capabilities Identified

1. Windows Policy Restriction Manipulation (HIGH SEVERITY)

The binary targets multiple Windows policy registry keys designed to restrict user actions:

Registry Keys Targeted:

• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • NoRun - Prevents running programs via Run dialog
  • RestrictRun - Restricts which programs can execute
  • NoDrives - Hides/restricts drive access
  • NoNetConnectDisconnect - Prevents network connections/disconnections
  • NoRecentDocsHistory - Disables recent documents
  • NoClose - Prevents closing windows
• Software\Microsoft\Windows\CurrentVersion\Policies\Network
  • NoEntireNetwork - Restricts network browsing
• Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
  • Common dialog restrictions

Functions Involved:

• sub_419228 (0x419228) - Writes DWORD registry values
• sub_4192e8 (0x4192e8) - Writes/deletes registry string values and keys
• sub_419198 (0x419198) - Reads registry integer values
• sub_4193c4 (0x4193c4) - Reads registry string values
• sub_419118 (0x419118) - Opens registry keys
• sub_40b0d4 (0x40b0d4) - Saves settings to registry
• sub_432610 (0x432610) - Batch registry operations

2. Console Output Manipulation

• sub_46be50 (0x46be50) - Opens CONOUT$ device handle, likely for output redirection or hiding console output

3. Persistence & Configuration

The binary uses both registry and INI file storage for configuration, with registry taking precedence. This dual-storage approach suggests:

• Fallback mechanisms for different environments
• Ability to persist settings across system changes

Summary of Malicious Findings

This binary is highly malicious with the following critical behaviors:

Primary Threat: System Restriction Malware

The binary manipulates Windows Group Policy registry keys to:

• Disable the Run dialog (NoRun)
• Restrict program execution (RestrictRun)
• Hide/disable drives (NoDrives)
• Prevent network operations (NoNetConnectDisconnect, NoEntireNetwork)
• Disable system features (NoClose, NoRecentDocsHistory)

This behavior is characteristic of ransomware preparation, system lockers, or destructive malware that prevents users from:

• Running recovery tools
• Accessing safe mode
• Using system utilities
• Connecting to networks for help

Additional Malicious Capabilities:

1. Dynamic API resolution - Evades static analysis
2. Dual persistence - Registry + INI file storage
3. Console manipulation - Hides output/errors
4. File system operations - Can modify/delete files
5. Memory manipulation - Can inject code or unpack payloads
6. System fingerprinting - Profiles victim environment