🔒 Security News Digest - 2026-03-22

📊 5 updates from 2 sources:

🔹 Security Boulevard: When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com – Part Three
https://securityboulevard.com/2026/03/when-data-mining-conti-leaks-leads-to-actual-binaries-and-to-a-hardcoded-c2-with-an-encryption-key-on-tripod-com-part-three/

🔹 Security Boulevard: A Compilation of BitCoin Wallet Addresses from the RAMP (Russian Anonymous Marketplace) Forum Members – A Compilation
https://securityboulevard.com/2026/03/a-compilation-of-bitcoin-wallet-addresses-from-the-ramp-russian-anonymous-marketplace-forum-members-a-compilation/

🔹 Security Boulevard: A Domains Portfolio Belonging to RAMP (Russian Anonymous Marketplace) Forum Members – A Compilation
https://securityboulevard.com/2026/03/a-domains-portfolio-belonging-to-ramp-russian-anonymous-marketplace-forum-members-a-compilation/

🔹 iTnews - Security: "CanisterWorm" supply chain malware attacks npm
https://www.itnews.com.au/news/canisterworm-supply-chain-malware-attacks-npm-624485?utm_source=feed&utm_medium=rss&utm_campaign=iTnews+Security+feed

🔹 iTnews - Security: US, Germany, Canada disrupt botnets
https://www.itnews.com.au/news/us-germany-canada-disrupt-botnets-624497?utm_source=feed&utm_medium=rss&utm_campaign=iTnews+Security+feed

#InfoSec #SecurityNews

When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com - Part Three

Dear blog readers, continuing the "When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com - Part Two" blog post series, in this post I'll continue analyzing the next malicious software binary, which I obtained by data mining the Conti Leaks with a lot of success.

The actual malicious software binary location URL and hashes:

URL: hxxp://shighil.com/dl2.exe
MD5: c2055b7fbaa041d9f68b9d5df9b45edd
SHA-1: e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA-256: 342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3

Here's the actual analysis.

Executive Summary

dl2.exe is a Windows x86_64 PE executable (849.5 KB) exhibiting characteristics consistent with malicious software. The binary demonstrates sophisticated capabilities including registry manipulation, dynamic API resolution, file system operations, and system information gathering. Analysis identified multiple high-risk behaviors typical of malware, particularly around persistence mechanisms and anti-analysis techniques.

Key Findings

Critical Capabilities (High Severity)

1. Registry Manipulation
Functions: sub_419118, sub_419228, sub_419198, sub_4192e8, sub_4193c4, sub_40da8c, sub_422ef4, sub_418ffc
APIs Used: RegOpenKeyA, RegSetValue, RegCreateKey, RegQueryValue
Registry Keys Accessed: Software\Microsoft\Windows\CurrentVersion RestrictRun and NoRun keys (policy restriction keys)
Risk: High - Can modify system configuration and establish persistence

2. Dynamic API Resolution
Function: sub_40b868 (0x40b868)
APIs Used: GetProcAddress, LoadLibrary, GetModuleHandle
Risk: High - Common evasion technique to bypass static analysis and API monitoring
Details: Dynamically resolves function addresses at runtime, making static detection more difficult

Medium Severity Capabilities

3. File System Operations
Functions: sub_423718, sub_4228a4, sub_423360, sub_41aeec
APIs Used: CreateFile, DeleteFile, MoveFile, CopyFile, FindFirstFile, FindNextFile, GetFileAttributes
Risk: Medium - Can manipulate files on the system

4. System Information Gathering
Functions: sub_4542b0, sub_40f0ac, sub_46df44, sub_46d3bc
APIs Used: GetVersionExA, GetSystemInfo, GetComputerName, GetUserName
Risk: Medium - Fingerprints the system, likely for profiling or anti-VM checks

5. Memory Manipulation
Functions: sub_4540e0, sub_453df0, sub_453d10, sub_453b50
APIs Used: VirtualAlloc, VirtualProtect, HeapAlloc, HeapFree
Risk: Medium - Can change memory protection flags, potentially indicating code injection or unpacking behavior

6. Mutex Creation
Function: sub_46be50 (0x46be50)
API Used: CreateMutex
Risk: Medium - Commonly used for single-instance enforcement in malware

Security Features (Informational)

7. Stack Protection Mechanisms
Stack Cookie Initialization (sub_45ca90 at 0x45ca90): Uses multiple entropy sources (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) to generate stack cookies
Stack Guard Pages (sub_4540e0 at 0x4540e0): Implements guard pages using VirtualQuery, VirtualAlloc, and VirtualProtect

Notable Observations

Entry Point: 0x4545a0 (_start)
Main Function: 0x46d9f4 (jumps to 0x46da1c)
Imported Libraries: ADVAPI32.dll, GDI32.dll, KERNEL32.dll, OLEAUT32.dll, SHELL32.dll, SHLWAPI.dll, USER32.dll, WINSPOOL.DRV, comdlg32.dll, ole32.dll, oledlg.dll
Total Functions Identified: 2,616
No Network APIs Detected: No direct socket, HTTP, or network communication APIs were found in the analyzed functions (analysis incomplete)
No Obvious Encryption Strings: No strings matching common encryption algorithm names were found

Malware Classification

Based on identified capabilities, this binary exhibits behaviors consistent with:
- System modification malware (registry manipulation, file operations)
- Information stealer (system information gathering)
- Potentially a dropper/loader (dynamic API resolution, memory manipulation)

Critical Malicious Capabilities Identified

1. Windows Policy Restriction Manipulation (HIGH SEVERITY)

The binary targets multiple Windows policy registry keys designed to restrict user actions.

Registry Keys Targeted:

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- NoRun - Prevents running programs via the Run dialog
- RestrictRun - Restricts which programs can execute
- NoDrives - Hides/restricts drive access
- NoNetConnectDisconnect - Prevents network connections/disconnections
- NoRecentDocsHistory - Disables recent documents
- NoClose - Prevents closing windows

Software\Microsoft\Windows\CurrentVersion\Policies\Network
- NoEntireNetwork - Restricts network browsing

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
- Common dialog restrictions

Functions Involved:
- sub_419228 (0x419228) - Writes DWORD registry values
- sub_4192e8 (0x4192e8) - Writes/deletes registry string values and keys
- sub_419198 (0x419198) - Reads registry integer values
- sub_4193c4 (0x4193c4) - Reads registry string values
- sub_419118 (0x419118) - Opens registry keys
- sub_40b0d4 (0x40b0d4) - Saves settings to the registry
- sub_432610 (0x432610) - Batch registry operations

2. Console Output Manipulation

sub_46be50 (0x46be50) - Opens the CONOUT$ device handle, likely for output redirection or hiding console output

3. Persistence & Configuration

The binary uses both registry and INI file storage for configuration, with the registry taking precedence. This dual-storage approach suggests:
- Fallback mechanisms for different environments
- Ability to persist settings across system changes

Summary of Malicious Findings

This binary is highly malicious with the following critical behaviors:

Primary Threat: System Restriction Malware

The binary manipulates Windows Group Policy registry keys to:
- Disable the Run dialog (NoRun)
- Restrict program execution (RestrictRun)
- Hide/disable drives (NoDrives)
- Prevent network operations (NoNetConnectDisconnect, NoEntireNetwork)
- Disable system features (NoClose, NoRecentDocsHistory)

This behavior is characteristic of ransomware preparation, system lockers, or destructive malware that prevents users from:
- Running recovery tools
- Accessing safe mode
- Using system utilities
- Connecting to networks for help

Additional Malicious Capabilities:
- Dynamic API resolution - Evades static analysis
- Dual persistence - Registry + INI file storage
- Console manipulation - Hides output/errors
- File system operations - Can modify/delete files
- Memory manipulation - Can inject code or unpack payloads
- System fingerprinting - Profiles victim environment
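The policy-restriction behavior above is the most actionable detection opportunity in the analysis: every one of the named values lives under a small set of well-known keys, so a registry value-set telemetry stream can be matched against them directly. The following is an added example, not code from the original post, showing one way to turn that list into a detector. It scans constructed, Sysmon-style registry events (the field names EventType, Image, TargetObject and Details, the process path and the SID are assumptions, and the sample events are fabricated for illustration), normalises away the hive prefix so HKCU, HKLM and HKU\<SID> paths compare equally, and reports a high-severity finding for the exact restriction values the post lists and a medium-severity one for any other write under those policy keys (the Comdlg32 key is listed without specific values, so every write beneath it is flagged).

```python
"""Flag registry writes to the Windows policy restriction keys named in the analysis.

Added example, not code from the original post. Sysmon-like field names and the
sample events below are constructed assumptions, not real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Policy keys the post names, with the restrictive value names under each.
# Comdlg32 is listed without specific values, so any write beneath it is flagged.
POLICY_KEYS = {
    r"software\microsoft\windows\currentversion\policies\explorer": {
        "norun", "restrictrun", "nodrives", "nonetconnectdisconnect",
        "norecentdocshistory", "noclose",
    },
    r"software\microsoft\windows\currentversion\policies\network": {"noentirenetwork"},
    r"software\microsoft\windows\currentversion\policies\comdlg32": set(),
}

# Strip the hive prefix (and a per-user SID under HKU) so all hives normalise alike.
_HIVE_RE = re.compile(r"^(hkey_[a-z_]+|hkcu|hklm|hku|hkcr)\\(s-1-5-[0-9-]+\\)?", re.I)


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    value_name: str
    severity: str
    reason: str


def normalise_key(target: str) -> tuple[str, str]:
    """Split a TargetObject path into (lowercase key without hive, value name)."""
    path = target.strip().strip("\\").lower()
    path = _HIVE_RE.sub("", path)
    key, _, value_name = path.rpartition("\\")
    return key, value_name


def classify_registry_write(event: dict) -> Finding | None:
    """Return a Finding when a registry value-set event touches a policy key."""
    if event.get("EventType", "").lower() != "setvalue":
        return None
    key, value_name = normalise_key(event.get("TargetObject", ""))
    restricted_values = POLICY_KEYS.get(key)
    if restricted_values is None:
        return None
    process = event.get("Image", "?")
    if value_name in restricted_values:
        # Exactly the restriction set the post describes: treat as high severity.
        return Finding(process, key, value_name, "high", "restrictive policy value written")
    # Any other value under a policy key still merits review.
    return Finding(process, key, value_name, "medium", "write under a policy restriction key")


def scan_events(events: list[dict]) -> list[Finding]:
    """Run the classifier over a batch of events and keep only the hits."""
    return [f for ev in events if (f := classify_registry_write(ev)) is not None]


# Constructed sample events (not real telemetry); the process path and SID are placeholders.
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\Users\victim\Downloads\dl2.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",
     "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue", "Image": r"C:\Users\victim\Downloads\dl2.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoEntireNetwork",
     "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue", "Image": r"C:\Users\victim\Downloads\dl2.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32\NoFileMru",
     "Details": "DWORD (0x00000001)"},
    # Benign Explorer preference outside the policy tree: must not fire.
    {"EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    # Deletion is not a value-set event, so this detector ignores it.
    {"EventType": "DeleteValue", "Image": r"C:\Users\victim\Downloads\dl2.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper()}] {finding.process}: "
              f"{finding.key}\\{finding.value_name} ({finding.reason})")
```

The detector deliberately keys on the normalised path rather than on substring matches, so a legitimate Explorer preference such as the Advanced\Hidden write above does not fire; in production the same table can be fed from the post's list of values and extended with the writing process's reputation (signed Group Policy tooling versus an unsigned binary in a Downloads folder) to rank the findings.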

Security Boulevard