d75990426cd4b97862d31c2553a6acf8825655be8a8961365105ac1c61c0708a

General

Target

SQLDorks.exe
Size

7.2MB
MD5

31c509a0b4f7afb71cf71d79fe919271
SHA1

f0936682d0a6719671be78b6c311851bfb1343cf
SHA256

52786577431ea2e6526843f0ca8815c910c0a57388b43abf6b52b6905181ff7a
SHA512

7cd663f3d602a298d7f66bb24c8be7f638bf9c911175b380ae847eea884f3f0bf8008a9eac7c8c36048c3ac208aa0a0ab3287e507b2ec1ec2717d69f606bb9d6

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

SQLDorks.exe

pid	process
3876	SQLDorks.exe
3876	SQLDorks.exe
3876	SQLDorks.exe
3876	SQLDorks.exe
3876	SQLDorks.exe
3876	SQLDorks.exe
3876	SQLDorks.exe
3876	SQLDorks.exe
3876	SQLDorks.exe
3876	SQLDorks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SQLDorks.exewerfault.exe

description pid process

Token: SeDebugPrivilege 3876 SQLDorks.exe
Token: SeRestorePrivilege 1040 werfault.exe
Token: SeBackupPrivilege 1040 werfault.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LogonUI.exe

pid process

3000 LogonUI.exe
3000 LogonUI.exe

description	pid	process
Token: SeDebugPrivilege	3876	SQLDorks.exe
Token: SeRestorePrivilege	1040	werfault.exe
Token: SeBackupPrivilege	1040	werfault.exe

pid	process
3000	LogonUI.exe
3000	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\SQLDorks.exe
"C:\Users\Admin\AppData\Local\Temp\SQLDorks.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\84ac93533ae647458b6e968bb0c4a0a0 /t 3872 /p 3876
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\8f9055e04cdc466ba5b75fa1945cbe31 /t 3872 /p 3876
1⤵
PID:1564

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\86e576a3a4194bb4aabee0a45aa2031a /t 3872 /p 3876
1⤵
PID:1968

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\cdb0655e9cb44541a5949b92fef75ef9 /t 3872 /p 3876
1⤵
PID:2568

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\c74b079a39064e6b857462abff0f19fe /t 3872 /p 3876
1⤵
PID:1596

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\18b12804b3cd45b38f5808f9434639d9 /t 3872 /p 3876
1⤵
PID:1776

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\db24dfe4819f4ef09d40d3eb8a3532ca /t 3872 /p 3876
1⤵
PID:3128

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\a5fa467e94a84083b95364f2bdaeb81a /t 3872 /p 3876
1⤵
PID:1096

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\55fa51d71dc548f2ba48ec69e41b1aac /t 3872 /p 3876
1⤵
PID:1236

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\4b86baf58dd44f8d866e438682e923df /t 3872 /p 3876
1⤵
PID:1132

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\75ea76a64e0446fc84981fe29e3ece5d /t 3872 /p 3876
1⤵
PID:2704

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\28f9a43344824389bb72c882db76baf1 /t 3872 /p 3876
1⤵
PID:3972

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\8ebef385afe34b558cbb051f77a286eb /t 3872 /p 3876
1⤵
PID:3948

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\c193194296b9473f8d6126997fc8fe83 /t 3872 /p 3876
1⤵
PID:2772

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\1520634ea7c34ac399655290b20d402f /t 3872 /p 3876
1⤵
PID:4032

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\843be4a8a3ca4f92ad3cbca98e97fb21 /t 3872 /p 3876
1⤵
PID:3484

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\14028c46b876448bb2c6a9e7910dbfcc /t 3872 /p 3876
1⤵
PID:3564

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\43639291690549bb8d2038f27d103d3a /t 3872 /p 3876
1⤵
PID:3544

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\e5d08567b69041388cdce911c6467417 /t 3872 /p 3876
1⤵
PID:3904

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad0855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3876-114-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3876-117-0x0000000010000000-0x00000000101C3000-memory.dmp

Filesize
1.8MB

Download
memory/3876-118-0x00000000728F0000-0x0000000072970000-memory.dmp

Filesize
512KB

Download
memory/3876-120-0x0000000000F90000-0x0000000000FB0000-memory.dmp

Filesize
128KB

Download
memory/3876-122-0x0000000001410000-0x0000000001412000-memory.dmp

Filesize
8KB

Download
memory/3876-124-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/3876-125-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3876-126-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/3876-127-0x0000000007020000-0x0000000007196000-memory.dmp

Filesize
1.5MB

Download
memory/3876-129-0x00000000071A0000-0x00000000071A2000-memory.dmp

Filesize
8KB

Download
memory/3876-130-0x0000000006650000-0x000000000667D000-memory.dmp

Filesize
180KB

Download
memory/3876-131-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/3876-132-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/3876-133-0x0000000000FB3000-0x0000000000FB5000-memory.dmp

Filesize
8KB

Download
memory/3876-134-0x0000000009270000-0x00000000092DE000-memory.dmp

Filesize
440KB

Download
memory/3876-135-0x0000000000FB5000-0x0000000000FB6000-memory.dmp

Filesize
4KB

Download
memory/3876-136-0x0000000008DA0000-0x0000000008E4A000-memory.dmp

Filesize
680KB

Download
memory/3876-138-0x0000000008E50000-0x0000000008E52000-memory.dmp

Filesize
8KB

Download
memory/3876-141-0x0000000008DD0000-0x0000000008DD1000-memory.dmp

Filesize
4KB

Download
memory/3876-142-0x0000000008F80000-0x0000000008F81000-memory.dmp

Filesize
4KB

Download
memory/3876-143-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/3876-144-0x0000000000FB6000-0x0000000000FB7000-memory.dmp

Filesize
4KB

Download
memory/3876-145-0x0000000000FB7000-0x0000000000FB8000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing