766cacfa16cd2ea48e391b116c2c16e37dbf402e9930b592f145a7c9dd51f54d

Analysis

max time kernel
142s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2023, 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SqlRun06.msi
Size

1.8MB
MD5

538f13cd27f16f4e000ba01ea8f5befe
SHA1

b94bdd243b44ee57c7fb8e7d8d18f476f18713ae
SHA256

766cacfa16cd2ea48e391b116c2c16e37dbf402e9930b592f145a7c9dd51f54d
SHA512

60e3ee10b70f2898d1d22b9be5abf931ddfcaf5f178d823e59afc1267b140ffb5d6346517acaa77ffb20af96165eaca1dac41f77f41677349826bc149ce114d2
SSDEEP

24576:rKxlhvoCYzOnrt18J/OCwCuO22PhyxqVfisrw+Jl1tuWEJ+x4:rKxPBou01fiyWJ+u

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
4192	MsiExec.exe
4192	MsiExec.exe
4192	MsiExec.exe
4192	MsiExec.exe
4192	MsiExec.exe
4192	MsiExec.exe
4192	MsiExec.exe
4192	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e58433e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58433e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43BB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI466B.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007ec2211f72b7cbde0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007ec2211f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff0000000007000100006809007ec2211f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff0000000007000100006809197ec2211f000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007ec2211f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2804	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2804	msiexec.exe
Token: SeSecurityPrivilege	3448	msiexec.exe
Token: SeCreateTokenPrivilege	2804	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2804	msiexec.exe
Token: SeLockMemoryPrivilege	2804	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2804	msiexec.exe
Token: SeMachineAccountPrivilege	2804	msiexec.exe
Token: SeTcbPrivilege	2804	msiexec.exe
Token: SeSecurityPrivilege	2804	msiexec.exe
Token: SeTakeOwnershipPrivilege	2804	msiexec.exe
Token: SeLoadDriverPrivilege	2804	msiexec.exe
Token: SeSystemProfilePrivilege	2804	msiexec.exe
Token: SeSystemtimePrivilege	2804	msiexec.exe
Token: SeProfSingleProcessPrivilege	2804	msiexec.exe
Token: SeIncBasePriorityPrivilege	2804	msiexec.exe
Token: SeCreatePagefilePrivilege	2804	msiexec.exe
Token: SeCreatePermanentPrivilege	2804	msiexec.exe
Token: SeBackupPrivilege	2804	msiexec.exe
Token: SeRestorePrivilege	2804	msiexec.exe
Token: SeShutdownPrivilege	2804	msiexec.exe
Token: SeDebugPrivilege	2804	msiexec.exe
Token: SeAuditPrivilege	2804	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2804	msiexec.exe
Token: SeChangeNotifyPrivilege	2804	msiexec.exe
Token: SeRemoteShutdownPrivilege	2804	msiexec.exe
Token: SeUndockPrivilege	2804	msiexec.exe
Token: SeSyncAgentPrivilege	2804	msiexec.exe
Token: SeEnableDelegationPrivilege	2804	msiexec.exe
Token: SeManageVolumePrivilege	2804	msiexec.exe
Token: SeImpersonatePrivilege	2804	msiexec.exe
Token: SeCreateGlobalPrivilege	2804	msiexec.exe
Token: SeBackupPrivilege	1048	vssvc.exe
Token: SeRestorePrivilege	1048	vssvc.exe
Token: SeAuditPrivilege	1048	vssvc.exe
Token: SeBackupPrivilege	3448	msiexec.exe
Token: SeRestorePrivilege	3448	msiexec.exe
Token: SeRestorePrivilege	3448	msiexec.exe
Token: SeTakeOwnershipPrivilege	3448	msiexec.exe
Token: SeRestorePrivilege	3448	msiexec.exe
Token: SeTakeOwnershipPrivilege	3448	msiexec.exe
Token: SeRestorePrivilege	3448	msiexec.exe
Token: SeTakeOwnershipPrivilege	3448	msiexec.exe
Token: SeBackupPrivilege	1192	srtasks.exe
Token: SeRestorePrivilege	1192	srtasks.exe
Token: SeSecurityPrivilege	1192	srtasks.exe
Token: SeTakeOwnershipPrivilege	1192	srtasks.exe
Token: SeBackupPrivilege	1192	srtasks.exe
Token: SeRestorePrivilege	1192	srtasks.exe
Token: SeSecurityPrivilege	1192	srtasks.exe
Token: SeTakeOwnershipPrivilege	1192	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2804	msiexec.exe
2804	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 1192	3448	msiexec.exe	98
PID 3448 wrote to memory of 1192	3448	msiexec.exe	98
PID 3448 wrote to memory of 4192	3448	msiexec.exe	100
PID 3448 wrote to memory of 4192	3448	msiexec.exe	100
PID 3448 wrote to memory of 4192	3448	msiexec.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SqlRun06.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2804

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 006162593600943DDC817A9602495E28
  2⤵
  - Loads dropped DLL
  PID:4192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{7E5C338B-E77E-4CB4-9C1D-FB67B56B3B19}\sqdedev.dll

Filesize
124KB

MD5
16226887414a379024932877db50ba2d

SHA1
6435e88e933d07c3ebd24159b53e57f7608638a2

SHA256
235bb073e69dc4e375e464504bd9266c8bc10a201bca6da06ce045b7d8fefb21

SHA512
91b97aad7f38b8e8573d734cd50870c2fe1def75cf9abc03ce89e8e3743078dcf7d81ac498bd800db0449afa28c36563c4d678ce81bec2ed48b4563f0c6f02fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7E5C338B-E77E-4CB4-9C1D-FB67B56B3B19}\sqlcax.dll

Filesize
336KB

MD5
b72d924d3efa6f3c1f1cfb0d9327925a

SHA1
9bd9074706ffed93c3f4a0354ec74014729cc9c8

SHA256
df98b25c3bdc823db62d44062eac7aca7b2888bf8c625b7b5381e713c543a5ce

SHA512
6fe3aca4629c3c41e6ea0dc08682b59142b674b2253c2fbf724dce51fcdb3de32eeb505979b3fa52e6f4d4045c477775710124c84835aa93d7207e4951414af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7E5C338B-E77E-4CB4-9C1D-FB67B56B3B19}\sqlcax.dll

Filesize
336KB

MD5
b72d924d3efa6f3c1f1cfb0d9327925a

SHA1
9bd9074706ffed93c3f4a0354ec74014729cc9c8

SHA256
df98b25c3bdc823db62d44062eac7aca7b2888bf8c625b7b5381e713c543a5ce

SHA512
6fe3aca4629c3c41e6ea0dc08682b59142b674b2253c2fbf724dce51fcdb3de32eeb505979b3fa52e6f4d4045c477775710124c84835aa93d7207e4951414af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7E5C338B-E77E-4CB4-9C1D-FB67B56B3B19}\sqlresld.dll

Filesize
28KB

MD5
c9a6e4189a24ee551584dfdc0e29ad39

SHA1
098cfde73cba13b585bb4b80cc1e813e3240f390

SHA256
9cc6138033fcab0ebb9ffcbb0abf068cfab66c0feb1b1c2645b1c0130e66d838

SHA512
1abc5adcaaa7b5972c1a39a14f1b1ece9e0d70fee2d959cf964607d35c598a18ada4998244ac16d1143b4dd295259f1c20110c6713ce92deeb0a0dfbf020637e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7E5C338B-E77E-4CB4-9C1D-FB67B56B3B19}\sqlstp.dll

Filesize
68KB

MD5
ca7ea952eef3015208a1a480c30f2dbb

SHA1
2136bd1faedd5144fe535cad912f70084b61832c

SHA256
2070bab06795b45e79e88c5fdd471793456a8e8309a6003b03397145e51015c9

SHA512
4e1421aba969e23ad72bbf5b09ca6b25fa8eec18a6a8e5cb818c10cb595f8b0a07962054a2e70b23b4569ebceb6f07974b27a728785438b2bf09bd638d928634

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7E5C338B-E77E-4CB4-9C1D-FB67B56B3B19}\sqlsut.dll

Filesize
244KB

MD5
aaa1a70de4327050efb3a0f8c0805f87

SHA1
5c57730c83531d70ce40d60dd8faaee18dd200ca

SHA256
25db8e0c42b6c737225b182b4516d4bbdb6ae94b5b16c34fd453cc7371083f21

SHA512
66c2fef161ec95857d94c6cc554c2633333c170c9e089a0b3e3f119b0dcb9c199539229385dfc64a31a5bbfc271c5f21eef5155fc7cb639a1237c59aac701ed8

Download Submit
C:\Windows\Installer\MSI43BB.tmp

Filesize
172KB

MD5
12acbc2f093e080cd120210e1394ffd7

SHA1
5ec746485e53d59f2f30c458330efba7e919a1a5

SHA256
6b952555ef2e54ad24de7f58f0c213b8b98a59fbae98b132d8ecb57631ebe2a3

SHA512
e13e3a72c672fe33ddd08e248db77e5c816c9fc26b35699289df14b39fb6307b40757c3c7b9ea48a2d536e17e6e85052d57c3a62d5c22f4d65b2ef4f593108d9

Download Submit
C:\Windows\Installer\MSI43BB.tmp

Filesize
172KB

MD5
12acbc2f093e080cd120210e1394ffd7

SHA1
5ec746485e53d59f2f30c458330efba7e919a1a5

SHA256
6b952555ef2e54ad24de7f58f0c213b8b98a59fbae98b132d8ecb57631ebe2a3

SHA512
e13e3a72c672fe33ddd08e248db77e5c816c9fc26b35699289df14b39fb6307b40757c3c7b9ea48a2d536e17e6e85052d57c3a62d5c22f4d65b2ef4f593108d9

Download Submit
C:\Windows\Installer\MSI466B.tmp

Filesize
172KB

MD5
12acbc2f093e080cd120210e1394ffd7

SHA1
5ec746485e53d59f2f30c458330efba7e919a1a5

SHA256
6b952555ef2e54ad24de7f58f0c213b8b98a59fbae98b132d8ecb57631ebe2a3

SHA512
e13e3a72c672fe33ddd08e248db77e5c816c9fc26b35699289df14b39fb6307b40757c3c7b9ea48a2d536e17e6e85052d57c3a62d5c22f4d65b2ef4f593108d9

Download Submit
C:\Windows\Installer\MSI466B.tmp

Filesize
172KB

MD5
12acbc2f093e080cd120210e1394ffd7

SHA1
5ec746485e53d59f2f30c458330efba7e919a1a5

SHA256
6b952555ef2e54ad24de7f58f0c213b8b98a59fbae98b132d8ecb57631ebe2a3

SHA512
e13e3a72c672fe33ddd08e248db77e5c816c9fc26b35699289df14b39fb6307b40757c3c7b9ea48a2d536e17e6e85052d57c3a62d5c22f4d65b2ef4f593108d9

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
1247624db90798cf3aa9d30b01717e94

SHA1
3845f91e17d4fd4eae94081e79153733a67f2ef9

SHA256
14a9fc4f0f02b11a1abe7cd7a829125976b9bde5696853f416844570432faeae

SHA512
b8098afd6bb228ca498f38017a92370c64392520884dfe60f2236d9bee17a9c9d8e3cab6d1aa3cb1d0e7fe1e04fcbf6104311a796cca1f6587fcb6285dc4e671

Download Submit
\??\Volume{1f21c27e-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f1a63a69-822f-4f78-a66a-a21ebdfd9bb7}_OnDiskSnapshotProp

Filesize
5KB

MD5
57f6ce4370797b15ef96bf74776d2b60

SHA1
7f31b059d3ba6c4b4afbef1b52ab260da33e32f6

SHA256
7eca7c2fac443c1be8dbe4095810726e3b31d61ed8fae9695300009caa6132ef

SHA512
08edfd1802869de161443277530948ada2d5a9d0144eeedb3a4327aaf84a917bd6a8eae14f1a4dfee95a6217f9527d334fef9ec8b7977072588e1507e98c15f6

Download Submit
memory/4192-160-0x00000000033E0000-0x0000000003436000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads