72093d7d7fb58fd11f979b2d1da771fc925b96e464811bf4e48ad164d30d5988

Analysis

max time kernel
141s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2023 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SqlRun15.msi
Size

1.8MB
MD5

54c08ed0a44da461eea0234478e20eaa
SHA1

a41b781e0d8f2e1e55e4b1911574ab3062ff8240
SHA256

72093d7d7fb58fd11f979b2d1da771fc925b96e464811bf4e48ad164d30d5988
SHA512

9311ba50e763641ce951f4f74c0a06cc0140228fb0fa7d4c672c85f32712b3ec67495dd122e6acfc83ad0448f50321b986ce336f8b1a22e15e8b51c9fe1f1989
SSDEEP

24576:MKxlhvKCYzOnrt18J/OCwCuO22PhyxqVfisrw+Jl1tuWEJ+xz:MKxProu01fiyWJ+p

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe
4804	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI41A9.tmp	msiexec.exe
File created	C:\Windows\Installer\e583e6b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e583e6b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F46.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b893ca0f38e622ee0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b893ca0f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff000000000700010000680900b893ca0f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff000000000700010000680919b893ca0f000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b893ca0f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3664	msiexec.exe
Token: SeSecurityPrivilege	4516	msiexec.exe
Token: SeCreateTokenPrivilege	3664	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3664	msiexec.exe
Token: SeLockMemoryPrivilege	3664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3664	msiexec.exe
Token: SeMachineAccountPrivilege	3664	msiexec.exe
Token: SeTcbPrivilege	3664	msiexec.exe
Token: SeSecurityPrivilege	3664	msiexec.exe
Token: SeTakeOwnershipPrivilege	3664	msiexec.exe
Token: SeLoadDriverPrivilege	3664	msiexec.exe
Token: SeSystemProfilePrivilege	3664	msiexec.exe
Token: SeSystemtimePrivilege	3664	msiexec.exe
Token: SeProfSingleProcessPrivilege	3664	msiexec.exe
Token: SeIncBasePriorityPrivilege	3664	msiexec.exe
Token: SeCreatePagefilePrivilege	3664	msiexec.exe
Token: SeCreatePermanentPrivilege	3664	msiexec.exe
Token: SeBackupPrivilege	3664	msiexec.exe
Token: SeRestorePrivilege	3664	msiexec.exe
Token: SeShutdownPrivilege	3664	msiexec.exe
Token: SeDebugPrivilege	3664	msiexec.exe
Token: SeAuditPrivilege	3664	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3664	msiexec.exe
Token: SeChangeNotifyPrivilege	3664	msiexec.exe
Token: SeRemoteShutdownPrivilege	3664	msiexec.exe
Token: SeUndockPrivilege	3664	msiexec.exe
Token: SeSyncAgentPrivilege	3664	msiexec.exe
Token: SeEnableDelegationPrivilege	3664	msiexec.exe
Token: SeManageVolumePrivilege	3664	msiexec.exe
Token: SeImpersonatePrivilege	3664	msiexec.exe
Token: SeCreateGlobalPrivilege	3664	msiexec.exe
Token: SeBackupPrivilege	4972	vssvc.exe
Token: SeRestorePrivilege	4972	vssvc.exe
Token: SeAuditPrivilege	4972	vssvc.exe
Token: SeBackupPrivilege	4516	msiexec.exe
Token: SeRestorePrivilege	4516	msiexec.exe
Token: SeRestorePrivilege	4516	msiexec.exe
Token: SeTakeOwnershipPrivilege	4516	msiexec.exe
Token: SeRestorePrivilege	4516	msiexec.exe
Token: SeTakeOwnershipPrivilege	4516	msiexec.exe
Token: SeRestorePrivilege	4516	msiexec.exe
Token: SeTakeOwnershipPrivilege	4516	msiexec.exe
Token: SeBackupPrivilege	2180	srtasks.exe
Token: SeRestorePrivilege	2180	srtasks.exe
Token: SeSecurityPrivilege	2180	srtasks.exe
Token: SeTakeOwnershipPrivilege	2180	srtasks.exe
Token: SeBackupPrivilege	2180	srtasks.exe
Token: SeRestorePrivilege	2180	srtasks.exe
Token: SeSecurityPrivilege	2180	srtasks.exe
Token: SeTakeOwnershipPrivilege	2180	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3664	msiexec.exe
3664	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 2180	4516	msiexec.exe	99
PID 4516 wrote to memory of 2180	4516	msiexec.exe	99
PID 4516 wrote to memory of 4804	4516	msiexec.exe	101
PID 4516 wrote to memory of 4804	4516	msiexec.exe	101
PID 4516 wrote to memory of 4804	4516	msiexec.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SqlRun15.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3664

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 45FA8CFB1C8C5A5F0C57A2CBC443750B
  2⤵
  - Loads dropped DLL
  PID:4804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{B7300824-E68F-45F1-BAC1-5F15636C346F}\sqdedev.dll

Filesize
124KB

MD5
16226887414a379024932877db50ba2d

SHA1
6435e88e933d07c3ebd24159b53e57f7608638a2

SHA256
235bb073e69dc4e375e464504bd9266c8bc10a201bca6da06ce045b7d8fefb21

SHA512
91b97aad7f38b8e8573d734cd50870c2fe1def75cf9abc03ce89e8e3743078dcf7d81ac498bd800db0449afa28c36563c4d678ce81bec2ed48b4563f0c6f02fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B7300824-E68F-45F1-BAC1-5F15636C346F}\sqlcax.dll

Filesize
336KB

MD5
b72d924d3efa6f3c1f1cfb0d9327925a

SHA1
9bd9074706ffed93c3f4a0354ec74014729cc9c8

SHA256
df98b25c3bdc823db62d44062eac7aca7b2888bf8c625b7b5381e713c543a5ce

SHA512
6fe3aca4629c3c41e6ea0dc08682b59142b674b2253c2fbf724dce51fcdb3de32eeb505979b3fa52e6f4d4045c477775710124c84835aa93d7207e4951414af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B7300824-E68F-45F1-BAC1-5F15636C346F}\sqlcax.dll

Filesize
336KB

MD5
b72d924d3efa6f3c1f1cfb0d9327925a

SHA1
9bd9074706ffed93c3f4a0354ec74014729cc9c8

SHA256
df98b25c3bdc823db62d44062eac7aca7b2888bf8c625b7b5381e713c543a5ce

SHA512
6fe3aca4629c3c41e6ea0dc08682b59142b674b2253c2fbf724dce51fcdb3de32eeb505979b3fa52e6f4d4045c477775710124c84835aa93d7207e4951414af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B7300824-E68F-45F1-BAC1-5F15636C346F}\sqlresld.dll

Filesize
28KB

MD5
c9a6e4189a24ee551584dfdc0e29ad39

SHA1
098cfde73cba13b585bb4b80cc1e813e3240f390

SHA256
9cc6138033fcab0ebb9ffcbb0abf068cfab66c0feb1b1c2645b1c0130e66d838

SHA512
1abc5adcaaa7b5972c1a39a14f1b1ece9e0d70fee2d959cf964607d35c598a18ada4998244ac16d1143b4dd295259f1c20110c6713ce92deeb0a0dfbf020637e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B7300824-E68F-45F1-BAC1-5F15636C346F}\sqlstp.dll

Filesize
68KB

MD5
ca7ea952eef3015208a1a480c30f2dbb

SHA1
2136bd1faedd5144fe535cad912f70084b61832c

SHA256
2070bab06795b45e79e88c5fdd471793456a8e8309a6003b03397145e51015c9

SHA512
4e1421aba969e23ad72bbf5b09ca6b25fa8eec18a6a8e5cb818c10cb595f8b0a07962054a2e70b23b4569ebceb6f07974b27a728785438b2bf09bd638d928634

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B7300824-E68F-45F1-BAC1-5F15636C346F}\sqlsut.dll

Filesize
244KB

MD5
aaa1a70de4327050efb3a0f8c0805f87

SHA1
5c57730c83531d70ce40d60dd8faaee18dd200ca

SHA256
25db8e0c42b6c737225b182b4516d4bbdb6ae94b5b16c34fd453cc7371083f21

SHA512
66c2fef161ec95857d94c6cc554c2633333c170c9e089a0b3e3f119b0dcb9c199539229385dfc64a31a5bbfc271c5f21eef5155fc7cb639a1237c59aac701ed8

Download Submit
C:\Windows\Installer\MSI3F46.tmp

Filesize
172KB

MD5
12acbc2f093e080cd120210e1394ffd7

SHA1
5ec746485e53d59f2f30c458330efba7e919a1a5

SHA256
6b952555ef2e54ad24de7f58f0c213b8b98a59fbae98b132d8ecb57631ebe2a3

SHA512
e13e3a72c672fe33ddd08e248db77e5c816c9fc26b35699289df14b39fb6307b40757c3c7b9ea48a2d536e17e6e85052d57c3a62d5c22f4d65b2ef4f593108d9

Download Submit
C:\Windows\Installer\MSI3F46.tmp

Filesize
172KB

MD5
12acbc2f093e080cd120210e1394ffd7

SHA1
5ec746485e53d59f2f30c458330efba7e919a1a5

SHA256
6b952555ef2e54ad24de7f58f0c213b8b98a59fbae98b132d8ecb57631ebe2a3

SHA512
e13e3a72c672fe33ddd08e248db77e5c816c9fc26b35699289df14b39fb6307b40757c3c7b9ea48a2d536e17e6e85052d57c3a62d5c22f4d65b2ef4f593108d9

Download Submit
C:\Windows\Installer\MSI41A9.tmp

Filesize
172KB

MD5
12acbc2f093e080cd120210e1394ffd7

SHA1
5ec746485e53d59f2f30c458330efba7e919a1a5

SHA256
6b952555ef2e54ad24de7f58f0c213b8b98a59fbae98b132d8ecb57631ebe2a3

SHA512
e13e3a72c672fe33ddd08e248db77e5c816c9fc26b35699289df14b39fb6307b40757c3c7b9ea48a2d536e17e6e85052d57c3a62d5c22f4d65b2ef4f593108d9

Download Submit
C:\Windows\Installer\MSI41A9.tmp

Filesize
172KB

MD5
12acbc2f093e080cd120210e1394ffd7

SHA1
5ec746485e53d59f2f30c458330efba7e919a1a5

SHA256
6b952555ef2e54ad24de7f58f0c213b8b98a59fbae98b132d8ecb57631ebe2a3

SHA512
e13e3a72c672fe33ddd08e248db77e5c816c9fc26b35699289df14b39fb6307b40757c3c7b9ea48a2d536e17e6e85052d57c3a62d5c22f4d65b2ef4f593108d9

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
c7ca8ae4663764987182460523f4c807

SHA1
baa2f15b8145867d72125e8118df059934b5c40c

SHA256
336f52f539969d3185c0da7d65e2d8fc2d62a747854cbea8ec138ab2f3607605

SHA512
93525d78ee9c4e0e460bf50557e4f0d991185a9ffc85ed87e8df5fe76eb0eafd7430910ff8a3da50e4bee79744a9eb4f5f08754b975aa210fd43c210bc1ffd18

Download Submit
\??\Volume{0fca93b8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1e7287ff-77a8-4e75-a171-e66947ce2e58}_OnDiskSnapshotProp

Filesize
5KB

MD5
7c042beae3e955fc17befdff756c484e

SHA1
db07d3fa7a2fde7fdae6710b1df4b2df81982ddb

SHA256
03936c08ab68cae5ba115c94c5bbece3eae61a59c367d1ed06ceb0597bc68b19

SHA512
aa905859cd8a1dd42402f08692359e4a26ca49eef3c70bba27064b1be9e1a633774c125af8e38fb3ff6031917f13a765a6c71a4d801ff45ef2334dab1a73ed6a

Download Submit
memory/4804-160-0x0000000002FB0000-0x0000000003006000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads