Analysis

max time kernel:  18s
max time network: 15s
platform:         windows10-2004_x64
resource:         win10v2004-20230703-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted:        16-08-2023 14:32
Static task:     static1

Behavioral task: behavioral1
  Sample:   SQLi-DB.exe
  Resource: win7-20230712-en

Behavioral task: behavioral2
  Sample:   SQLi-DB.exe
  Resource: win10v2004-20230703-en
General

Target: SQLi-DB.exe
Size:   999KB
MD5:    2b2b5de1c1c8e9d150e02c6fe9e7f17d
SHA1:   dfbd86d1b4825542639deafe30b8bbc68a02b038
SHA256: 2fde4eb59df5b21cb197127a9b65ad514d6a68b21d8ff8bdee8360c367972b8e
SHA512: 90cbb5fe19661b54f5eda95945cdef020625191ecfa03c702779ffbd1ddfc0411fcf25aa4599eec8b5a371d4c61869a48e7aa71923682f13f2ea4827b962419d
SSDEEP: 12288:hrdLJ/itCph7yQJIVGuH7U8R0pRc84sTASq2+DeZFmGXMcnq:hxLJ/iIpZCr0zh4sKDsFmElq
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  4464  Setup.exe
  4388  Setup.exe
  2672  SQLi-DB .exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  4248  2672        WerFault.exe  84
  4980  2672        WerFault.exe  84

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4464  Setup.exe
  Token: SeDebugPrivilege  4388  Setup.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process      procid_target
  PID 4408 wrote to memory of 4464  4408  SQLi-DB.exe  82
  PID 4408 wrote to memory of 4464  4408  SQLi-DB.exe  82
  PID 4408 wrote to memory of 4388  4408  SQLi-DB.exe  83
  PID 4408 wrote to memory of 4388  4408  SQLi-DB.exe  83
  PID 4408 wrote to memory of 2672  4408  SQLi-DB.exe  84
  PID 4408 wrote to memory of 2672  4408  SQLi-DB.exe  84
  PID 4408 wrote to memory of 2672  4408  SQLi-DB.exe  84
Processes

C:\Users\Admin\AppData\Local\Temp\SQLi-DB.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SQLi-DB.exe"
  PID: 4408
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      PID: 4464
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      PID: 4388
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\SQLi-DB .exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SQLi-DB .exe"
      PID: 2672
      - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1432
          PID: 4248
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1452
          PID: 4980
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2672 -ip 2672
  PID: 4552

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2672 -ip 2672
  PID: 3276
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 404B
MD5:      a77d82e60cf3fa4cf1c1a6477a798fdf
SHA1:     fc4c2bbdc2a87483022b14e15f0c656fd9ab12e5
SHA256:   57fdd9ecffeaf2968626d80a30e85907d56dfb3b580820f3beae0001e1c32a21
SHA512:   4606317ccb8b51fa36ecad49256a3da9c8a265afa811ceabe4cdf9f5c3d5d07723a772fa724e958c7c39bcda3dfde2dc3383d04d1d52952584180b8152cc270c

Filesize: 919KB
MD5:      5b940b9742b30617768b2f51f059672f
SHA1:     72884c0ffc60379dde94bac0ed629546a7b057c0
SHA256:   75ffec65ae027c9e4beee064a05b402aa7106e3b9120f95c5fab085e753fa1c7
SHA512:   d17c65dcf7cd30a7aacda64e261c0fd64b99c157d78742d569071d8718bd98fd7a6c8d43c2988b1d7a8123fc5a23d627702fc260982b3468f0c798a01c8d21e5

Filesize: 63KB
MD5:      27d2084c1ad920288b2250f6bc81ef54
SHA1:     604a152e0d88a40294eeb1a043c0f4e809ebb607
SHA256:   bdc52cca869db7734fa87c35ebbb0de110aee66e2224d022303ece9f40f51f42
SHA512:   5bd98206d8d3d98f7f7323ba2736d19245d492dac6bd7656f312d5fd650f55febd3e1c538bb9ed0d5736340f505a6711450699d8a105999b668654f6346b3f91