Analysis

  • max time kernel
    18s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-08-2023 14:32

General

  • Target

    SQLi-DB.exe

  • Size

    999KB

  • MD5

    2b2b5de1c1c8e9d150e02c6fe9e7f17d

  • SHA1

    dfbd86d1b4825542639deafe30b8bbc68a02b038

  • SHA256

    2fde4eb59df5b21cb197127a9b65ad514d6a68b21d8ff8bdee8360c367972b8e

  • SHA512

    90cbb5fe19661b54f5eda95945cdef020625191ecfa03c702779ffbd1ddfc0411fcf25aa4599eec8b5a371d4c61869a48e7aa71923682f13f2ea4827b962419d

  • SSDEEP

    12288:hrdLJ/itCph7yQJIVGuH7U8R0pRc84sTASq2+DeZFmGXMcnq:hxLJ/iIpZCr0zh4sKDsFmElq

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SQLi-DB.exe
    "C:\Users\Admin\AppData\Local\Temp\SQLi-DB.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4464
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4388
    • C:\Users\Admin\AppData\Local\Temp\SQLi-DB .exe
      "C:\Users\Admin\AppData\Local\Temp\SQLi-DB .exe"
      2⤵
      • Executes dropped EXE
      PID:2672
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1432
        3⤵
        • Program crash
        PID:4248
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1452
        3⤵
        • Program crash
        PID:4980
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2672 -ip 2672
    1⤵
    PID:4552
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2672 -ip 2672
    1⤵
    PID:3276

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

        Filesize

        404B

        MD5

        a77d82e60cf3fa4cf1c1a6477a798fdf

        SHA1

        fc4c2bbdc2a87483022b14e15f0c656fd9ab12e5

        SHA256

        57fdd9ecffeaf2968626d80a30e85907d56dfb3b580820f3beae0001e1c32a21

        SHA512

        4606317ccb8b51fa36ecad49256a3da9c8a265afa811ceabe4cdf9f5c3d5d07723a772fa724e958c7c39bcda3dfde2dc3383d04d1d52952584180b8152cc270c

      • C:\Users\Admin\AppData\Local\Temp\SQLi-DB .exe

        Filesize

        919KB

        MD5

        5b940b9742b30617768b2f51f059672f

        SHA1

        72884c0ffc60379dde94bac0ed629546a7b057c0

        SHA256

        75ffec65ae027c9e4beee064a05b402aa7106e3b9120f95c5fab085e753fa1c7

        SHA512

        d17c65dcf7cd30a7aacda64e261c0fd64b99c157d78742d569071d8718bd98fd7a6c8d43c2988b1d7a8123fc5a23d627702fc260982b3468f0c798a01c8d21e5

      • C:\Users\Admin\AppData\Local\Temp\Setup.exe

        Filesize

        63KB

        MD5

        27d2084c1ad920288b2250f6bc81ef54

        SHA1

        604a152e0d88a40294eeb1a043c0f4e809ebb607

        SHA256

        bdc52cca869db7734fa87c35ebbb0de110aee66e2224d022303ece9f40f51f42

        SHA512

        5bd98206d8d3d98f7f7323ba2736d19245d492dac6bd7656f312d5fd650f55febd3e1c538bb9ed0d5736340f505a6711450699d8a105999b668654f6346b3f91

      • memory/2672-176-0x0000000000DF0000-0x0000000000EDC000-memory.dmp

        Filesize

        944KB

      • memory/2672-175-0x0000000074980000-0x0000000075130000-memory.dmp

        Filesize

        7.7MB

      • memory/2672-186-0x0000000074980000-0x0000000075130000-memory.dmp

        Filesize

        7.7MB

      • memory/2672-185-0x0000000001EB0000-0x0000000001EC0000-memory.dmp

        Filesize

        64KB

      • memory/2672-184-0x0000000005BC0000-0x0000000005BCA000-memory.dmp

        Filesize

        40KB

      • memory/2672-178-0x0000000005740000-0x00000000057D2000-memory.dmp

        Filesize

        584KB

      • memory/2672-183-0x0000000001EB0000-0x0000000001EC0000-memory.dmp

        Filesize

        64KB

      • memory/2672-177-0x0000000005CF0000-0x0000000006294000-memory.dmp

        Filesize

        5.6MB

      • memory/4388-182-0x00007FFA30EA0000-0x00007FFA31841000-memory.dmp

        Filesize

        9.6MB

      • memory/4388-159-0x0000000001780000-0x0000000001790000-memory.dmp

        Filesize

        64KB

      • memory/4388-161-0x00007FFA30EA0000-0x00007FFA31841000-memory.dmp

        Filesize

        9.6MB

      • memory/4388-169-0x00007FFA30EA0000-0x00007FFA31841000-memory.dmp

        Filesize

        9.6MB

      • memory/4408-138-0x000000001C120000-0x000000001C5EE000-memory.dmp

        Filesize

        4.8MB

      • memory/4408-135-0x00007FFA30EA0000-0x00007FFA31841000-memory.dmp

        Filesize

        9.6MB

      • memory/4408-174-0x00007FFA30EA0000-0x00007FFA31841000-memory.dmp

        Filesize

        9.6MB

      • memory/4408-136-0x00007FFA30EA0000-0x00007FFA31841000-memory.dmp

        Filesize

        9.6MB

      • memory/4408-133-0x0000000000A60000-0x0000000000B60000-memory.dmp

        Filesize

        1024KB

      • memory/4408-137-0x00000000014F0000-0x0000000001500000-memory.dmp

        Filesize

        64KB

      • memory/4408-139-0x000000001C690000-0x000000001C72C000-memory.dmp

        Filesize

        624KB

      • memory/4408-134-0x000000001BB90000-0x000000001BC36000-memory.dmp

        Filesize

        664KB

      • memory/4464-157-0x00007FFA30EA0000-0x00007FFA31841000-memory.dmp

        Filesize

        9.6MB

      • memory/4464-180-0x00007FFA30EA0000-0x00007FFA31841000-memory.dmp

        Filesize

        9.6MB

      • memory/4464-160-0x0000000000800000-0x000000000080E000-memory.dmp

        Filesize

        56KB

      • memory/4464-154-0x0000000000AF0000-0x0000000000B00000-memory.dmp

        Filesize

        64KB

      • memory/4464-153-0x00007FFA30EA0000-0x00007FFA31841000-memory.dmp

        Filesize

        9.6MB

      • memory/4464-152-0x0000000000110000-0x0000000000128000-memory.dmp

        Filesize

        96KB