Overview

overview

7

Static

static

1

sqlncli.msi

windows7-x64

7

sqlncli.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2023 04:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sqlncli.msi

  • Size

    4.8MB

  • MD5

    129fc6413083694818cbc0a297d706fd

  • SHA1

    a391bf631cca15e5ceb4bd6b5d17eae4b1ea25c3

  • SHA256

    6737269ad63771c15b6e249209bee0ec2ad1231503efd9e1f1a7213ee7e70886

  • SHA512

    bf5c80cf62a4dc71f8d0c0e6e9a1dfa29fd021dc02982df1d55df068e4b950b19e44e06affbde2d7ec5572d3ae5a8c41832d6e8d76d1dfa51eb10d4a8de813f7

  • SSDEEP

    98304:n2EFqz1zS25sCnwT4h85R/x7ijbq/0WePORfD3yxa:nLFqZS2B1WR/4fq/0WA5

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\sqlncli.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:540
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 639EB35EA16A1D5D384A9C3EB27CCF6F C
      2⤵
      • Loads dropped DLL
      PID:3972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI7ADD.tmp
    Filesize

    99KB

    MD5

    5ff85536c392f340fc5f1bb164f59934

    SHA1

    33492bbfcadfce18da7283e2e8fd15cd07ffefde

    SHA256

    00c16418c2caa6dd12037e3e8e816c52e6378cf4cebde0a85800307f9c70f755

    SHA512

    76b0dfe029f815ec2697479b4617307e436d38bf90055f995e617ef77e370bdf6fef04e18778e73800669a92476efca4c945ce6c2889076e6b7e0083f32e5651

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI7ADD.tmp
    Filesize

    99KB

    MD5

    5ff85536c392f340fc5f1bb164f59934

    SHA1

    33492bbfcadfce18da7283e2e8fd15cd07ffefde

    SHA256

    00c16418c2caa6dd12037e3e8e816c52e6378cf4cebde0a85800307f9c70f755

    SHA512

    76b0dfe029f815ec2697479b4617307e436d38bf90055f995e617ef77e370bdf6fef04e18778e73800669a92476efca4c945ce6c2889076e6b7e0083f32e5651

    Download Submit