73f87e605d3b9e7873e0988d578e7f85b3a5608ebcf801756c099ad47f060df1

Analysis

max time kernel
147s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 10:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

408f6707a53dfd4164ddd2a9f003334b.exe
Size

775KB
MD5

408f6707a53dfd4164ddd2a9f003334b
SHA1

efcf148ed4ee1faee1d45f89b3d0602384a02e74
SHA256

73f87e605d3b9e7873e0988d578e7f85b3a5608ebcf801756c099ad47f060df1
SHA512

19a9b004c60ec928e56f5fb9bd078b181368d267c9aff03c7fd82b79f88e925bdc5e06ec647ca1f72ff6069afb6e3c185cb51f6e92fdf07578918aaaa41b61ba
SSDEEP

3072:sz5GTwpEGM6mwDFDU/LdSMpOeNkA9o0zPeSFW:eGcpFbNDujdSgtNlzP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
4352	sqlhandler.exe
4068	sqlhandler.exe
3532	sqlhandler.exe
2908	sqlhandler.exe
1728	sqlhandler.exe
3452	sqlhandler.exe
4624	sqlhandler.exe
2124	sqlhandler.exe
1588	sqlhandler.exe
4512	sqlhandler.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File created	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File created	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File opened for modification	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File opened for modification	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File created	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File opened for modification	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File opened for modification	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File created	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File opened for modification	C:\Windows\SysWOW64\sqlhandler.exe	408f6707a53dfd4164ddd2a9f003334b.exe
File created	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File created	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File opened for modification	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File created	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File opened for modification	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File created	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File opened for modification	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File created	C:\Windows\SysWOW64\sqlhandler.exe	408f6707a53dfd4164ddd2a9f003334b.exe
File created	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File opened for modification	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File opened for modification	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe
File created	C:\Windows\SysWOW64\sqlhandler.exe	sqlhandler.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4352	3224	408f6707a53dfd4164ddd2a9f003334b.exe	90
PID 3224 wrote to memory of 4352	3224	408f6707a53dfd4164ddd2a9f003334b.exe	90
PID 3224 wrote to memory of 4352	3224	408f6707a53dfd4164ddd2a9f003334b.exe	90
PID 4352 wrote to memory of 4068	4352	sqlhandler.exe	92
PID 4352 wrote to memory of 4068	4352	sqlhandler.exe	92
PID 4352 wrote to memory of 4068	4352	sqlhandler.exe	92
PID 4068 wrote to memory of 3532	4068	sqlhandler.exe	98
PID 4068 wrote to memory of 3532	4068	sqlhandler.exe	98
PID 4068 wrote to memory of 3532	4068	sqlhandler.exe	98
PID 3532 wrote to memory of 2908	3532	sqlhandler.exe	103
PID 3532 wrote to memory of 2908	3532	sqlhandler.exe	103
PID 3532 wrote to memory of 2908	3532	sqlhandler.exe	103
PID 2908 wrote to memory of 1728	2908	sqlhandler.exe	106
PID 2908 wrote to memory of 1728	2908	sqlhandler.exe	106
PID 2908 wrote to memory of 1728	2908	sqlhandler.exe	106
PID 1728 wrote to memory of 3452	1728	sqlhandler.exe	107
PID 1728 wrote to memory of 3452	1728	sqlhandler.exe	107
PID 1728 wrote to memory of 3452	1728	sqlhandler.exe	107
PID 3452 wrote to memory of 4624	3452	sqlhandler.exe	109
PID 3452 wrote to memory of 4624	3452	sqlhandler.exe	109
PID 3452 wrote to memory of 4624	3452	sqlhandler.exe	109
PID 4624 wrote to memory of 2124	4624	sqlhandler.exe	113
PID 4624 wrote to memory of 2124	4624	sqlhandler.exe	113
PID 4624 wrote to memory of 2124	4624	sqlhandler.exe	113
PID 2124 wrote to memory of 1588	2124	sqlhandler.exe	116
PID 2124 wrote to memory of 1588	2124	sqlhandler.exe	116
PID 2124 wrote to memory of 1588	2124	sqlhandler.exe	116
PID 1588 wrote to memory of 4512	1588	sqlhandler.exe	120
PID 1588 wrote to memory of 4512	1588	sqlhandler.exe	120
PID 1588 wrote to memory of 4512	1588	sqlhandler.exe	120

C:\Users\Admin\AppData\Local\Temp\408f6707a53dfd4164ddd2a9f003334b.exe
"C:\Users\Admin\AppData\Local\Temp\408f6707a53dfd4164ddd2a9f003334b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\SysWOW64\sqlhandler.exe
  C:\Windows\system32\sqlhandler.exe 1132 "C:\Users\Admin\AppData\Local\Temp\408f6707a53dfd4164ddd2a9f003334b.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\sqlhandler.exe
    C:\Windows\system32\sqlhandler.exe 1124 "C:\Windows\SysWOW64\sqlhandler.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\SysWOW64\sqlhandler.exe
      C:\Windows\system32\sqlhandler.exe 1096 "C:\Windows\SysWOW64\sqlhandler.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3532
    - - C:\Windows\SysWOW64\sqlhandler.exe
        
        C:\Windows\system32\sqlhandler.exe 1092 "C:\Windows\SysWOW64\sqlhandler.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\SysWOW64\sqlhandler.exe
        
        C:\Windows\system32\sqlhandler.exe 1088 "C:\Windows\SysWOW64\sqlhandler.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\sqlhandler.exe
        
        C:\Windows\system32\sqlhandler.exe 1108 "C:\Windows\SysWOW64\sqlhandler.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\sqlhandler.exe
        
        C:\Windows\system32\sqlhandler.exe 1112 "C:\Windows\SysWOW64\sqlhandler.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\sqlhandler.exe
        
        C:\Windows\system32\sqlhandler.exe 1104 "C:\Windows\SysWOW64\sqlhandler.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\sqlhandler.exe
        
        C:\Windows\system32\sqlhandler.exe 1116 "C:\Windows\SysWOW64\sqlhandler.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\sqlhandler.exe
        
        C:\Windows\system32\sqlhandler.exe 1144 "C:\Windows\SysWOW64\sqlhandler.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sqlhandler.exe

Filesize
207KB

MD5
95ec3010550a42c22f0105f2aebbe38f

SHA1
8a810b20d593042853f9c8f350beaa094559c289

SHA256
fc6f869991885829113040de5b6b85fd7d75e20eb952e4e2d336fafbd3371e76

SHA512
555876992d38603f8d7520cf6c4929ad1575fd4e6aa7716a607885f570f4ddd6ef17cdb5b5d64cb681e82779ef88d710e0c4af9b499d6e557bbe1a2332e75de0

Download Submit
C:\Windows\SysWOW64\sqlhandler.exe

Filesize
24KB

MD5
20b2b2c9bf42388b2b19e03c45c3ba67

SHA1
39b4a1eb4e504629e3619aa4c098f9f858f6a40a

SHA256
3fb0013a5a893c9c3abf3f0e051a8a084e61f14d5aafd44d093d7a44aa0f95fb

SHA512
eb60647533984ff8e644599196e9902cb87d23bbd353709c33a0c46a344e98dfd7e187daf51a821ea59c0186747ef6d5ddee134123de3ebd4d0b3a9bbff477dc

Download Submit
C:\Windows\SysWOW64\sqlhandler.exe

Filesize
50KB

MD5
4fa75079458fff6b6c543267eee3da43

SHA1
0e9d2171f749760c70b7cbfc57fe68c4c16bfda1

SHA256
3686c9bbf27ab7e6b9e9d8b3c9125a0e435bfd6aefa2a447794b03c270ea7a35

SHA512
a5e5a76541d814dd7ed9fee95430d9feae4d4c3b7f4f32dc92d68e48ce7672377ebde1157d3a4b2be8743b2ae53e8cf6ccb77f94408c61ef538d547f0f33ba1a

Download Submit
C:\Windows\SysWOW64\sqlhandler.exe

Filesize
82KB

MD5
b6ec4afb212e4ea1ed7fcedd600cf25d

SHA1
33b8af69f9c8f011eedac2881a9cf03ea45d8108

SHA256
aa1defbc6826c9ea65345e36fb4d1637394eb81909417b4723c07dbf9ac09508

SHA512
8147beec46672a6d9a6e9c8623138188f2f8132b1321995c46a6978d7cc721fcee7560f8c72af078dc5cc0f0ecb7ed05009a7b794523aff01171e684da5edde4

Download Submit
C:\Windows\SysWOW64\sqlhandler.exe

Filesize
775KB

MD5
408f6707a53dfd4164ddd2a9f003334b

SHA1
efcf148ed4ee1faee1d45f89b3d0602384a02e74

SHA256
73f87e605d3b9e7873e0988d578e7f85b3a5608ebcf801756c099ad47f060df1

SHA512
19a9b004c60ec928e56f5fb9bd078b181368d267c9aff03c7fd82b79f88e925bdc5e06ec647ca1f72ff6069afb6e3c185cb51f6e92fdf07578918aaaa41b61ba

Download Submit
memory/1588-34-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1728-22-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2124-31-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2908-19-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3224-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3224-8-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3452-25-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3532-16-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4068-13-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4068-11-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4352-9-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4352-7-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4624-28-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads