139bf4bc1e0b8b3832e82f23cef43ab0b66530caa0963e45950175df459b1458

General

Target

msodbcsql_3be4cf889ad6c6334b15ac136d57321cbca28026.exe
Size

4.1MB
MD5

ac85224e7442d03afab8e7e468d12b12
SHA1

3be4cf889ad6c6334b15ac136d57321cbca28026
SHA256

139bf4bc1e0b8b3832e82f23cef43ab0b66530caa0963e45950175df459b1458
SHA512

607405c83eeac87239e9906092732a808deb16d4620ac46708f0b0efe15e097a66869e97ac6d78bcbe0f48a9ec30cfaf4a44c74ab8c35e95dd75e09ba39140d7
SSDEEP

98304:tJxJzqAgBeiY7reD2RZDwEZbRmckDZVRss+C26lbZ8nHezBbH8YD:tJxwAn3e6RZhbUcif26sn+9bRD

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msodbcsql_3be4cf889ad6c6334b15ac136d57321cbca28026.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	msodbcsql_3be4cf889ad6c6334b15ac136d57321cbca28026.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

5 3436 msiexec.exe

flow	pid	process
5	3436	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in System32 directory 9 IoCs

Processes:

msiexec.exemmc.exe

description	ioc	process
File created	C:\Windows\system32\1033\msodbcsqlr17.rll	msiexec.exe
File created	C:\Windows\SysWOW64\adal.dll	msiexec.exe
File created	C:\Windows\system32\adal.dll	msiexec.exe
File opened for modification	C:\Windows\System32\services.msc	mmc.exe
File created	C:\Windows\SysWOW64\msodbcdiag17.dll	msiexec.exe
File created	C:\Windows\system32\msodbcdiag17.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msodbcsql17.dll	msiexec.exe
File created	C:\Windows\system32\msodbcsql17.dll	msiexec.exe
File created	C:\Windows\SysWOW64\1033\msodbcsqlr17.rll	msiexec.exe

Drops file in Program Files directory 3 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\170\License Terms\License_msodbcsql_ENU.txt	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\License Terms\License_msodbcsql_ENU.txt	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\KeyFile\1033\sqlodbc_keyfile.dll	msiexec.exe

Drops file in Windows directory 29 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6	msiexec.exe
File created	C:\Windows\Installer\{0E0F96AC-80DE-4400-A40C-429D63293651}\ARPIco	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\msvcp140.dll.E281B893_10D7_34CE_BB0E_B69D88E154A5	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\vccorlib140.dll.AF4EABEE_4589_3789_BA0A_C83A71662E1D	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\vccorlib140.dll.E281B893_10D7_34CE_BB0E_B69D88E154A5	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\vcruntime140.dll.AF4EABEE_4589_3789_BA0A_C83A71662E1D	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\msvcp140.dll.AF4EABEE_4589_3789_BA0A_C83A71662E1D	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\vccorlib140.dll.AF4EABEE_4589_3789_BA0A_C83A71662E1D	msiexec.exe
File opened for modification	C:\Windows\Installer\{0E0F96AC-80DE-4400-A40C-429D63293651}\ARPIco	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\concrt140.dll.E281B893_10D7_34CE_BB0E_B69D88E154A5	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\msvcp140.dll.E281B893_10D7_34CE_BB0E_B69D88E154A5	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0E0F96AC-80DE-4400-A40C-429D63293651}	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BCF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\msvcp140.dll.AF4EABEE_4589_3789_BA0A_C83A71662E1D	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\vccorlib140.dll.E281B893_10D7_34CE_BB0E_B69D88E154A5	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\vcruntime140.dll.E281B893_10D7_34CE_BB0E_B69D88E154A5	msiexec.exe
File opened for modification	C:\Windows\Installer\e581160.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e581164.msi	msiexec.exe
File created	C:\Windows\Installer\e581160.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\vcruntime140.dll.AF4EABEE_4589_3789_BA0A_C83A71662E1D	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\concrt140.dll.E281B893_10D7_34CE_BB0E_B69D88E154A5	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\concrt140.dll.AF4EABEE_4589_3789_BA0A_C83A71662E1D	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\concrt140.dll.AF4EABEE_4589_3789_BA0A_C83A71662E1D	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\CA69F0E0ED0800444AC024D936926315\17.10.6\vcruntime140.dll.E281B893_10D7_34CE_BB0E_B69D88E154A5	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI21DB.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

1156 MsiExec.exe

pid	process
1156	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe

Modifies registry class 27 IoCs

Processes:

msiexec.exetaskmgr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\PackageCode = "B043BF1022B40BE40BD14ABC884F7B03"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CA69F0E0ED0800444AC024D936926315\SQL_SQLODBC_SDK = "\x06"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\012A321037B97E645BECF7333630007E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\SourceList\Net	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	taskmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\Version = "285868038"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\SourceList\PackageName = "msodbcsql.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\SourceList\Media\MediaPackage = "\\1033_ENU_LP\\x64\\Setup\\x64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\SourceList\Media\1 = "MSODBCSQL17;"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CA69F0E0ED0800444AC024D936926315\SQL_SQLODBC_CORE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\ProductIcon = "C:\\Windows\\Installer\\{0E0F96AC-80DE-4400-A40C-429D63293651}\\ARPIco"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\012A321037B97E645BECF7333630007E\CA69F0E0ED0800444AC024D936926315	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CA69F0E0ED0800444AC024D936926315	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\ProductName = "Microsoft ODBC Driver 17 for SQL Server"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA69F0E0ED0800444AC024D936926315	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exetaskmgr.exe

pid	process
3436	msiexec.exe
3436	msiexec.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

644 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3904	msiexec.exe
Token: SeSecurityPrivilege	3436	msiexec.exe
Token: SeCreateTokenPrivilege	3904	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3904	msiexec.exe
Token: SeLockMemoryPrivilege	3904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3904	msiexec.exe
Token: SeMachineAccountPrivilege	3904	msiexec.exe
Token: SeTcbPrivilege	3904	msiexec.exe
Token: SeSecurityPrivilege	3904	msiexec.exe
Token: SeTakeOwnershipPrivilege	3904	msiexec.exe
Token: SeLoadDriverPrivilege	3904	msiexec.exe
Token: SeSystemProfilePrivilege	3904	msiexec.exe
Token: SeSystemtimePrivilege	3904	msiexec.exe
Token: SeProfSingleProcessPrivilege	3904	msiexec.exe
Token: SeIncBasePriorityPrivilege	3904	msiexec.exe
Token: SeCreatePagefilePrivilege	3904	msiexec.exe
Token: SeCreatePermanentPrivilege	3904	msiexec.exe
Token: SeBackupPrivilege	3904	msiexec.exe
Token: SeRestorePrivilege	3904	msiexec.exe
Token: SeShutdownPrivilege	3904	msiexec.exe
Token: SeDebugPrivilege	3904	msiexec.exe
Token: SeAuditPrivilege	3904	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3904	msiexec.exe
Token: SeChangeNotifyPrivilege	3904	msiexec.exe
Token: SeRemoteShutdownPrivilege	3904	msiexec.exe
Token: SeUndockPrivilege	3904	msiexec.exe
Token: SeSyncAgentPrivilege	3904	msiexec.exe
Token: SeEnableDelegationPrivilege	3904	msiexec.exe
Token: SeManageVolumePrivilege	3904	msiexec.exe
Token: SeImpersonatePrivilege	3904	msiexec.exe
Token: SeCreateGlobalPrivilege	3904	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe
Token: SeRestorePrivilege	3436	msiexec.exe
Token: SeTakeOwnershipPrivilege	3436	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe
644	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mmc.exe

pid process

3020 mmc.exe
3020 mmc.exe
3020 mmc.exe
3020 mmc.exe

pid	process
3020	mmc.exe
3020	mmc.exe
3020	mmc.exe
3020	mmc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

msodbcsql_3be4cf889ad6c6334b15ac136d57321cbca28026.exemsiexec.exetaskmgr.exe

description	pid	process	target process
PID 1952 wrote to memory of 3904	1952	msodbcsql_3be4cf889ad6c6334b15ac136d57321cbca28026.exe	msiexec.exe
PID 1952 wrote to memory of 3904	1952	msodbcsql_3be4cf889ad6c6334b15ac136d57321cbca28026.exe	msiexec.exe
PID 3436 wrote to memory of 1156	3436	msiexec.exe	MsiExec.exe
PID 3436 wrote to memory of 1156	3436	msiexec.exe	MsiExec.exe
PID 644 wrote to memory of 3020	644	taskmgr.exe	mmc.exe
PID 644 wrote to memory of 3020	644	taskmgr.exe	mmc.exe

C:\Users\Admin\AppData\Local\Temp\msodbcsql_3be4cf889ad6c6334b15ac136d57321cbca28026.exe
"C:\Users\Admin\AppData\Local\Temp\msodbcsql_3be4cf889ad6c6334b15ac136d57321cbca28026.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SYSTEM32\msiexec.exe
msiexec /quiet /passive /qn /i msodbcsql.msi IACCEPTMSODBCSQLLICENSETERMS=YES
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 602E65D1F101419876954C7DB9BBA116
2⤵
- Loads dropped DLL
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3012

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
2⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581163.rbs
Filesize
27KB

MD5
40ecb55a41f43f2e8d2b81f8ef37ad3c

SHA1
2798fbc52bea3f5c8cc9cb562b593106e1650248

SHA256
3b8f9053956059f8d20a170380651b106f79c400656615c971305d965bc80613

SHA512
48581624bc162bd7ba4834fb335f264d298c34beb28272b27b0e630bcc0134dab79b46174e9543c2541d558dd12606c040356eb5faf2bfbcfe7c1f93d8997fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msodbcsql.msi
Filesize
4.5MB

MD5
5dab1714ad4c7336de247e8a342a85f8

SHA1
3ae75e74fda38674144ac30a40d7f734dc849d7f

SHA256
1b6e2fe09fb48bd0f4c78e092e441993718eb5515abf94552384e09a06afee58

SHA512
b838ef39fa88f944d0f19f081dd528546d017bad3ba2b8da9e843a6aaed0e880a2a1b0841f3a2de7b4fc3ce9737ed294f4ae293d45081e8083734d34742cfa56

Download Submit
C:\Windows\Installer\MSI21DB.tmp
Filesize
29KB

MD5
885c18679e8801363b0de671dc4fd88c

SHA1
fa5d67d04d65502edc62b2967f4df28f78b7b879

SHA256
8efa4c0c279df5db94a10e05390b539424293ab8dcb402c613ed74749737afb7

SHA512
4cf10b350b841e24678f2b88aa7f11dc65ea5a4a1dad032540f1d11fe792d5517c8ba332017d716ad6f197814f7bf29e4852b235b9ca0e19d2d569d9431d1563

Download Submit
memory/644-62-0x0000021B8AFA0000-0x0000021B8AFA1000-memory.dmp

Filesize
4KB

Download
memory/644-55-0x0000021B8AFA0000-0x0000021B8AFA1000-memory.dmp

Filesize
4KB

Download
memory/644-57-0x0000021B8AFA0000-0x0000021B8AFA1000-memory.dmp

Filesize
4KB

Download
memory/644-56-0x0000021B8AFA0000-0x0000021B8AFA1000-memory.dmp

Filesize
4KB

Download
memory/644-61-0x0000021B8AFA0000-0x0000021B8AFA1000-memory.dmp

Filesize
4KB

Download
memory/644-63-0x0000021B8AFA0000-0x0000021B8AFA1000-memory.dmp

Filesize
4KB

Download
memory/644-64-0x0000021B8AFA0000-0x0000021B8AFA1000-memory.dmp

Filesize
4KB

Download
memory/644-65-0x0000021B8AFA0000-0x0000021B8AFA1000-memory.dmp

Filesize
4KB

Download
memory/644-66-0x0000021B8AFA0000-0x0000021B8AFA1000-memory.dmp

Filesize
4KB

Download
memory/644-67-0x0000021B8AFA0000-0x0000021B8AFA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads