a1fee4045eed25da9a4d6dcaa9188d15e88fecc8c175dda59a116d0cd9b511e9

General

Target

SSMS-Setup-ENU.exe
Size

485.3MB
MD5

0f230d87d2c57bee16c9d33d75060d73
SHA1

7d1a9b702adcbbc6a4a8331ef9a238e49be39480
SHA256

a1fee4045eed25da9a4d6dcaa9188d15e88fecc8c175dda59a116d0cd9b511e9
SHA512

1ae914ac95107c3a1ba829a1793835a3a715cefc42e7d7e5b6a07d08cf4c632ccdae6cba78bf90c3183195620eb1493ce8cbee7c6cda65636c2939ea26a6b0d1
SSDEEP

12582912:K97VVz5GSxX9ME4ReEhlvpAiQ/VbKJB2k74hLPozHJFL+uBvP1jlW+TO8iy5hE:K97VVz5GSxX9MEuxAi8lKJB2kcVQzHHS

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2512	SSMS-Setup-ENU.exe

Loads dropped DLL 15 IoCs

pid	Process
1876	SSMS-Setup-ENU.exe
2512	SSMS-Setup-ENU.exe
2512	SSMS-Setup-ENU.exe
2512	SSMS-Setup-ENU.exe
2512	SSMS-Setup-ENU.exe
2512	SSMS-Setup-ENU.exe
2512	SSMS-Setup-ENU.exe
2512	SSMS-Setup-ENU.exe
2512	SSMS-Setup-ENU.exe
2512	SSMS-Setup-ENU.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2976	2512	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2512	1876	SSMS-Setup-ENU.exe	28
PID 1876 wrote to memory of 2512	1876	SSMS-Setup-ENU.exe	28
PID 1876 wrote to memory of 2512	1876	SSMS-Setup-ENU.exe	28
PID 1876 wrote to memory of 2512	1876	SSMS-Setup-ENU.exe	28
PID 1876 wrote to memory of 2512	1876	SSMS-Setup-ENU.exe	28
PID 1876 wrote to memory of 2512	1876	SSMS-Setup-ENU.exe	28
PID 1876 wrote to memory of 2512	1876	SSMS-Setup-ENU.exe	28
PID 2512 wrote to memory of 2976	2512	SSMS-Setup-ENU.exe	29
PID 2512 wrote to memory of 2976	2512	SSMS-Setup-ENU.exe	29
PID 2512 wrote to memory of 2976	2512	SSMS-Setup-ENU.exe	29
PID 2512 wrote to memory of 2976	2512	SSMS-Setup-ENU.exe	29

C:\Users\Admin\AppData\Local\Temp\SSMS-Setup-ENU.exe
"C:\Users\Admin\AppData\Local\Temp\SSMS-Setup-ENU.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\Temp\{E67DB6FF-1F89-4072-8AE7-20AA1F502D56}\.cr\SSMS-Setup-ENU.exe
  "C:\Windows\Temp\{E67DB6FF-1F89-4072-8AE7-20AA1F502D56}\.cr\SSMS-Setup-ENU.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\SSMS-Setup-ENU.exe" -burn.filehandle.attached=184 -burn.filehandle.self=192
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 844
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{26FC1C97-DF64-4792-AFC6-BA5A4C419698}\.ba\BootstrapperCore.config

Filesize
1KB

MD5
78e515b8f1108092186634577e4465d1

SHA1
8234f9991dc39bdcbbe1d7d640f89106efe8aca0

SHA256
ff1e0652b304c1edaa2401572ef30705b374dd80a72e08c32bcd9340989e2b9c

SHA512
3059cae879ddcd2d0eb7aa7b0fb2df6bda681fc2ed82cc4361031b8056d3d9607f3164a06a2fda70789b83a490607ba87e4f8b86b6f06ab3736e1cfcb21d8f31

Download Submit
\Windows\Temp\{26FC1C97-DF64-4792-AFC6-BA5A4C419698}\.ba\BootstrapperCore.dll

Filesize
91KB

MD5
60eaff04cfa5edd04b05e61c1f4d6e7e

SHA1
35f69f0487653a5992564ef13387449cc63990b5

SHA256
139e767080fcdd816a19e664ece9e15769451d924d99288441607065cc928a8c

SHA512
17506d40f29cc1321290310ca62be116addc19b7e2d5cf7eeb6c55f91c36beced51d71a0f29c6ebfd6b7a88205f2fa2cc6df7ea3b2c6017d3ea13ea2d50f1b36

Download Submit
\Windows\Temp\{26FC1C97-DF64-4792-AFC6-BA5A4C419698}\.ba\Microsoft.Deployment.WindowsInstaller.dll

Filesize
183KB

MD5
a4d3eaf44156ab27772e2cf99033ed64

SHA1
bd28431730bea4908d2ea728ea70ccf48debc5d8

SHA256
abe1742945a10588376cd127771c3d5f3f0579d4ff1bde15c41a494451d89444

SHA512
aeb342f38a05cd061b76bdc7cbfa469e6c95e40dc81707d0df2223a7bb1ac2b25169653aae4d49945ffd579954897a166d897b65410dec5ecda5f32e15f1adaa

Download Submit
\Windows\Temp\{26FC1C97-DF64-4792-AFC6-BA5A4C419698}\.ba\Microsoft.Practices.Prism.Mvvm.dll

Filesize
30KB

MD5
de2ee70b925501cb3d29707a6c0bf0e5

SHA1
99002cd52db1dd170c972381f2b530b55d2a99b9

SHA256
06f36c88682b48640e1adc2d8320672b210db2c5eb0038eaae7d21b809e1a3ba

SHA512
9da49222e486e31b5e87c0e915fdd040b49665836b308fabe6f260fbdeffc6bc819fd0bd3a94c69eda30228d864c2cdf7302790076cd49a572e551048e4581a6

Download Submit
\Windows\Temp\{26FC1C97-DF64-4792-AFC6-BA5A4C419698}\.ba\Microsoft.Sql.DataTools.ManagedBootstrapperApp.dll

Filesize
122KB

MD5
077619d880a716c5b9a3fe94e57b9305

SHA1
8cc4bddb1df6fe83f4c6593593a0cbbcf23729f3

SHA256
388e92b2e27fba114a3d032f07ac1dac89f5c111f367954e6883f3dbfe8e415f

SHA512
8a52366f3c799ec3eaa97fc598349d1037bd9df7ce99455787faa14e0e05e0bb6ab73856730f3eabec45cf08327e55b341fbc554deb6c33f327d1a5da0865263

Download Submit
\Windows\Temp\{26FC1C97-DF64-4792-AFC6-BA5A4C419698}\.ba\mbahost.dll

Filesize
139KB

MD5
a98eb2617326292d3ab96e54b4ba703c

SHA1
dc72b1e18930d26c16b8d5e4f25711e4da9da24c

SHA256
7182fb48a03f653a2b87d66409599d0d11dfb197ca7f969d2c8d72e38bf13590

SHA512
0fac78fc2f9ff8d6688726a4e082cbefa0b6c1a421b90235062581adf854a1c3bbdd0295b7f6bf931455ad974cf7e6ab966c558c769fcd6e26c1270e3c69a543

Download Submit
\Windows\Temp\{E67DB6FF-1F89-4072-8AE7-20AA1F502D56}\.cr\SSMS-Setup-ENU.exe

Filesize
1.4MB

MD5
8710baaf21c3954bf0f42779a8895ddd

SHA1
60f9f1252f7a916f66f01ad0d175c2008957d008

SHA256
d5cf7b93cd3b9bc39306e60adaafa2fa8dd593362d6e839d8eb0eda2603f48ad

SHA512
44f3325204a57d580865150930b120944847bd8ec9de8e5b3ac8831727f51b235d63fbe6d5561a28cf2795b875281b5f8d6575fd873ea12ae3fc07eb2d251a2f

Download Submit
memory/2512-68-0x00000000023F0000-0x0000000002412000-memory.dmp

Filesize
136KB

Download
memory/2512-62-0x0000000073C70000-0x000000007435E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-61-0x0000000073C70000-0x000000007435E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-69-0x0000000073C70000-0x000000007435E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-59-0x00000000023A0000-0x00000000023B8000-memory.dmp

Filesize
96KB

Download
memory/2512-73-0x00000000026B0000-0x00000000026DE000-memory.dmp

Filesize
184KB

Download
memory/2512-54-0x0000000073C7E000-0x0000000073C7F000-memory.dmp

Filesize
4KB

Download
memory/2512-77-0x0000000002430000-0x000000000243C000-memory.dmp

Filesize
48KB

Download
memory/2512-78-0x0000000002540000-0x000000000254A000-memory.dmp

Filesize
40KB

Download
memory/2512-79-0x0000000002610000-0x0000000002618000-memory.dmp

Filesize
32KB

Download
memory/2512-86-0x0000000073C7E000-0x0000000073C7F000-memory.dmp

Filesize
4KB

Download
memory/2512-87-0x0000000073C70000-0x000000007435E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads