Overview

overview

7

Static

static

3

ChilkatDotNet46.dll

windows10-1703-x64

1

SQLiDumper.exe

windows10-1703-x64

7

SkinSoft.V...er.dll

windows10-1703-x64

1

Analysis

  • max time kernel
    596s
  • max time network
    1603s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-08-2024 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SQLiDumper.exe

  • Size

    3.0MB

  • MD5

    51d248a502a9cad01f3185bac732b44c

  • SHA1

    64767eff622a8702e8e0667aa5dacbe5d7e5e636

  • SHA256

    1dbe61f396d7158dde8547413be29925ed8b835c53377572a790139b32a0dad4

  • SHA512

    2be44bb32bedaf99c94dda1fef05f6171fe941694e933fe9a6a8783e26cbac624abf6824e3078e794212decebc99f67b934ede5527025f0f43673bc47bcd0ba4

  • SSDEEP

    49152:ERPWp+EohWYomvrvevULQVXltdtE/UlDsTW:ERPo5ohWYvrveveQtTTeU

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 39 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SQLiDumper.exe
    "C:\Users\Admin\AppData\Local\Temp\SQLiDumper.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\SQLiDumper.exe
      "C:\Users\Admin\AppData\Local\Temp\SQLiDumper.exe" "http://www.embryohotel.com/room-detail.php?id=999999.9 union all select 1,2,[t],4,5,6,7,8,9,10,11,12,13" "MySQL Union"
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:3080
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4212

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.4.0.0\x64\ssapihook.dll
    Filesize

    67KB

    MD5

    8b003c3f98f8d08968ac5d3c1cc90a60

    SHA1

    68f8d418638a81839a2ad665909916cda8efe625

    SHA256

    d52a9c53f510237a194211aa3dc7d0f22f80fcc0593d9d77e0827ba6681b47e9

    SHA512

    429e97c74b8e45a43d09618972f04ba46a8075867a631543eb7b7cbbb55a719cbe2e0412f3b63b989741e3807d733b2a6f3ecb735278adc5e734e18e297c4015

    Download Submit

  • memory/1992-22-0x00007FFB6BFD0000-0x00007FFB6BFD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-47-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-3-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-23-0x00007FFB6C000000-0x00007FFB6C001000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-5-0x000001F2D3E50000-0x000001F2D3F52000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1992-7-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-0-0x00007FFBE0F83000-0x00007FFBE0F84000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-12-0x00007FFB6BF90000-0x00007FFB6BF91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-13-0x00007FFB6BFA0000-0x00007FFB6BFA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-14-0x00007FFB6B5D0000-0x00007FFB6B5D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-15-0x00007FFB6BFB0000-0x00007FFB6BFB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-16-0x00007FFB6BFC0000-0x00007FFB6BFC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-17-0x00007FFB6C010000-0x00007FFB6C011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-18-0x00007FFB6BF70000-0x00007FFB6BF71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-19-0x00007FFB6BF80000-0x00007FFB6BF81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-20-0x00007FFB6BFE0000-0x00007FFB6BFE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-21-0x00007FFB6BFF0000-0x00007FFB6BFF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-1-0x000001F2B5F20000-0x000001F2B621C000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1992-6-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-2-0x000001F2D06B0000-0x000001F2D0F05000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/1992-26-0x00007FFB69660000-0x00007FFB69661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-25-0x00007FFB69630000-0x00007FFB69631000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-27-0x00007FFB69640000-0x00007FFB69641000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-28-0x00007FFB69670000-0x00007FFB69671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-29-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-30-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-31-0x000001F2D5190000-0x000001F2D56B6000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1992-32-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-33-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-34-0x00007FFBE0F83000-0x00007FFBE0F84000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-35-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-36-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-37-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-45-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-46-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1992-24-0x00007FFB6C020000-0x00007FFB6C021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-76-0x000001FADB070000-0x000001FADB816000-memory.dmp

    Filesize

    7.6MB

    Download