Analysis

  • max time kernel
    143s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 00:24

General

  • Target

    SQLRayCLI.exe

  • Size

    4.6MB

  • MD5

    5513a3dc0c8872659886cf388fdab31e

  • SHA1

    75f3e3192f7e609a28f17411da685d384a8f1b99

  • SHA256

    9cfac085e4756ef55ffaba67307c1df15bfe14ea600065ad094f9c43c8499aa2

  • SHA512

    e2f11372d15f17b5059646f34707bb88ef37fbb26729fc5b82f86bfcc4372d8050f26bdd8cc799ea55c99a326b0b9122841af85581da9dbcd2d00ad925d13be2

  • SSDEEP

    98304:Gx6o7DEgTsuvi9fR106kiPZ5KjLQW9p0pxJ:Gx6YDxTlvqfR1Qzj0cWpr

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (42 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe
    "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
      "C:\Users\Admin\AppData\Local\Temp\sqlray_services.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\system32\conhost.exe
        conhost.exe
        3⤵
          PID:1396
      • \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
        "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"
        2⤵
        • Executes dropped EXE
        PID:2860

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp

            Filesize

            1KB

            MD5

            0989e97671939f5b29ceae47a923b168

            SHA1

            555deb232516cbcd21f52ea4043e3a6ac2dd97f9

            SHA256

            ac6bb5ea2fbce08df97b58a4ff107335c22f54a9f45efe256b28e0bbd0708ca2

            SHA512

            22191f895fcf02437fd6cbdd4030787f7604a0640ef0359db8f42f5a6846de3d9049b05982bc1a7f731af89c74508c6453520199b6ad92204e9a622236299658

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

            Filesize

            7KB

            MD5

            e9185349e265b79cd29bdf6434d12b88

            SHA1

            7099053f518a746249e890e8b4c708a0956ac785

            SHA256

            192d7dd83d04fbec45fc6e3c37d78932c3dc480e3658bdd1a821d6cf6f4ef133

            SHA512

            9a7441ebcc8c5873a3d4c53bafc0eea6e31f64a156189bf3686e7c7e98fae63bbdac651c3fb2c2ac5f8eae8451bf48edc6566b82bd171e81f141ba9d8a896f51

          • \Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp

            Filesize

            1KB

            MD5

            86d23632843c402a3a34828bb99317c9

            SHA1

            ee7082dcee56cb61d0cae037078efb2a4b32eaae

            SHA256

            eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280

            SHA512

            9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223

          • memory/1396-81-0x0000000001C20000-0x0000000001C2E000-memory.dmp

            Filesize

            56KB

          • memory/1396-76-0x0000000000060000-0x0000000000068000-memory.dmp

            Filesize

            32KB

          • memory/2696-51-0x00000000035F0000-0x0000000003C31000-memory.dmp

            Filesize

            6.3MB

          • memory/2696-38-0x00000000035F0000-0x0000000003C31000-memory.dmp

            Filesize

            6.3MB

          • memory/2696-8-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2696-7-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2696-5-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2696-19-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2696-18-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2696-20-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2696-0-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

          • memory/2696-21-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2696-23-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2696-3-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2696-65-0x00000000035F0000-0x0000000003A02000-memory.dmp

            Filesize

            4.1MB

          • memory/2696-1-0x0000000077311000-0x0000000077312000-memory.dmp

            Filesize

            4KB

          • memory/2696-4-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2696-64-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2696-2-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2696-62-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

          • memory/2696-36-0x00000000035F0000-0x0000000003C31000-memory.dmp

            Filesize

            6.3MB

          • memory/2696-6-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2792-26-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2792-22-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2792-27-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/2792-25-0x0000000002790000-0x0000000002798000-memory.dmp

            Filesize

            32KB

          • memory/2792-24-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

            Filesize

            2.9MB

          • memory/2860-82-0x0000000140000000-0x0000000140412000-memory.dmp

            Filesize

            4.1MB

          • memory/2860-58-0x00000000002F0000-0x00000000002F1000-memory.dmp

            Filesize

            4KB

          • memory/2860-70-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

            Filesize

            4KB

          • memory/3040-66-0x0000000140000000-0x0000000140641000-memory.dmp

            Filesize

            6.3MB

          • memory/3040-46-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

            Filesize

            4KB

          • memory/3040-68-0x0000000140000000-0x0000000140641000-memory.dmp

            Filesize

            6.3MB

          • memory/3040-67-0x0000000140000000-0x0000000140641000-memory.dmp

            Filesize

            6.3MB

          • memory/3040-78-0x0000000140000000-0x0000000140641000-memory.dmp

            Filesize

            6.3MB

          • memory/3040-43-0x00000000004F0000-0x00000000004F1000-memory.dmp

            Filesize

            4KB

          • memory/3040-75-0x00000000772C0000-0x0000000077469000-memory.dmp

            Filesize

            1.7MB

          • memory/3040-29-0x0000000000430000-0x00000000004D4000-memory.dmp

            Filesize

            656KB

          • memory/3040-31-0x00000000004E0000-0x00000000004E1000-memory.dmp

            Filesize

            4KB