Analysis

max time kernel: 143s
max time network: 128s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 11/11/2024, 00:24

Static task: static1

Behavioral task: behavioral1
Sample: SQLRayCLI.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: SQLRayCLI.exe
Resource: win10v2004-20241007-en
General

Target: SQLRayCLI.exe
Size: 4.6MB
MD5: 5513a3dc0c8872659886cf388fdab31e
SHA1: 75f3e3192f7e609a28f17411da685d384a8f1b99
SHA256: 9cfac085e4756ef55ffaba67307c1df15bfe14ea600065ad094f9c43c8499aa2
SHA512: e2f11372d15f17b5059646f34707bb88ef37fbb26729fc5b82f86bfcc4372d8050f26bdd8cc799ea55c99a326b0b9122841af85581da9dbcd2d00ad925d13be2
SSDEEP: 98304:Gx6o7DEgTsuvi9fR106kiPZ5KjLQW9p0pxJ:Gx6YDxTlvqfR1Qzj0cWpr
Malware Config

Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
2792  powershell.exe
2768  powershell.exe

Executes dropped EXE (2 IoCs)
pid   Process
3040  1D6.sqlraycli.tmp
2860  3AE.sqlraycli.tmp

Loads dropped DLL (3 IoCs)
pid   Process
2696  SQLRayCLI.exe
2696  SQLRayCLI.exe
2908  Process not Found

Suspicious use of SetThreadContext (2 IoCs)
description                              pid   Process        procid_target
PID 2696 set thread context of 3040      2696  SQLRayCLI.exe  34
PID 2696 set thread context of 2860      2696  SQLRayCLI.exe  35

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid   Process
2792  powershell.exe
2768  powershell.exe
3040  1D6.sqlraycli.tmp
3040  1D6.sqlraycli.tmp
3040  1D6.sqlraycli.tmp
3040  1D6.sqlraycli.tmp
3040  1D6.sqlraycli.tmp

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2792  powershell.exe
Token: SeDebugPrivilege   2768  powershell.exe

Suspicious use of WriteProcessMemory (42 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2696

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    command line: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe" -Force
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2792

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2768

  \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\sqlray_services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3040

    C:\Windows\system32\conhost.exe (depth 3)
      command line: conhost.exe
      PID: 1396

  \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe"
    - Executes dropped EXE
    PID: 2860
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 0989e97671939f5b29ceae47a923b168
SHA1: 555deb232516cbcd21f52ea4043e3a6ac2dd97f9
SHA256: ac6bb5ea2fbce08df97b58a4ff107335c22f54a9f45efe256b28e0bbd0708ca2
SHA512: 22191f895fcf02437fd6cbdd4030787f7604a0640ef0359db8f42f5a6846de3d9049b05982bc1a7f731af89c74508c6453520199b6ad92204e9a622236299658

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: e9185349e265b79cd29bdf6434d12b88
SHA1: 7099053f518a746249e890e8b4c708a0956ac785
SHA256: 192d7dd83d04fbec45fc6e3c37d78932c3dc480e3658bdd1a821d6cf6f4ef133
SHA512: 9a7441ebcc8c5873a3d4c53bafc0eea6e31f64a156189bf3686e7c7e98fae63bbdac651c3fb2c2ac5f8eae8451bf48edc6566b82bd171e81f141ba9d8a896f51

Filesize: 1KB
MD5: 86d23632843c402a3a34828bb99317c9
SHA1: ee7082dcee56cb61d0cae037078efb2a4b32eaae
SHA256: eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280
SHA512: 9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223