Analysis Overview
SHA256
53151501e631dda534f95bbcc84469c39ed1dc9781b6137bc7c14d174971de3a
Threat Level: Likely malicious
The file SQLRayCLI.rar was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 00:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 00:24
Reported
2024-11-11 00:26
Platform
win7-20240903-en
Max time kernel
143s
Max time network
128s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2696 set thread context of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe | \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp |
| PID 2696 set thread context of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe | \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe | "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe" -Force |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force |
| \??\c:\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp | "C:\Users\Admin\AppData\Local\Temp\sqlray_services.exe" |
| \??\c:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp | "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe" |
| C:\Windows\system32\conhost.exe | conhost.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | e9185349e265b79cd29bdf6434d12b88 |
| SHA1 | 7099053f518a746249e890e8b4c708a0956ac785 |
| SHA256 | 192d7dd83d04fbec45fc6e3c37d78932c3dc480e3658bdd1a821d6cf6f4ef133 |
| SHA512 | 9a7441ebcc8c5873a3d4c53bafc0eea6e31f64a156189bf3686e7c7e98fae63bbdac651c3fb2c2ac5f8eae8451bf48edc6566b82bd171e81f141ba9d8a896f51 |
\Users\Admin\AppData\Local\Temp\1D6.sqlraycli.tmp
| MD5 | 86d23632843c402a3a34828bb99317c9 |
| SHA1 | ee7082dcee56cb61d0cae037078efb2a4b32eaae |
| SHA256 | eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280 |
| SHA512 | 9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223 |
C:\Users\Admin\AppData\Local\Temp\3AE.sqlraycli.tmp
| MD5 | 0989e97671939f5b29ceae47a923b168 |
| SHA1 | 555deb232516cbcd21f52ea4043e3a6ac2dd97f9 |
| SHA256 | ac6bb5ea2fbce08df97b58a4ff107335c22f54a9f45efe256b28e0bbd0708ca2 |
| SHA512 | 22191f895fcf02437fd6cbdd4030787f7604a0640ef0359db8f42f5a6846de3d9049b05982bc1a7f731af89c74508c6453520199b6ad92204e9a622236299658 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 00:24
Reported
2024-11-11 00:27
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
158s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1204 set thread context of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe | \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp |
| PID 1204 set thread context of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
| N/A | N/A | \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe | "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe" -Force |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force |
| \??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp | "C:\Users\Admin\AppData\Local\Temp\sqlray_services.exe" |
| \??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp | "C:\Users\Admin\AppData\Local\Temp\SQLRayCLI.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k52izb4f.uky.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Temp\665.sqlraycli.tmp
| MD5 | 8fd1d495b09695f4fb95638213559464 |
| SHA1 | 8525bec9fcc14bfb53145f339b5498c7d5948563 |
| SHA256 | 21e178a283f66f767540ca84c2f2fe46bfe18add60a41f49a65ac4bdaae1f7a2 |
| SHA512 | 80239f149715fccd6e0d615ace999b483315ec9451664352aea5953a321435964757721e5694e4dfbb3b8aab001621112332617b99eb95994d616160838a82a4 |
\??\c:\Users\Admin\AppData\Local\Temp\51F.sqlraycli.tmp
| MD5 | 86d23632843c402a3a34828bb99317c9 |
| SHA1 | ee7082dcee56cb61d0cae037078efb2a4b32eaae |
| SHA256 | eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280 |
| SHA512 | 9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223 |
\??\c:\Users\Admin\AppData\Local\Temp\B3D.sqlraycli.tmp
| MD5 | 0989e97671939f5b29ceae47a923b168 |
| SHA1 | 555deb232516cbcd21f52ea4043e3a6ac2dd97f9 |
| SHA256 | ac6bb5ea2fbce08df97b58a4ff107335c22f54a9f45efe256b28e0bbd0708ca2 |
| SHA512 | 22191f895fcf02437fd6cbdd4030787f7604a0640ef0359db8f42f5a6846de3d9049b05982bc1a7f731af89c74508c6453520199b6ad92204e9a622236299658 |
C:\Users\Admin\AppData\Local\Temp\config.yml
| MD5 | b2f54e952a76f7a26a817e55ed74cbb8 |
| SHA1 | cfd0aaa620eb21e8b0e6983d1c9da71eea041131 |
| SHA256 | a35030e632ea165c675260d8b86dfaf24a460ebc514f39988b1cc073bc4f6878 |
| SHA512 | af1663e1092ef8158b07b6528f3d731a48d378434cc32c1aea8c74bd8e782aaa412abec63a462e224a40d8cc29d0db6b663c56c49c5544e8bcfbea74b3a4d535 |