Analysis

  • max time kernel
    91s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win11-20241007-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    06-02-2025 14:11

General

  • Target

    SQLi Dumper V10.3.zip

  • Size

    3.6MB

  • MD5

    e7841c492d87017888ead72f8e21cc64

  • SHA1

    f00d94831b114767f4522a7884adcfcb4a9d98ac

  • SHA256

    e5e082480d493d9d8f87ba60943f01d220e4f8f41b4af71e8dd0e5bd8169809b

  • SHA512

    50664d532fad265b32733da8e866894b58acf2760492e99f8cb7c638823c976cbc496a325d61e9729af42329c60e8648b30ebd43f292f8b985a78abbf5d0c926

  • SSDEEP

    98304:lZz5UUds8wXw00OaDX1+ulJ+4hG/jMuI9XtkYj0Lo7on4s:lZz548w10OOX1+uZh+j72H007Ps

Malware Config

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Lockbit family
  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\SQLi Dumper V10.3.zip"
    1⤵
      PID:3376
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:5036
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4568
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\SQLi Dumper V10.3\" -spe -an -ai#7zMap13848:114:7zEvent18110
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4952
      • C:\Users\Admin\AppData\Local\Temp\SQLi Dumper V10.3\SqliDumperv10.3.exe
        "C:\Users\Admin\AppData\Local\Temp\SQLi Dumper V10.3\SqliDumperv10.3.exe"
        1⤵
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:460

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-2499603254-3415597248-1508446358-1000\OOOOOOOOOOO

    Filesize: 129B
    MD5: 731408729a82b3705c52cd06b6904508
    SHA1: 2c32e8c2ff3ec3f5a185b5832f8840bcf12dc392
    SHA256: 227d148526743dc34db1f571674a1f02552941b92cfd97d9e36ed8a1cb695563
    SHA512: 60d3ca090eac2522ac3b889cdb94f34b249eb012b2d9e2b8887802629b2c64f6e9cf09634303dd2c6d5de9b43343dd6b33437cab0ed6c6043e88ce55d2b407ef

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f6cb85bc-06a0-4356-9c28-02229776d53f.down_data

    Filesize: 555KB
    MD5: 5683c0028832cae4ef93ca39c8ac5029
    SHA1: 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
    SHA256: 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
    SHA512: aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

  • C:\Users\Admin\AppData\Local\Temp\SQLi Dumper V10.3\SqliDumperv10.3.exe

    Filesize: 146KB
    MD5: 3d49478072bf18339ef810c8ea7546b2
    SHA1: c1047d72d4cdce21af4bb989ad1bee437edb7f80
    SHA256: e3300e30997c5a355f02ca6972711b2ca843d00a393b62c75818a43c27ff128d
    SHA512: f47f6a1c51b92cc34a1dc264bc2b151690f1c314c5f97b08530e9efd6929c860985f9410f411cb31e0f3acd75b8969e4791ca9fb080901f6f4cb70322255a91c

  • F:\$RECYCLE.BIN\S-1-5-21-2499603254-3415597248-1508446358-1000\DDDDDDDDDDD

    Filesize: 129B
    MD5: 0d9e7fa76395d418bc3977980c1ea68a
    SHA1: ff2b3a52b47129ac1103197a2c29d9b2ff66a985
    SHA256: 61b10267f48dbf0bc4d0c119c4b07a0dafe3cc269ac4452266ca52bc7a2f9275
    SHA512: ab27479486754c054a2a60105c09f8a32c4991006fe276eddfc96550c33f796c038012880f80dc4b5deb4f38b7b8778e434516a4c7173cc9f745952c8f54e001