File name:

sqlite3.dll

Full analysis: https://app.any.run/tasks/e4c54c9d-12fd-477f-8cbb-a20f8fb98912
Verdict: Malicious activity
Analysis date: November 28, 2023, 08:27:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5:

2BA363CB9C8ECA112DAA44CFB567E91E

SHA1:

37AF542FE44A189FB7EFB1702D567E516ABDFFFB

SHA256:

8BE3304FEC9D41D44012213DDBB28980D2570EDEEF3523B909AF2F97768A8D85

SSDEEP:

24576:ytXHPNHm9np5saIFYNDhDuLBEXiDcU/c4VTPXcjhYeUvubmbzjLY63:IXHPNHm9np5saIFYNDhDuLBEXiDcU/cC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • cmd.exe (PID: 1668)
  • SUSPICIOUS

    • Powershell version downgrade attack

      • powershell.exe (PID: 2168)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 2168)
    • Process drops SQLite DLL files

      • cmd.exe (PID: 1668)
  • INFO

    • Manual execution by a user

      • powershell.exe (PID: 2168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.3)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

SourceId: 2015-07-29 20:00:57 cf538e2783e468bbc25e7cb2a9ee64d3e0e80b2f
ProductVersion: 3.8.11.1
ProductName: SQLite
LegalCopyright: http://www.sqlite.org/copyright.html
InternalName: sqlite3
FileVersion: 3.8.11.1
FileDescription: SQLite is a software library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine.
CompanyName: SQLite Development Team
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 3.8.11.1
FileVersionNumber: 3.8.11.1
Subsystem: Windows command line
SubsystemVersion: 4
ImageVersion: 1
OSVersion: 4
EntryPoint: 0x1058
UninitializedDataSize: 1536
InitializedDataSize: 549376
CodeSize: 473088
LinkerVersion: 2.21
PEType: PE32
ImageFileCharacteristics: Executable, No line numbers, 32-bit, DLL
TimeStamp: 2015:07:29 22:08:18+02:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs powershell.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2876"C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\sqlite3.dll,sqlite3_aggregate_contextC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2168"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1668"C:\Windows\system32\cmd.exe"C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
768
Read events
715
Write events
53
Delete events
0

Modification events

(PID) Process:(2168) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
1
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2168powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1c1a17.TMPbinary
MD5:16F6D260068B85896C0EBB2E1B2A60D1
SHA256:6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984
2168powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:3C9EA70BE0EB9C07AB7B929F19966EB2
SHA256:9AD86CBABCCCD9B21DD789AA354DF25F0ECE29BAF284F5C81DE6A19A634E756F
1668cmd.exeC:\Users\admin\AppData\Local\Temp\sqlite3.dllexecutable
MD5:2BA363CB9C8ECA112DAA44CFB567E91E
SHA256:8BE3304FEC9D41D44012213DDBB28980D2570EDEEF3523B909AF2F97768A8D85
2168powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B11MPXG3CTDA0LD87IVU.tempbinary
MD5:3C9EA70BE0EB9C07AB7B929F19966EB2
SHA256:9AD86CBABCCCD9B21DD789AA354DF25F0ECE29BAF284F5C81DE6A19A634E756F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
unknown
2588
svchost.exe
239.255.255.250:1900
unknown

DNS requests

No data

Threats

No threats detected
No debug info