Analysis

- max time kernel: 1740s
- max time network: 1798s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-08-2022 02:33
Tasks (the sample for every behavioral task is e7184319f8bcc00d6e9f17542b917c537d6e21e0f068c367d360c44afd7f817e.exe):

- Static task static1
- Behavioral task behavioral1, resource win7-20220715-en
- Behavioral task behavioral2, resource win10-20220718-en
- Behavioral task behavioral3, resource win10v2004-20220721-en
- Behavioral task behavioral4, resource win11-20220223-en
- Behavioral task behavioral5, resource android-x64-20220621-en
- Behavioral task behavioral6, resource android-x64-arm64-20220621-en
- Behavioral task behavioral7, resource android-x86-arm-20220621-en
- Behavioral task behavioral8, resource macos-20220504-en
- Behavioral task behavioral9, resource debian9-armhf-en-20211208
- Behavioral task behavioral10, resource debian9-mipsbe-en-20211208
- Behavioral task behavioral11, resource debian9-mipsel-en-20211208
- Behavioral task behavioral12, resource ubuntu1804-amd64-en-20211208
General

- Target: e7184319f8bcc00d6e9f17542b917c537d6e21e0f068c367d360c44afd7f817e.exe
- Size: 375KB
- MD5: 94e5d015983b0f92d45fe3e42b285607
- SHA1: 5ae548731a6310c2b7d7243b699d12109d4bb5ca
- SHA256: e7184319f8bcc00d6e9f17542b917c537d6e21e0f068c367d360c44afd7f817e
- SHA512: cff6d560a86df3aa565c46e2ff6937d3039c8f82af7689d2db9b0c31e254ef523aed4c437ed06900c0381d68b2fd9eb9cda7e5e4696c2b6b5f40702449fcb800
Malware Config
Signatures
Gh0st RAT payload 11 IoCs
Processes:

| resource | yara_rule |
| --- | --- |
| behavioral3/memory/2988-134-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat |
| behavioral3/memory/2988-135-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat |
| behavioral3/memory/2988-136-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat |
| behavioral3/memory/1876-151-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat |
| behavioral3/memory/1876-152-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat |
| behavioral3/memory/3180-153-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat |
| behavioral3/memory/1876-155-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat |
| behavioral3/memory/4804-173-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat |
| behavioral3/memory/4804-175-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat |
| behavioral3/memory/1876-177-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat |
| behavioral3/memory/4804-178-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat |
Executes dropped EXE 4 IoCs
Processes:

| pid | process |
| --- | --- |
| 3180 | SQLSerasi.exe |
| 1876 | SQLSerasi.exe |
| 4804 | SQLSerasi.exe |
| 5084 | SQLSerasi.exe |
yara_rule upx matches 13 IoCs (signature heading not present in the extracted page)
Processes:

| resource | yara_rule |
| --- | --- |
| behavioral3/memory/2988-131-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
| behavioral3/memory/2988-134-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
| behavioral3/memory/2988-135-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
| behavioral3/memory/2988-136-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
| behavioral3/memory/1876-148-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
| behavioral3/memory/1876-151-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
| behavioral3/memory/1876-152-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
| behavioral3/memory/3180-153-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
| behavioral3/memory/1876-155-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
| behavioral3/memory/4804-173-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
| behavioral3/memory/4804-175-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
| behavioral3/memory/1876-177-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
| behavioral3/memory/4804-178-0x0000000010000000-0x0000000010362000-memory.dmp | upx |
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | e7184319f8bcc00d6e9f17542b917c537d6e21e0f068c367d360c44afd7f817e.exe |
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:

All 23 IoCs are "File opened (read-only)" by SQLSerasi.exe, in the order recorded:
\??\B:, \??\H:, \??\K:, \??\Q:, \??\R:, \??\V:, \??\Y:, \??\E:, \??\I:, \??\L:, \??\N:, \??\P:, \??\X:, \??\G:, \??\O:, \??\T:, \??\U:, \??\W:, \??\Z:, \??\F:, \??\J:, \??\M:, \??\S:
Drops file in System32 directory 4 IoCs
Processes:

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | SQLSerasi.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | SQLSerasi.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | SQLSerasi.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | SQLSerasi.exe |
Drops file in Program Files directory 2 IoCs
Processes:

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | e7184319f8bcc00d6e9f17542b917c537d6e21e0f068c367d360c44afd7f817e.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | e7184319f8bcc00d6e9f17542b917c537d6e21e0f068c367d360c44afd7f817e.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
Processes:

| pid | pid_target | process | target process |
| --- | --- | --- | --- |
| 5048 | 1876 | WerFault.exe | SQLSerasi.exe |
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SQLSerasi.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | SQLSerasi.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | SQLSerasi.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | SQLSerasi.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | SQLSerasi.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | SQLSerasi.exe |
Modifies data under HKEY_USERS 13 IoCs
Processes:

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | SQLSerasi.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | SQLSerasi.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software | SQLSerasi.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SQLSerasi.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | SQLSerasi.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | SQLSerasi.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | SQLSerasi.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | SQLSerasi.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | SQLSerasi.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | SQLSerasi.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SQLSerasi.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | SQLSerasi.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | SQLSerasi.exe |
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:

| pid | process |
| --- | --- |
| 4804 | SQLSerasi.exe (all 28 entries are this same pid/process pair) |
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2988 | e7184319f8bcc00d6e9f17542b917c537d6e21e0f068c367d360c44afd7f817e.exe |
| Token: SeDebugPrivilege | 3180 | SQLSerasi.exe |
| Token: SeDebugPrivilege | 1876 | SQLSerasi.exe |
| Token: SeDebugPrivilege | 1876 | SQLSerasi.exe |
| Token: SeDebugPrivilege | 1876 | SQLSerasi.exe |
| Token: SeDebugPrivilege | 4804 | SQLSerasi.exe |
| Token: SeDebugPrivilege | 5084 | SQLSerasi.exe |
| Token: SeDebugPrivilege | 4804 | SQLSerasi.exe |
Suspicious use of WriteProcessMemory 9 IoCs
Processes:

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2988 wrote to memory of 3180 | 2988 | e7184319f8bcc00d6e9f17542b917c537d6e21e0f068c367d360c44afd7f817e.exe | SQLSerasi.exe |
| PID 2988 wrote to memory of 3180 | 2988 | e7184319f8bcc00d6e9f17542b917c537d6e21e0f068c367d360c44afd7f817e.exe | SQLSerasi.exe |
| PID 2988 wrote to memory of 3180 | 2988 | e7184319f8bcc00d6e9f17542b917c537d6e21e0f068c367d360c44afd7f817e.exe | SQLSerasi.exe |
| PID 1876 wrote to memory of 4804 | 1876 | SQLSerasi.exe | SQLSerasi.exe |
| PID 1876 wrote to memory of 4804 | 1876 | SQLSerasi.exe | SQLSerasi.exe |
| PID 1876 wrote to memory of 4804 | 1876 | SQLSerasi.exe | SQLSerasi.exe |
| PID 1876 wrote to memory of 5084 | 1876 | SQLSerasi.exe | SQLSerasi.exe |
| PID 1876 wrote to memory of 5084 | 1876 | SQLSerasi.exe | SQLSerasi.exe |
| PID 1876 wrote to memory of 5084 | 1876 | SQLSerasi.exe | SQLSerasi.exe |
Processes (tree depth as recorded by the sandbox; each entry gives the image path, then its command line)

- Level 1: C:\Users\Admin\AppData\Local\Temp\e7184319f8bcc00d6e9f17542b917c537d6e21e0f068c367d360c44afd7f817e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7184319f8bcc00d6e9f17542b917c537d6e21e0f068c367d360c44afd7f817e.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- Level 1: C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 668
    - Program crash
- Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1876 -ip 1876
Network
Downloads

- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  - Filesize: 39.4MB
  - MD5: c76a08483da34968a980f61c4ed213b2
  - SHA1: 31c6a8bb95c024b52f3c8d62a61450741275d947
  - SHA256: a3826acb079a1ba1b1117d8d0036f2d91b630ef2a7aabd39149510b700901b20
  - SHA512: cb017094bd75a1ae72a40f3b84dc9fc2da093243d79d2c3b0a2975dc128a81d5a34b931b35c6699b415974e46be9c3e2b5f05f35d1c0c16fc333dde7e76366fe
Memory dumps:

| dump | Filesize |
| --- | --- |
| memory/1876-151-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/1876-177-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/1876-148-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/1876-152-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/1876-154-0x0000000000400000-0x0000000000469000-memory.dmp | 420KB |
| memory/1876-155-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/2988-140-0x0000000000400000-0x0000000000469000-memory.dmp | 420KB |
| memory/2988-136-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/2988-135-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/2988-134-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/2988-131-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/2988-130-0x0000000000400000-0x0000000000469000-memory.dmp | 420KB |
| memory/3180-153-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/3180-156-0x0000000000400000-0x0000000000469000-memory.dmp | 420KB |
| memory/3180-143-0x0000000000400000-0x0000000000469000-memory.dmp | 420KB |
| memory/3180-137-0x0000000000000000-mapping.dmp | (not listed) |
| memory/4804-157-0x0000000000000000-mapping.dmp | (not listed) |
| memory/4804-168-0x0000000000400000-0x0000000000469000-memory.dmp | 420KB |
| memory/4804-173-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/4804-175-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/4804-176-0x0000000073E30000-0x0000000073E69000-memory.dmp | 228KB |
| memory/4804-178-0x0000000010000000-0x0000000010362000-memory.dmp | 3.4MB |
| memory/5084-159-0x0000000000000000-mapping.dmp | (not listed) |
| memory/5084-171-0x0000000000400000-0x0000000000469000-memory.dmp | 420KB |
| memory/5084-174-0x0000000000400000-0x0000000000469000-memory.dmp | 420KB |