Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
12-08-2022 17:01
General
-
Target
c282162fbee56bf05d9c8953c453f874e9dbb4a73da28dbe8a489fe74d7523cd.exe
-
Size
375KB
-
MD5
f87e4ab1949e0cca97963fa33e4768b3
-
SHA1
53f9ea6ef090d6d980b2360e1ce365cb7ba0aa7e
-
SHA256
c282162fbee56bf05d9c8953c453f874e9dbb4a73da28dbe8a489fe74d7523cd
-
SHA512
62e22146ea28df86c90559c79d27f05fa3f5ab6fd64f70977eaa8817fcf054c62e9b298561d12991c16d0cb515bd81309b21656777109f270959fcee72101e84
Malware Config
Signatures
-
Gh0st RAT payload 8 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Executes dropped EXE 4 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c282162fbee56bf05d9c8953c453f874e9dbb4a73da28dbe8a489fe74d7523cd.exe"C:\Users\Admin\AppData\Local\Temp\c282162fbee56bf05d9c8953c453f874e9dbb4a73da28dbe8a489fe74d7523cd.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 6442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 64 -ip 641⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exeFilesize
39.4MB
MD5a4e93efa766a1075723c41075244fb83
SHA188f86833690692d521ca94109d2372d89d763f97
SHA256fc63196bc856914d5bf11a5663d1a6a7c7b03598fe24092abf7a540d3e272d5c
SHA512aba43f0eee659d87df47144ba5b5c8d4b96a0251d62e4eb32e8b8cd11be26a7e269bcab86569e551d67b49e664d3f43faaa68aeda52ce0098f2c44f2468730c1
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exeFilesize
39.4MB
MD5a4e93efa766a1075723c41075244fb83
SHA188f86833690692d521ca94109d2372d89d763f97
SHA256fc63196bc856914d5bf11a5663d1a6a7c7b03598fe24092abf7a540d3e272d5c
SHA512aba43f0eee659d87df47144ba5b5c8d4b96a0251d62e4eb32e8b8cd11be26a7e269bcab86569e551d67b49e664d3f43faaa68aeda52ce0098f2c44f2468730c1
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exeFilesize
39.4MB
MD5a4e93efa766a1075723c41075244fb83
SHA188f86833690692d521ca94109d2372d89d763f97
SHA256fc63196bc856914d5bf11a5663d1a6a7c7b03598fe24092abf7a540d3e272d5c
SHA512aba43f0eee659d87df47144ba5b5c8d4b96a0251d62e4eb32e8b8cd11be26a7e269bcab86569e551d67b49e664d3f43faaa68aeda52ce0098f2c44f2468730c1
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exeFilesize
39.4MB
MD5a4e93efa766a1075723c41075244fb83
SHA188f86833690692d521ca94109d2372d89d763f97
SHA256fc63196bc856914d5bf11a5663d1a6a7c7b03598fe24092abf7a540d3e272d5c
SHA512aba43f0eee659d87df47144ba5b5c8d4b96a0251d62e4eb32e8b8cd11be26a7e269bcab86569e551d67b49e664d3f43faaa68aeda52ce0098f2c44f2468730c1
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exeFilesize
39.4MB
MD5a4e93efa766a1075723c41075244fb83
SHA188f86833690692d521ca94109d2372d89d763f97
SHA256fc63196bc856914d5bf11a5663d1a6a7c7b03598fe24092abf7a540d3e272d5c
SHA512aba43f0eee659d87df47144ba5b5c8d4b96a0251d62e4eb32e8b8cd11be26a7e269bcab86569e551d67b49e664d3f43faaa68aeda52ce0098f2c44f2468730c1
-
memory/64-149-0x0000000010000000-0x0000000010362000-memory.dmpFilesize
3.4MB
-
memory/64-156-0x0000000010000000-0x0000000010362000-memory.dmpFilesize
3.4MB
-
memory/64-152-0x0000000010000000-0x0000000010362000-memory.dmpFilesize
3.4MB
-
memory/64-153-0x0000000010000000-0x0000000010362000-memory.dmpFilesize
3.4MB
-
memory/64-154-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/612-131-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/612-140-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/612-136-0x0000000010000000-0x0000000010362000-memory.dmpFilesize
3.4MB
-
memory/612-135-0x0000000010000000-0x0000000010362000-memory.dmpFilesize
3.4MB
-
memory/612-134-0x0000000010000000-0x0000000010362000-memory.dmpFilesize
3.4MB
-
memory/612-130-0x0000000010000000-0x0000000010362000-memory.dmpFilesize
3.4MB
-
memory/992-137-0x0000000000000000-mapping.dmp
-
memory/992-155-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/992-148-0x0000000010000000-0x0000000010362000-memory.dmpFilesize
3.4MB
-
memory/992-146-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/4580-160-0x0000000000000000-mapping.dmp
-
memory/4580-172-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/4584-157-0x0000000000000000-mapping.dmp
-
memory/4584-171-0x0000000000400000-0x0000000000469000-memory.dmpFilesize
420KB
-
memory/4584-173-0x0000000010000000-0x0000000010362000-memory.dmpFilesize
3.4MB