Analysis
max time kernel: 131s
max time network: 142s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07/09/2022, 04:41
Static task: static1
General
Target: 5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe
Size: 375KB
MD5: d940553fa5943895dda51d891e097d3e
SHA1: 68cfa43d293f79be7fba788b1488e22e47e608a4
SHA256: 5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f
SHA512: 477dfdeebe270af99fa01264bb4fed203af8255e24aa1edbe67800a9e5be1eaa375d1505a965bc223cc16db3eeaf2dffda8e798cf330a7fc5a7c366c7f6f8360
SSDEEP: 6144:Iv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:I4VOiF1WD7kE1dTYOi8V5u23zmWFy4
Malware Config
Signatures

Gh0st RAT payload (9 IoCs)
resource  yara_rule
behavioral1/memory/2300-174-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/2300-175-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/2300-177-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/3336-270-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/3964-301-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/3964-302-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/4732-360-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/3964-372-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/4732-374-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
Executes dropped EXE (3 IoCs)
pid  Process
3336  SQLSerasi.exe
3964  SQLSerasi.exe
4732  SQLSerasi.exe

resource  yara_rule
behavioral1/memory/2300-170-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/2300-174-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/2300-175-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/2300-177-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/3336-270-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/3964-301-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/3964-302-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/4732-360-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/3964-372-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/4732-374-0x0000000010000000-0x0000000010362000-memory.dmp  upx
Drops file in System32 directory (5 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  SQLSerasi.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  SQLSerasi.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE  SQLSerasi.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies  SQLSerasi.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5  SQLSerasi.exe

Drops file in Program Files directory (2 IoCs)
description  ioc  Process
File created  C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe
File opened for modification  C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  SQLSerasi.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  SQLSerasi.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  SQLSerasi.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  SQLSerasi.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2  SQLSerasi.exe
Modifies data under HKEY_USERS (8 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  SQLSerasi.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  SQLSerasi.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  SQLSerasi.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  SQLSerasi.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  SQLSerasi.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  SQLSerasi.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  SQLSerasi.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  SQLSerasi.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description  pid  Process
Token: SeDebugPrivilege  2300  5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe
Token: SeDebugPrivilege  3336  SQLSerasi.exe
Token: SeDebugPrivilege  3964  SQLSerasi.exe
Token: SeDebugPrivilege  3964  SQLSerasi.exe
Token: SeDebugPrivilege  4732  SQLSerasi.exe
Token: SeDebugPrivilege  4732  SQLSerasi.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description  pid  Process  procid_target
PID 2300 wrote to memory of 3336  2300  5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe  66
PID 2300 wrote to memory of 3336  2300  5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe  66
PID 2300 wrote to memory of 3336  2300  5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe  66
PID 3964 wrote to memory of 4732  3964  SQLSerasi.exe  68
PID 3964 wrote to memory of 4732  3964  SQLSerasi.exe  68
PID 3964 wrote to memory of 4732  3964  SQLSerasi.exe  68
Processes

C:\Users\Admin\AppData\Local\Temp\5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe
  "C:\Users\Admin\AppData\Local\Temp\5bbbd86660ce5489c53235c1d6fa3b18a42cc1ac4cd5243d2a0b7c0ad39a1a6f.exe"
  PID: 2300
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      PID: 3336
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  PID: 3964
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      PID: 4732
      - Executes dropped EXE
      - Drops file in System32 directory
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 39.4MB
MD5: e8d1c6ee48e26677db102c9d5bf4c7f5
SHA1: 1660b5bc53508f401ec319d4b11b91a2fe9354f2
SHA256: 72c24d4efa2ddd4e65e36bfeeacace4283a8f70ddbee1db28ec573df93fc3b6f
SHA512: 166ae8bb7e2dbe67a6b0fc925668e1064ff1db28d4bd867319fa43410c35096dd7f7c5cdd83041efad4ef91ed6a65b4d7bbc9bd9655ff79c9a91381d0a90fde7