Analysis
max time kernel: 134s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2022, 01:05
Static task
static1
General
Target: 440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe
Size: 375KB
MD5: 0279663d477cb9ab929b4bcce5939684
SHA1: 40d0f0c4b28147e33802bf5ddd8fa63c1601235d
SHA256: 440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24
SHA512: 8bfb514867553b4c4296974853912f35dac63128c78b92e0e6c56f76991c99384150059d557154abfcd48677541223df8f8e5ef9706460d070746756ade4fddd
SSDEEP: 6144:nv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:n4VOiF1WD7kE1dTYOi8V5u23zmWFy4
Malware Config
Signatures
Gh0st RAT payload 9 IoCs
resource | yara_rule
behavioral1/memory/968-136-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/968-137-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/968-138-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/4440-149-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/3540-154-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/3540-155-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/3540-157-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/1912-175-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/1912-176-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
Executes dropped EXE 4 IoCs
pid | Process
4440 | SQLSerasi.exe
3540 | SQLSerasi.exe
1912 | SQLSerasi.exe
2840 | SQLSerasi.exe
resource | yara_rule
behavioral1/memory/968-133-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/968-136-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/968-137-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/968-138-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/4440-149-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/3540-151-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/3540-154-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/3540-155-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/3540-157-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/1912-175-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/1912-176-0x0000000010000000-0x0000000010362000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | SQLSerasi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | SQLSerasi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | SQLSerasi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | SQLSerasi.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | 440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | 440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4548 | 3540 | WerFault.exe | 87
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SQLSerasi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | SQLSerasi.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | SQLSerasi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | SQLSerasi.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | SQLSerasi.exe
Modifies data under HKEY_USERS 8 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | SQLSerasi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | SQLSerasi.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | SQLSerasi.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | SQLSerasi.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | SQLSerasi.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | SQLSerasi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | SQLSerasi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | SQLSerasi.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeDebugPrivilege | 968 | 440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe
Token: SeDebugPrivilege | 4440 | SQLSerasi.exe
Token: SeDebugPrivilege | 3540 | SQLSerasi.exe
Token: SeDebugPrivilege | 3540 | SQLSerasi.exe
Token: SeDebugPrivilege | 3540 | SQLSerasi.exe
Token: SeDebugPrivilege | 1912 | SQLSerasi.exe
Token: SeDebugPrivilege | 1912 | SQLSerasi.exe
Token: SeDebugPrivilege | 2840 | SQLSerasi.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 968 wrote to memory of 4440 | 968 | 440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe | 84
PID 968 wrote to memory of 4440 | 968 | 440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe | 84
PID 968 wrote to memory of 4440 | 968 | 440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe | 84
PID 3540 wrote to memory of 1912 | 3540 | SQLSerasi.exe | 89
PID 3540 wrote to memory of 1912 | 3540 | SQLSerasi.exe | 89
PID 3540 wrote to memory of 1912 | 3540 | SQLSerasi.exe | 89
PID 3540 wrote to memory of 2840 | 3540 | SQLSerasi.exe | 91
PID 3540 wrote to memory of 2840 | 3540 | SQLSerasi.exe | 91
PID 3540 wrote to memory of 2840 | 3540 | SQLSerasi.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\440d0e072afc1ad0076581badee3a402d67ad73d03bcd8965dc54e047a401a24.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:968
    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:4440
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3540
    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
      PID:1912
    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2840
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 648
      - Program crash
      PID:4548
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3540 -ip 3540
  PID:1408
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 39.4MB
MD5: 18679c5fa88b0f76fc882bb1e97807e2
SHA1: c5b76db8170cb0e340d038ebcf5fd09d872ec395
SHA256: d2cb511148b911498b4a4b38321efcda2deb232c26eb8f26b113109b1ee17658
SHA512: a7a7e39106a6f1209c6c9f9ddf6530cb3a22aa1b05380f22c72a03b2c27d8cc4a0e165a78ae1e8c77b3c6729b29e30619a527567ac0129de86c3500a7b1fdf00