Analysis
max time kernel: 154s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2022, 12:43
Static task
static1
General
Target: 1f914f75bf05660835d99af49efcb2ef3783493f485eb4570f57edb8d8a56207.exe
Size: 375KB
MD5: fa68c58e2bc7dbf216f3a958627d2d35
SHA1: a4a014fec00ecea1a04e254470e6a5706e283e61
SHA256: 1f914f75bf05660835d99af49efcb2ef3783493f485eb4570f57edb8d8a56207
SHA512: 799dc3b685b960cb9e232e793132a8c8bf6ccc4e133203f2adcbe0430e269d52a9c96d687fcab0a8ef413a04e43624a162db130286176ec0a65465c8134d7942
SSDEEP: 6144:tv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:t4VOiF1WD7kE1dTYOi8V5u23zmWFy4
Malware Config
Signatures

Gh0st RAT payload (9 IoCs)
resource | yara_rule
behavioral1/memory/3560-136-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/3560-137-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/3560-138-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/900-154-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/900-155-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/5100-156-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/900-158-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/900-160-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/3120-179-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat

Executes dropped EXE (4 IoCs)
pid | Process
5100 | SQLSerasi.exe
900 | SQLSerasi.exe
3120 | SQLSerasi.exe
4980 | SQLSerasi.exe

resource | yara_rule
behavioral1/memory/3560-133-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/3560-136-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/3560-137-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/3560-138-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/900-151-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/900-154-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/900-155-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/5100-156-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/900-158-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/900-160-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/3120-179-0x0000000010000000-0x0000000010362000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 1f914f75bf05660835d99af49efcb2ef3783493f485eb4570f57edb8d8a56207.exe

Drops file in System32 directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6FD4B8A4-E028-456B-825D-B9A1D842EF14}.catalogItem | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | SQLSerasi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | SQLSerasi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | SQLSerasi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | SQLSerasi.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E54F2523-F3AD-4B97-9927-E15647BC22FF}.catalogItem | svchost.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | 1f914f75bf05660835d99af49efcb2ef3783493f485eb4570f57edb8d8a56207.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | 1f914f75bf05660835d99af49efcb2ef3783493f485eb4570f57edb8d8a56207.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4888 | 900 | WerFault.exe | 79
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SQLSerasi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | SQLSerasi.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | SQLSerasi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | SQLSerasi.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | SQLSerasi.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe

Modifies data under HKEY_USERS (8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | SQLSerasi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | SQLSerasi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | SQLSerasi.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | SQLSerasi.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | SQLSerasi.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | SQLSerasi.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | SQLSerasi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | SQLSerasi.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3560 | 1f914f75bf05660835d99af49efcb2ef3783493f485eb4570f57edb8d8a56207.exe
Token: SeDebugPrivilege | 5100 | SQLSerasi.exe
Token: SeDebugPrivilege | 900 | SQLSerasi.exe
Token: SeDebugPrivilege | 900 | SQLSerasi.exe
Token: SeDebugPrivilege | 900 | SQLSerasi.exe
Token: SeDebugPrivilege | 4980 | SQLSerasi.exe
Token: SeDebugPrivilege | 3120 | SQLSerasi.exe
Token: SeDebugPrivilege | 3120 | SQLSerasi.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3560 wrote to memory of 5100 | 3560 | 1f914f75bf05660835d99af49efcb2ef3783493f485eb4570f57edb8d8a56207.exe | 78
PID 3560 wrote to memory of 5100 | 3560 | 1f914f75bf05660835d99af49efcb2ef3783493f485eb4570f57edb8d8a56207.exe | 78
PID 3560 wrote to memory of 5100 | 3560 | 1f914f75bf05660835d99af49efcb2ef3783493f485eb4570f57edb8d8a56207.exe | 78
PID 900 wrote to memory of 3120 | 900 | SQLSerasi.exe | 80
PID 900 wrote to memory of 3120 | 900 | SQLSerasi.exe | 80
PID 900 wrote to memory of 3120 | 900 | SQLSerasi.exe | 80
PID 900 wrote to memory of 4980 | 900 | SQLSerasi.exe | 81
PID 900 wrote to memory of 4980 | 900 | SQLSerasi.exe | 81
PID 900 wrote to memory of 4980 | 900 | SQLSerasi.exe | 81
Processes

- C:\Users\Admin\AppData\Local\Temp\1f914f75bf05660835d99af49efcb2ef3783493f485eb4570f57edb8d8a56207.exe (PID:3560)
  command line: "C:\Users\Admin\AppData\Local\Temp\1f914f75bf05660835d99af49efcb2ef3783493f485eb4570f57edb8d8a56207.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (PID:5100)
    command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (PID:900)
  command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (PID:3120)
    command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  - C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (PID:4980)
    command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID:4888)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 628
    - Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID:3220)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 900 -ip 900

- C:\Windows\System32\svchost.exe (PID:32)
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 39.4MB
MD5: 7ede4c43ade35c76e5bd040b2384172f
SHA1: c05c153b3ebfa981784f5cc6e032a2780b5a4c33
SHA256: b10b16fa169bc32184ace89c71fe8c43a0a85929b340a773e933305abb9b17bc
SHA512: e533b2b75eb73b65a5734a51017b0449c3cb0e95e7b7f0ac932f35b4874a32fd17756074fc4cdbb1a1b2fe25cf671fde8bca5b40261b9540fa3df4201ee51493