Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03/10/2022, 03:25
Static task
static1

General
Target: 3d840979257b235dfdeb8960ceda886d4769ccf070f79ff7a4fb052fe3698687.exe
Size: 375KB
MD5: 66080f60e12b2b932c34818c43584cb3
SHA1: 05fa1f8edf995a4804ad4ccdc38aacc2ea8dc605
SHA256: 3d840979257b235dfdeb8960ceda886d4769ccf070f79ff7a4fb052fe3698687
SHA512: 7e09c52cbc3769c647b49216f6f448f31774970b78925c8d8b965ab2d7085529e721975822f6862b3e696b4c473c6eb6522b4951611eb6725535a8bc651585ac
SSDEEP: 6144:Zv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:Z4VOiF1WD7kE1dTYOi8V5u23zmWFy4
Malware Config

Signatures

Gh0st RAT payload (10 IoCs)
resource | yara_rule
behavioral1/memory/2064-175-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/2064-176-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/2064-177-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/2064-189-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/3372-251-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/1264-303-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/4732-359-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/4732-362-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/1264-374-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
behavioral1/memory/4732-376-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat

Executes dropped EXE (3 IoCs)
pid | Process
3372 | SQLSerasi.exe
1264 | SQLSerasi.exe
4732 | SQLSerasi.exe

resource | yara_rule
behavioral1/memory/2064-171-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/2064-175-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/2064-176-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/2064-177-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/2064-189-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/3372-251-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/1264-303-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/4732-359-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/4732-362-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/1264-374-0x0000000010000000-0x0000000010362000-memory.dmp | upx
behavioral1/memory/4732-376-0x0000000010000000-0x0000000010362000-memory.dmp | upx

Drops file in System32 directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | SQLSerasi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | SQLSerasi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | SQLSerasi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | SQLSerasi.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | SQLSerasi.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | 3d840979257b235dfdeb8960ceda886d4769ccf070f79ff7a4fb052fe3698687.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | 3d840979257b235dfdeb8960ceda886d4769ccf070f79ff7a4fb052fe3698687.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SQLSerasi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | SQLSerasi.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | SQLSerasi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | SQLSerasi.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | SQLSerasi.exe

Modifies data under HKEY_USERS (8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | SQLSerasi.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | SQLSerasi.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | SQLSerasi.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | SQLSerasi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | SQLSerasi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | SQLSerasi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | SQLSerasi.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | SQLSerasi.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2064 | 3d840979257b235dfdeb8960ceda886d4769ccf070f79ff7a4fb052fe3698687.exe
Token: SeDebugPrivilege | 3372 | SQLSerasi.exe
Token: SeDebugPrivilege | 1264 | SQLSerasi.exe
Token: SeDebugPrivilege | 1264 | SQLSerasi.exe
Token: SeDebugPrivilege | 4732 | SQLSerasi.exe
Token: SeDebugPrivilege | 4732 | SQLSerasi.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2064 wrote to memory of 3372 | 2064 | 3d840979257b235dfdeb8960ceda886d4769ccf070f79ff7a4fb052fe3698687.exe | 66
PID 2064 wrote to memory of 3372 | 2064 | 3d840979257b235dfdeb8960ceda886d4769ccf070f79ff7a4fb052fe3698687.exe | 66
PID 2064 wrote to memory of 3372 | 2064 | 3d840979257b235dfdeb8960ceda886d4769ccf070f79ff7a4fb052fe3698687.exe | 66
PID 1264 wrote to memory of 4732 | 1264 | SQLSerasi.exe | 68
PID 1264 wrote to memory of 4732 | 1264 | SQLSerasi.exe | 68
PID 1264 wrote to memory of 4732 | 1264 | SQLSerasi.exe | 68
Processes

PID 2064  C:\Users\Admin\AppData\Local\Temp\3d840979257b235dfdeb8960ceda886d4769ccf070f79ff7a4fb052fe3698687.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3d840979257b235dfdeb8960ceda886d4769ccf070f79ff7a4fb052fe3698687.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  PID 3372  C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  (child of 2064)
    command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

PID 1264  C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  PID 4732  C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  (child of 1264)
    command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads (4 entries, all the same file)
Filesize: 39.4MB
MD5: 639aed4293bccf269024ff4eb75c88ae
SHA1: f1b160d7dff9aed93b840d87142512c9dd652a60
SHA256: 18eb36620c3ce13f4f32af1fd02610b11085047e2aa39cc9b850cb2bcb9a1af7
SHA512: e316c4617cfd3ccb15f9d9b42b95b343dd5eb9879aaac071482e61caa9fae8856e94ed9a23a2426f7f5ac501cc9b5757a17834a4046393ef51fbc5c350243420