Analysis
- max time kernel: 158s
- max time network: 167s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 06/10/2022, 20:14
Static task
static1
General
- Target: 2fe92c85d11dc83adad69eee0357255b6a5336f32b6953a486dec667f7284e5c.exe
- Size: 375KB
- MD5: 6de5522ecf9f09f903ca4ff1a0822bd8
- SHA1: 203e3428c336184d7b223c22344f3a8ca23f0c65
- SHA256: 2fe92c85d11dc83adad69eee0357255b6a5336f32b6953a486dec667f7284e5c
- SHA512: 03c0d079776081f47ebb3e7033a817ae5e6b8ccf50528b02be6fb8aa5a6bfe6eede779574623f4f3fcf45b12bc2ddc555eeb6275a2da9abd42162a598a25313e
- SSDEEP: 6144:Wv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:W4VOiF1WD7kE1dTYOi8V5u23zmWFy4
Malware Config
Signatures

Gh0st RAT payload (7 IoCs)
resource | yara_rule
- behavioral1/memory/3836-170-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/3836-171-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/3836-174-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/4444-252-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/5060-305-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/4728-356-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/4728-369-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat

Executes dropped EXE (3 IoCs)
pid | Process
- 4444 | SQLSerasi.exe
- 5060 | SQLSerasi.exe
- 4728 | SQLSerasi.exe

yara_rule upx (8 IoCs)
resource | yara_rule
- behavioral1/memory/3836-166-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/3836-170-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/3836-171-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/3836-174-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/4444-252-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/5060-305-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/4728-356-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/4728-369-0x0000000010000000-0x0000000010362000-memory.dmp | upx

Drops file in System32 directory (5 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | SQLSerasi.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | SQLSerasi.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | SQLSerasi.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | SQLSerasi.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | SQLSerasi.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
- File created | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | 2fe92c85d11dc83adad69eee0357255b6a5336f32b6953a486dec667f7284e5c.exe
- File opened for modification | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | 2fe92c85d11dc83adad69eee0357255b6a5336f32b6953a486dec667f7284e5c.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | SQLSerasi.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | SQLSerasi.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SQLSerasi.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | SQLSerasi.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | SQLSerasi.exe

Modifies data under HKEY_USERS (8 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | SQLSerasi.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | SQLSerasi.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | SQLSerasi.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | SQLSerasi.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | SQLSerasi.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | SQLSerasi.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | SQLSerasi.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | SQLSerasi.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 3836 | 2fe92c85d11dc83adad69eee0357255b6a5336f32b6953a486dec667f7284e5c.exe
- Token: SeDebugPrivilege | 4444 | SQLSerasi.exe
- Token: SeDebugPrivilege | 5060 | SQLSerasi.exe
- Token: SeDebugPrivilege | 5060 | SQLSerasi.exe
- Token: SeDebugPrivilege | 4728 | SQLSerasi.exe
- Token: SeDebugPrivilege | 4728 | SQLSerasi.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
- PID 3836 wrote to memory of 4444 | 3836 | 2fe92c85d11dc83adad69eee0357255b6a5336f32b6953a486dec667f7284e5c.exe | 66
- PID 3836 wrote to memory of 4444 | 3836 | 2fe92c85d11dc83adad69eee0357255b6a5336f32b6953a486dec667f7284e5c.exe | 66
- PID 3836 wrote to memory of 4444 | 3836 | 2fe92c85d11dc83adad69eee0357255b6a5336f32b6953a486dec667f7284e5c.exe | 66
- PID 5060 wrote to memory of 4728 | 5060 | SQLSerasi.exe | 68
- PID 5060 wrote to memory of 4728 | 5060 | SQLSerasi.exe | 68
- PID 5060 wrote to memory of 4728 | 5060 | SQLSerasi.exe | 68
Processes

- C:\Users\Admin\AppData\Local\Temp\2fe92c85d11dc83adad69eee0357255b6a5336f32b6953a486dec667f7284e5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2fe92c85d11dc83adad69eee0357255b6a5336f32b6953a486dec667f7284e5c.exe"
  PID: 3836
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (child of PID 3836)
    Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    PID: 4444
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  PID: 5060
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (child of PID 5060)
    Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    PID: 4728
    - Executes dropped EXE
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 39.4MB
  MD5: 3e32755114d81e57fdf1010e2def0d21
  SHA1: d0fc8a112749a7b4f05fefef53c42cf3033a9985
  SHA256: 72dfe9f49fd4ffab8c7500d6a9ef9ce3e1f9e201e62d1016a73afd5f8a6059d3
  SHA512: 564df36f065c84ce043eb23f36ac3447d7c89cf6362946d44e0058ed6d5c956f9c9029a6e06f72720a3b0065f1738df656c0d175bb7533c0ab0d2813413ac96e