Analysis
max time kernel: 148s
max time network: 139s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07/10/2022, 04:43
Static task: static1
General
Target: 741ef1dd52cf5fd0aec99dbeb3dcdfa36087209c9018460253a93a67b105a560.exe
Size: 375KB
MD5: 045f54824bd433f67d474fdbd94a8257
SHA1: 43d3c8ba440591bb3d7bae145d9e69d455c2592a
SHA256: 741ef1dd52cf5fd0aec99dbeb3dcdfa36087209c9018460253a93a67b105a560
SHA512: 0f7c3616189a022e677685e2ade31a005cae43081146e5e3834e3c119248b8b0de7f0cecc4107db7d97209dfd9b6aee1612bf2e7dd06912d33e20578d2b1c3af
SSDEEP: 6144:Cv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:C4VOiF1WD7kE1dTYOi8V5u23zmWFy4
Malware Config
Signatures

Gh0st RAT payload 8 IoCs
resource                                                                      yara_rule
behavioral1/memory/2656-174-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/2656-175-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/2656-177-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/2336-247-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/4080-301-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/4204-359-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/4080-371-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
behavioral1/memory/4204-373-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
Executes dropped EXE 3 IoCs
pid   Process
2336  SQLSerasi.exe
4080  SQLSerasi.exe
4204  SQLSerasi.exe

yara_rule upx matches 9 IoCs
resource                                                                      yara_rule
behavioral1/memory/2656-170-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/2656-174-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/2656-175-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/2656-177-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/2336-247-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/4080-301-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/4204-359-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/4080-371-0x0000000010000000-0x0000000010362000-memory.dmp  upx
behavioral1/memory/4204-373-0x0000000010000000-0x0000000010362000-memory.dmp  upx
Drops file in System32 directory 5 IoCs
description                   ioc                                                                                                  Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat     SQLSerasi.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5       SQLSerasi.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                SQLSerasi.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                 SQLSerasi.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5         SQLSerasi.exe
Drops file in Program Files directory 2 IoCs
description                   ioc                                                         Process
File created                  C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe   741ef1dd52cf5fd0aec99dbeb3dcdfa36087209c9018460253a93a67b105a560.exe
File opened for modification  C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe   741ef1dd52cf5fd0aec99dbeb3dcdfa36087209c9018460253a93a67b105a560.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                        Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString       SQLSerasi.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                           SQLSerasi.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString       SQLSerasi.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2                           SQLSerasi.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                           SQLSerasi.exe
Modifies data under HKEY_USERS 8 IoCs
description      ioc                                                                                                                   Process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"           SQLSerasi.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix      SQLSerasi.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"    SQLSerasi.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"   SQLSerasi.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                           SQLSerasi.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"          SQLSerasi.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"         SQLSerasi.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"        SQLSerasi.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description              pid   Process
Token: SeDebugPrivilege  2656  741ef1dd52cf5fd0aec99dbeb3dcdfa36087209c9018460253a93a67b105a560.exe
Token: SeDebugPrivilege  2336  SQLSerasi.exe
Token: SeDebugPrivilege  4080  SQLSerasi.exe
Token: SeDebugPrivilege  4080  SQLSerasi.exe
Token: SeDebugPrivilege  4204  SQLSerasi.exe
Token: SeDebugPrivilege  4204  SQLSerasi.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process                                                               procid_target
PID 2656 wrote to memory of 2336  2656  741ef1dd52cf5fd0aec99dbeb3dcdfa36087209c9018460253a93a67b105a560.exe  66
PID 2656 wrote to memory of 2336  2656  741ef1dd52cf5fd0aec99dbeb3dcdfa36087209c9018460253a93a67b105a560.exe  66
PID 2656 wrote to memory of 2336  2656  741ef1dd52cf5fd0aec99dbeb3dcdfa36087209c9018460253a93a67b105a560.exe  66
PID 4080 wrote to memory of 4204  4080  SQLSerasi.exe                                                         68
PID 4080 wrote to memory of 4204  4080  SQLSerasi.exe                                                         68
PID 4080 wrote to memory of 4204  4080  SQLSerasi.exe                                                         68
Processes
- C:\Users\Admin\AppData\Local\Temp\741ef1dd52cf5fd0aec99dbeb3dcdfa36087209c9018460253a93a67b105a560.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\741ef1dd52cf5fd0aec99dbeb3dcdfa36087209c9018460253a93a67b105a560.exe"
  PID: 2656
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (child of PID 2656)
    Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    PID: 2336
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  PID: 4080
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (child of PID 4080)
    Command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    PID: 4204
    - Executes dropped EXE
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 39.4MB
MD5: 78bf95d590f54fc75d20ade2881d5501
SHA1: da4be9bcf743025b5caaa9bc4221c48478361c31
SHA256: cd12239a460c256424fc06aa3a91ec46fe283091a343e6a511a5d63547f9d1d8
SHA512: 975481c7940641da2a0fabe95cb8360b8b4728768f47987f7cc27671837c0bbab751486c37751c312e1adb160ffb74d1fb4a1de6c05aedb8f35a9e4a56cc1ffd