Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/10/2022, 10:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f66dca8a4d3274b2ed67e1c54b0b92b778c782b37b873455146b3f7f0dace54.exe

  • Size

    375KB

  • MD5

    4a4ec92008973d2f90d9daa736a11cff

  • SHA1

    823b8b124ea5184b2563a4c2aee148782211ca17

  • SHA256

    1f66dca8a4d3274b2ed67e1c54b0b92b778c782b37b873455146b3f7f0dace54

  • SHA512

    ea24a8dd88345e75a22279442637d58ef764a3d062139f952bf0cc73286f6d9b736314b3c66fa7ae7f5349b1b83ee4744ee3f734096e53fa88da7c1ed07976a6

  • SSDEEP

    6144:mv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:m4VOiF1WD7kE1dTYOi8V5u23zmWFy4

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 8 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 4 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f66dca8a4d3274b2ed67e1c54b0b92b778c782b37b873455146b3f7f0dace54.exe
    "C:\Users\Admin\AppData\Local\Temp\1f66dca8a4d3274b2ed67e1c54b0b92b778c782b37b873455146b3f7f0dace54.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4840
  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 572
      2⤵
      • Program crash
      PID:308
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4236
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2456
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4624 -ip 4624
    1⤵
      PID:1048

    Network

    • flag-us
      DNS
      d.nxxxn.ga
      SQLSerasi.exe
      Remote address:
      8.8.8.8:53
      Request
      d.nxxxn.ga
      IN A
      Response
      d.nxxxn.ga
      IN A
      91.208.245.48
    • flag-us
      DNS
      r.pengyou.com
      SQLSerasi.exe
      Remote address:
      8.8.8.8:53
      Request
      r.pengyou.com
      IN A
      Response
      r.pengyou.com
      IN A
      0.0.0.1
    • 91.208.245.48:22251
      d.nxxxn.ga
      SQLSerasi.exe
      260 B
       5
    • 93.184.220.29:80
      322 B
       7
    • 104.46.162.224:443
      322 B
       7
    • 209.197.3.8:80
      322 B
       7
    • 209.197.3.8:80
      322 B
       7
    • 209.197.3.8:80
      322 B
       7
    • 104.80.225.205:443
      322 B
       7
    • 91.208.245.48:22251
      d.nxxxn.ga
      SQLSerasi.exe
      260 B
       5
    • 8.8.8.8:53
      d.nxxxn.ga
      dns
      SQLSerasi.exe
      56 B
       72 B
       1
      1

      DNS Request

      d.nxxxn.ga

      DNS Response

      91.208.245.48

    • 8.8.8.8:53
      r.pengyou.com
      dns
      SQLSerasi.exe
      59 B
       75 B
       1
      1

      DNS Request

      r.pengyou.com

      DNS Response

      0.0.0.1

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Filesize

      39.4MB

      MD5

      3ac2585cf4f0ceab0487514dd281bae7

      SHA1

      9c873e1f3ed25fa96391623fc344f8b5752a38e7

      SHA256

      58e154bd8bfc62aecbe266d232d14f5fe930567f364939b00fb6f68c3f87e8c3

      SHA512

      c2c61aee38951ba362e646d3ae7344857c3678fa35343e195ed31ce810efd5a66f976b71ee6435cf5c61f90a816345687ce0ab9500b5500b7b5d8a0e48202068

      Download Submit

    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Filesize

      39.4MB

      MD5

      3ac2585cf4f0ceab0487514dd281bae7

      SHA1

      9c873e1f3ed25fa96391623fc344f8b5752a38e7

      SHA256

      58e154bd8bfc62aecbe266d232d14f5fe930567f364939b00fb6f68c3f87e8c3

      SHA512

      c2c61aee38951ba362e646d3ae7344857c3678fa35343e195ed31ce810efd5a66f976b71ee6435cf5c61f90a816345687ce0ab9500b5500b7b5d8a0e48202068

      Download Submit

    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Filesize

      39.4MB

      MD5

      3ac2585cf4f0ceab0487514dd281bae7

      SHA1

      9c873e1f3ed25fa96391623fc344f8b5752a38e7

      SHA256

      58e154bd8bfc62aecbe266d232d14f5fe930567f364939b00fb6f68c3f87e8c3

      SHA512

      c2c61aee38951ba362e646d3ae7344857c3678fa35343e195ed31ce810efd5a66f976b71ee6435cf5c61f90a816345687ce0ab9500b5500b7b5d8a0e48202068

      Download Submit

    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Filesize

      39.4MB

      MD5

      3ac2585cf4f0ceab0487514dd281bae7

      SHA1

      9c873e1f3ed25fa96391623fc344f8b5752a38e7

      SHA256

      58e154bd8bfc62aecbe266d232d14f5fe930567f364939b00fb6f68c3f87e8c3

      SHA512

      c2c61aee38951ba362e646d3ae7344857c3678fa35343e195ed31ce810efd5a66f976b71ee6435cf5c61f90a816345687ce0ab9500b5500b7b5d8a0e48202068

      Download Submit

    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Filesize

      39.4MB

      MD5

      3ac2585cf4f0ceab0487514dd281bae7

      SHA1

      9c873e1f3ed25fa96391623fc344f8b5752a38e7

      SHA256

      58e154bd8bfc62aecbe266d232d14f5fe930567f364939b00fb6f68c3f87e8c3

      SHA512

      c2c61aee38951ba362e646d3ae7344857c3678fa35343e195ed31ce810efd5a66f976b71ee6435cf5c61f90a816345687ce0ab9500b5500b7b5d8a0e48202068

      Download Submit

    • memory/2456-175-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2456-172-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/4236-173-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/4236-174-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/4624-149-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4624-152-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4624-158-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4624-156-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/4624-153-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4840-154-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4840-155-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/5100-132-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/5100-133-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/5100-136-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/5100-143-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/5100-137-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/5100-138-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.