Analysis

max time kernel: 133s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/10/2022, 12:24
Static task: static1
General

Target: 9f18b7105df6cd2c31995ba0eecdc9e8edec0aaafe70bc283eb98c32bce9d1cb.exe
Size: 375KB
MD5: aa901de8af4d8401092c3e8c9798fd0c
SHA1: dbed6973dab8c994a83fcbb5e536b4363d5f5803
SHA256: 9f18b7105df6cd2c31995ba0eecdc9e8edec0aaafe70bc283eb98c32bce9d1cb
SHA512: 069c9b1242fd8468b379557f86e035c0d4c53f6f99762a0abeab8f73a0ea5f112ee76b1e02c380543ee4dac2771fc9251bdc150743e802578a2e95d9385c624a
SSDEEP: 6144:r4v5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:s4VOiF1WD7kE1dTYOi8V5u23zmWFy4
Malware Config
Signatures

Gh0st RAT payload (10 IoCs)
  resource  [yara_rule]
  behavioral1/memory/3048-136-0x0000000010000000-0x0000000010362000-memory.dmp  [family_gh0strat]
  behavioral1/memory/3048-137-0x0000000010000000-0x0000000010362000-memory.dmp  [family_gh0strat]
  behavioral1/memory/3048-138-0x0000000010000000-0x0000000010362000-memory.dmp  [family_gh0strat]
  behavioral1/memory/5016-152-0x0000000010000000-0x0000000010362000-memory.dmp  [family_gh0strat]
  behavioral1/memory/5016-150-0x0000000010000000-0x0000000010362000-memory.dmp  [family_gh0strat]
  behavioral1/memory/4540-155-0x0000000010000000-0x0000000010362000-memory.dmp  [family_gh0strat]
  behavioral1/memory/4540-156-0x0000000010000000-0x0000000010362000-memory.dmp  [family_gh0strat]
  behavioral1/memory/4540-159-0x0000000010000000-0x0000000010362000-memory.dmp  [family_gh0strat]
  behavioral1/memory/176-176-0x0000000010000000-0x0000000010362000-memory.dmp  [family_gh0strat]
  behavioral1/memory/216-178-0x0000000010000000-0x0000000010362000-memory.dmp  [family_gh0strat]

Executes dropped EXE (4 IoCs)
  pid  [Process]
  5016  [SQLSerasi.exe]
  4540  [SQLSerasi.exe]
  176  [SQLSerasi.exe]
  216  [SQLSerasi.exe]

yara_rule upx (11 IoCs; the signature title was not captured in the report)
  resource  [yara_rule]
  behavioral1/memory/3048-132-0x0000000010000000-0x0000000010362000-memory.dmp  [upx]
  behavioral1/memory/3048-136-0x0000000010000000-0x0000000010362000-memory.dmp  [upx]
  behavioral1/memory/3048-137-0x0000000010000000-0x0000000010362000-memory.dmp  [upx]
  behavioral1/memory/3048-138-0x0000000010000000-0x0000000010362000-memory.dmp  [upx]
  behavioral1/memory/5016-152-0x0000000010000000-0x0000000010362000-memory.dmp  [upx]
  behavioral1/memory/5016-150-0x0000000010000000-0x0000000010362000-memory.dmp  [upx]
  behavioral1/memory/4540-149-0x0000000010000000-0x0000000010362000-memory.dmp  [upx]
  behavioral1/memory/4540-155-0x0000000010000000-0x0000000010362000-memory.dmp  [upx]
  behavioral1/memory/4540-156-0x0000000010000000-0x0000000010362000-memory.dmp  [upx]
  behavioral1/memory/4540-159-0x0000000010000000-0x0000000010362000-memory.dmp  [upx]
  behavioral1/memory/216-178-0x0000000010000000-0x0000000010362000-memory.dmp  [upx]

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description  ioc  [Process]
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  [9f18b7105df6cd2c31995ba0eecdc9e8edec0aaafe70bc283eb98c32bce9d1cb.exe]

Drops file in System32 directory (4 IoCs)
  description  ioc  [Process]
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies  [SQLSerasi.exe]
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5  [SQLSerasi.exe]
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  [SQLSerasi.exe]
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE  [SQLSerasi.exe]

Drops file in Program Files directory (2 IoCs)
  description  ioc  [Process]
  File created  C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  [9f18b7105df6cd2c31995ba0eecdc9e8edec0aaafe70bc283eb98c32bce9d1cb.exe]
  File opened for modification  C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  [9f18b7105df6cd2c31995ba0eecdc9e8edec0aaafe70bc283eb98c32bce9d1cb.exe]

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid  pid_target  [Process]  procid_target
  524  4540  [WerFault.exe]  84

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description  ioc  [Process]
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  [SQLSerasi.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  [SQLSerasi.exe]
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2  [SQLSerasi.exe]
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  [SQLSerasi.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  [SQLSerasi.exe]

Modifies data under HKEY_USERS (8 IoCs)
  description  ioc  [Process]
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  [SQLSerasi.exe]
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  [SQLSerasi.exe]
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  [SQLSerasi.exe]
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  [SQLSerasi.exe]
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  [SQLSerasi.exe]
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  [SQLSerasi.exe]
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  [SQLSerasi.exe]
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  [SQLSerasi.exe]

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description  pid  [Process]
  Token: SeDebugPrivilege  3048  [9f18b7105df6cd2c31995ba0eecdc9e8edec0aaafe70bc283eb98c32bce9d1cb.exe]
  Token: SeDebugPrivilege  5016  [SQLSerasi.exe]
  Token: SeDebugPrivilege  4540  [SQLSerasi.exe]
  Token: SeDebugPrivilege  4540  [SQLSerasi.exe]
  Token: SeDebugPrivilege  4540  [SQLSerasi.exe]
  Token: SeDebugPrivilege  176  [SQLSerasi.exe]
  Token: SeDebugPrivilege  216  [SQLSerasi.exe]
  Token: SeDebugPrivilege  216  [SQLSerasi.exe]

Suspicious use of WriteProcessMemory (9 IoCs)
  description  pid  [Process]  procid_target
  PID 3048 wrote to memory of 5016  3048  [9f18b7105df6cd2c31995ba0eecdc9e8edec0aaafe70bc283eb98c32bce9d1cb.exe]  83
  PID 3048 wrote to memory of 5016  3048  [9f18b7105df6cd2c31995ba0eecdc9e8edec0aaafe70bc283eb98c32bce9d1cb.exe]  83
  PID 3048 wrote to memory of 5016  3048  [9f18b7105df6cd2c31995ba0eecdc9e8edec0aaafe70bc283eb98c32bce9d1cb.exe]  83
  PID 4540 wrote to memory of 176  4540  [SQLSerasi.exe]  87
  PID 4540 wrote to memory of 176  4540  [SQLSerasi.exe]  87
  PID 4540 wrote to memory of 176  4540  [SQLSerasi.exe]  87
  PID 4540 wrote to memory of 216  4540  [SQLSerasi.exe]  86
  PID 4540 wrote to memory of 216  4540  [SQLSerasi.exe]  86
  PID 4540 wrote to memory of 216  4540  [SQLSerasi.exe]  86
Processes

C:\Users\Admin\AppData\Local\Temp\9f18b7105df6cd2c31995ba0eecdc9e8edec0aaafe70bc283eb98c32bce9d1cb.exe  (PID 3048)
  command line: "C:\Users\Admin\AppData\Local\Temp\9f18b7105df6cd2c31995ba0eecdc9e8edec0aaafe70bc283eb98c32bce9d1cb.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  (PID 5016)
      command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  (PID 4540)
  command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  (PID 216)
      command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  (PID 176)
      command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe  (PID 524)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 644
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 1712)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4540 -ip 4540
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 39.4MB
MD5: 7cea0993c59ad0919ad51f05db20d42b
SHA1: 7a9c0ba5a60be48af9c53bf4a82910e6fa10ac08
SHA256: eb351764411c913503ec24eb2316b4684739f7f8c42b861bde33610281eafe46
SHA512: e19182166ac16b8de587928e967f88cc832016f5dc840edaf171269dcb0e43e7f66551feaf1a4d17b4f6e1cce8ceaf1ad94a4b8c88e203ef267519801ae88e43