Analysis
  max time kernel    131s
  max time network   153s
  platform           windows10-2004_x64
  resource           win10v2004-20220812-en
  resource tags      arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted          07/10/2022, 15:15
Static task
static1
General
  Target   4d4bbcfc2687bab3270b8d5bcb52708ac64952e73c5890fc58cf244194f93010.exe
  Size     375KB
  MD5      915ad9039e7c2d790357ff8eb186c6d7
  SHA1     b1eb5730bc31bda44f07b5539dadb7ed0c417c85
  SHA256   4d4bbcfc2687bab3270b8d5bcb52708ac64952e73c5890fc58cf244194f93010
  SHA512   35498d28c90596a4f546027216d9745753df1aa3852e49cdddc795247959df23c04792da782cbeb7748ad1d446dcfdfa9acfe6f93a4ba7c3b08b726ae085dec8
  SSDEEP   6144:Cv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:C4VOiF1WD7kE1dTYOi8V5u23zmWFy4
Malware Config
Signatures
-
Gh0st RAT payload (10 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3208-136-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/3208-137-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/3208-138-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/2716-153-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/2716-154-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/1196-155-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/1196-157-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/2716-160-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/3560-176-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/5044-180-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  Every hit is the same 0x362000-byte region at base 0x10000000 in five different processes: the dropper (3208) and each SQLSerasi.exe instance. 0x10000000 is the default preferred image base of a DLL, so this is one unpacked module mapped at its preferred base in every process rather than an allocation at a random address.
-
Executes dropped EXE (4 IoCs)
  pid   Process
  1196  SQLSerasi.exe
  2716  SQLSerasi.exe
  3560  SQLSerasi.exe
  5044  SQLSerasi.exe
-
UPX packer signature (yara_rule: upx) (10 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3208-133-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/3208-136-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/3208-137-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/3208-138-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/2716-150-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/2716-153-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/2716-154-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/1196-155-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/2716-160-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/3560-176-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  The upx rule fires on the same 0x10000000-0x10362000 region as the Gh0st rule, so the module carrying the Gh0st payload is UPX-packed; the family rule matching on the same dumps means the dumps were taken after the packer stub had unpacked it in memory.
-
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation      4d4bbcfc2687bab3270b8d5bcb52708ac64952e73c5890fc58cf244194f93010.exe
-
Drops file in System32 directory (4 IoCs)
  description                  ioc                                                                                            Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5   SQLSerasi.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  SQLSerasi.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE           SQLSerasi.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies            SQLSerasi.exe
  These are the WinINet cache containers (history, content cache, cookies) under the LocalSystem account's profile, not user-chosen paths; see the HKEY_USERS note below for what that implies about the account the dropped binary runs as.
-
Drops file in Program Files directory (2 IoCs)
  description                   ioc                                                         Process
  File created                  C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe   4d4bbcfc2687bab3270b8d5bcb52708ac64952e73c5890fc58cf244194f93010.exe
  File opened for modification  C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe   4d4bbcfc2687bab3270b8d5bcb52708ac64952e73c5890fc58cf244194f93010.exe
  The dropped copy is named and placed to look like a Microsoft SQL Server component; a real SQL Server installation does not ship a file of this name, so the full path is a usable host indicator.
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The generic signature text labels this likely ransomware behaviour; for a RAT such as Gh0st, which includes a remote file manager, enumerating drives is at least as consistent with reconnaissance for that file manager, and nothing else in this report (no mass file modification, no ransom note) supports a ransomware reading.
-
Program crash (1 IoC)
  pid  pid_target  Process       procid_target
  228  2716        WerFault.exe  82
  One SQLSerasi.exe instance (PID 2716) crashed after spawning its children; the WerFault.exe command lines in the process tree below confirm 2716 as the faulting process.
-
Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments. Here the sample walks the CentralProcessor\N keys one core at a time and reads ProcessorNameString from each; collecting a host fingerprint for the RAT's initial check-in is an equally plausible reason, so treat this as an indicator of host profiling rather than proof of sandbox evasion.
  description        ioc                                                                                Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    SQLSerasi.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  SQLSerasi.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                    SQLSerasi.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  SQLSerasi.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2                    SQLSerasi.exe
-
Modifies data under HKEY_USERS (8 IoCs)
  description      ioc                                                                                                               Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   SQLSerasi.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      SQLSerasi.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  SQLSerasi.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"   SQLSerasi.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  SQLSerasi.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      SQLSerasi.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     SQLSerasi.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    SQLSerasi.exe
  The values themselves are the defaults WinINet writes the first time a profile uses it (zone map and cache prefixes), so they are not configuration the sample chose. The signal is where they land: HKU\.DEFAULT is the LocalSystem account's profile hive, and the same process writes under SysWOW64\config\systemprofile above, which is consistent with the dropped SQLSerasi.exe running as a service in the LocalSystem context rather than as the submitting user. The report does not show the service registration itself.
-
Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3208  4d4bbcfc2687bab3270b8d5bcb52708ac64952e73c5890fc58cf244194f93010.exe
  Token: SeDebugPrivilege   1196  SQLSerasi.exe
  Token: SeDebugPrivilege   2716  SQLSerasi.exe
  Token: SeDebugPrivilege   2716  SQLSerasi.exe
  Token: SeDebugPrivilege   2716  SQLSerasi.exe
  Token: SeDebugPrivilege   3560  SQLSerasi.exe
  Token: SeDebugPrivilege   5044  SQLSerasi.exe
  Token: SeDebugPrivilege   3560  SQLSerasi.exe
  Every instance enables SeDebugPrivilege; it is only granted if the token already holds it (administrators and LocalSystem do), so its success in 3208 also tells you the dropper was run elevated.
-
Suspicious use of WriteProcessMemory (9 IoCs)
  description                         pid   Process                                                                procid_target
  PID 3208 wrote to memory of 1196    3208  4d4bbcfc2687bab3270b8d5bcb52708ac64952e73c5890fc58cf244194f93010.exe  81
  PID 3208 wrote to memory of 1196    3208  4d4bbcfc2687bab3270b8d5bcb52708ac64952e73c5890fc58cf244194f93010.exe  81
  PID 3208 wrote to memory of 1196    3208  4d4bbcfc2687bab3270b8d5bcb52708ac64952e73c5890fc58cf244194f93010.exe  81
  PID 2716 wrote to memory of 3560    2716  SQLSerasi.exe                                                          85
  PID 2716 wrote to memory of 3560    2716  SQLSerasi.exe                                                          85
  PID 2716 wrote to memory of 3560    2716  SQLSerasi.exe                                                          85
  PID 2716 wrote to memory of 5044    2716  SQLSerasi.exe                                                          84
  PID 2716 wrote to memory of 5044    2716  SQLSerasi.exe                                                          84
  PID 2716 wrote to memory of 5044    2716  SQLSerasi.exe                                                          84
  Each target is a child the writer itself spawned (see the process tree below), and Triage emits a group of writes like this for ordinary child-process creation, when the parent writes the new process's start-up data. There is no write into a process the sample did not create, so this table on its own does not show injection into a foreign process.
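The two memory-dump tables and the WriteProcessMemory table above are easier to reason about once their rows are parsed rather than eyeballed. The following is an added example written for this page (not code from tria.ge or from the report); it parses the resource names in the exact shape this report prints them (`behavioral1/memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp <rule>`) and the `PID A wrote to memory of B` rows, then answers the questions a triager asks: which rules hit which PIDs, whether all hits share one region, how large that region is, and which process wrote into which. The row strings are copied from this report; the regular expressions and the output shape are my own assumptions about the format, not a documented tria.ge schema.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the "Gh0st RAT payload" and UPX tables
# of this report, one "resource rule" pair per line.
GH0ST_ROWS = """
behavioral1/memory/3208-136-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/3208-137-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/3208-138-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/2716-153-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/2716-154-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/1196-155-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/1196-157-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/2716-160-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/3560-176-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/5044-180-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
"""
UPX_ROWS = """
behavioral1/memory/3208-133-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/3208-136-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/3208-137-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/3208-138-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/2716-150-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/2716-153-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/2716-154-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/1196-155-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/2716-160-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/3560-176-0x0000000010000000-0x0000000010362000-memory.dmp upx
"""
# Constructed input: the WriteProcessMemory rows from this report (process names shortened).
WPM_ROWS = """
PID 3208 wrote to memory of 1196 3208 4d4bbcfc.exe 81
PID 3208 wrote to memory of 1196 3208 4d4bbcfc.exe 81
PID 3208 wrote to memory of 1196 3208 4d4bbcfc.exe 81
PID 2716 wrote to memory of 3560 2716 SQLSerasi.exe 85
PID 2716 wrote to memory of 3560 2716 SQLSerasi.exe 85
PID 2716 wrote to memory of 3560 2716 SQLSerasi.exe 85
PID 2716 wrote to memory of 5044 2716 SQLSerasi.exe 84
PID 2716 wrote to memory of 5044 2716 SQLSerasi.exe 84
PID 2716 wrote to memory of 5044 2716 SQLSerasi.exe 84
"""

# Assumed row shape (matches this report; not a documented tria.ge schema).
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\b")


def parse_dump_hits(text):
    """Parse 'resource rule' rows into dicts; blank lines are skipped, anything else unparseable is an error."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        hits.append({"pid": int(m["pid"]), "idx": int(m["idx"]),
                     "start": int(m["start"], 16), "end": int(m["end"], 16),
                     "rule": m["rule"]})
    return hits


def summarize(hits):
    """Group PIDs by rule, collect distinct regions with their sizes, and find PIDs where every rule fired."""
    pids_by_rule = defaultdict(set)
    regions = set()
    for h in hits:
        pids_by_rule[h["rule"]].add(h["pid"])
        regions.add((h["start"], h["end"]))
    common = set.intersection(*pids_by_rule.values()) if pids_by_rule else set()
    return {"pids_by_rule": dict(pids_by_rule),
            "regions": regions,
            "region_sizes": {(s, e): e - s for s, e in regions},
            "pids_with_all_rules": common}


def parse_wpm_edges(text):
    """Return the distinct (writer pid, target pid) pairs; repeats of the same pair collapse to one edge."""
    edges = set()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges.add((int(m["src"]), int(m["dst"])))
    return edges


if __name__ == "__main__":
    s = summarize(parse_dump_hits(GH0ST_ROWS + UPX_ROWS))
    for rule, pids in sorted(s["pids_by_rule"].items()):
        print(f"{rule:16} pids={sorted(pids)}")
    for (start, end), size in s["region_sizes"].items():
        print(f"region 0x{start:08x}-0x{end:08x} size=0x{size:x} ({size} bytes)")
    print("pids hit by every rule:", sorted(s["pids_with_all_rules"]))
    print("writer -> target:", sorted(parse_wpm_edges(WPM_ROWS)))
```

Run against the rows above, it reports a single region of 0x362000 bytes (3,547,136) at 0x10000000 across all hits, five PIDs for family_gh0strat and four for upx (5044 has a Gh0st hit but no upx hit in the ten upx rows shown), and exactly three writer/target pairs, each matching a parent/child edge in the process tree. Those are the checks worth repeating on any Triage report for this family: a shared fixed base and size across processes points to one module, and WriteProcessMemory targets that are all the writer's own children do not by themselves indicate injection.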
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d4bbcfc2687bab3270b8d5bcb52708ac64952e73c5890fc58cf244194f93010.exe  (PID 3208, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\4d4bbcfc2687bab3270b8d5bcb52708ac64952e73c5890fc58cf244194f93010.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  (PID 1196, depth 2, child of 3208)
      command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  (PID 2716, depth 1, no parent shown in the tree)
  command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  (PID 5044, depth 2, child of 2716)
      command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe  (PID 3560, depth 2, child of 2716)
      command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe  (PID 228, depth 2, child of 2716)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 576
      - Program crash
-
C:\Windows\SysWOW64\WerFault.exe  (PID 208, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2716 -ip 2716

Reading the tree: the dropper (3208) writes SQLSerasi.exe into Program Files (x86) and launches it once (1196). A second instance (2716) appears at the top level with no parent recorded, spawns two further copies (5044, 3560) and then crashes (both WerFault.exe invocations name -p 2716). The child 3560 is the one that touches the systemprofile cache directories and HKU\.DEFAULT, so the 2716 branch is the one consistent with running in the LocalSystem context; how 2716 itself was started is not captured in this report.
Network
MITRE ATT&CK Enterprise v6
Downloads
-
  Filesize  39.4MB
  MD5       2a08f9f06fb677f707b3fa974ef37dc2
  SHA1      5de47e3cf6ad2bcd3c2a0bad4816f8d8a512c24c
  SHA256    88b22d705e49ecde84c95adc156851480816d52df5eb9fbc944eb1be519edbdf
  SHA512    de6832e0248e69e2b20b2fb096734ebbd47b36f955a3125215d0de378b98d3f77220d22cc3622169aa57d1f0528cd1906d20bde59ab03e690b621cd05e76b15e