Analysis
- max time kernel: 147s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2022, 18:21
Static task
static1
General
- Target: bccbe0e2548da3747dba45f66e127f71f29acd6b5a7aceeddfaad0f8d5ed37d5.exe
- Size: 375KB
- MD5: 63165b30ddcb8563f60c447383be9e7e
- SHA1: 071cefb7740b09c22c1b560b1a4674cb7194eb4b
- SHA256: bccbe0e2548da3747dba45f66e127f71f29acd6b5a7aceeddfaad0f8d5ed37d5
- SHA512: 811733f702856c3cf104d85f29e4008146a9f2913e6c30ed77002f78d2335f2b876f2241818960b453e0f3a9e88504d65b2a1c951795e1800dfa9060476a39ff
- SSDEEP: 6144:dv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:d4VOiF1WD7kE1dTYOi8V5u23zmWFy4
Malware Config
Signatures
- Gh0st RAT payload (10 IoCs)
  resource | yara_rule
  behavioral1/memory/2112-135-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
  behavioral1/memory/2112-136-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
  behavioral1/memory/2112-138-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
  behavioral1/memory/4904-153-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
  behavioral1/memory/4904-154-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
  behavioral1/memory/4772-156-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
  behavioral1/memory/4904-159-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
  behavioral1/memory/2264-176-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
  behavioral1/memory/4788-177-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
  behavioral1/memory/4788-180-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- Executes dropped EXE (4 IoCs)
  pid | Process
  4772 | SQLSerasi.exe
  4904 | SQLSerasi.exe
  4788 | SQLSerasi.exe
  2264 | SQLSerasi.exe
- yara_rule upx matches (12 IoCs; the signature title for this table is absent from the extracted page)
  resource | yara_rule
  behavioral1/memory/2112-132-0x0000000010000000-0x0000000010362000-memory.dmp | upx
  behavioral1/memory/2112-135-0x0000000010000000-0x0000000010362000-memory.dmp | upx
  behavioral1/memory/2112-136-0x0000000010000000-0x0000000010362000-memory.dmp | upx
  behavioral1/memory/2112-138-0x0000000010000000-0x0000000010362000-memory.dmp | upx
  behavioral1/memory/4904-150-0x0000000010000000-0x0000000010362000-memory.dmp | upx
  behavioral1/memory/4904-153-0x0000000010000000-0x0000000010362000-memory.dmp | upx
  behavioral1/memory/4904-154-0x0000000010000000-0x0000000010362000-memory.dmp | upx
  behavioral1/memory/4772-156-0x0000000010000000-0x0000000010362000-memory.dmp | upx
  behavioral1/memory/4904-159-0x0000000010000000-0x0000000010362000-memory.dmp | upx
  behavioral1/memory/2264-176-0x0000000010000000-0x0000000010362000-memory.dmp | upx
  behavioral1/memory/4788-177-0x0000000010000000-0x0000000010362000-memory.dmp | upx
  behavioral1/memory/4788-180-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | bccbe0e2548da3747dba45f66e127f71f29acd6b5a7aceeddfaad0f8d5ed37d5.exe
- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | SQLSerasi.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | SQLSerasi.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | SQLSerasi.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | SQLSerasi.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | bccbe0e2548da3747dba45f66e127f71f29acd6b5a7aceeddfaad0f8d5ed37d5.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | bccbe0e2548da3747dba45f66e127f71f29acd6b5a7aceeddfaad0f8d5ed37d5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  4560 | 4904 | WerFault.exe | 82
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SQLSerasi.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | SQLSerasi.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | SQLSerasi.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | SQLSerasi.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | SQLSerasi.exe
- Modifies data under HKEY_USERS (8 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | SQLSerasi.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | SQLSerasi.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | SQLSerasi.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | SQLSerasi.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | SQLSerasi.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | SQLSerasi.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | SQLSerasi.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | SQLSerasi.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2112 | bccbe0e2548da3747dba45f66e127f71f29acd6b5a7aceeddfaad0f8d5ed37d5.exe
  Token: SeDebugPrivilege | 4772 | SQLSerasi.exe
  Token: SeDebugPrivilege | 4904 | SQLSerasi.exe
  Token: SeDebugPrivilege | 4904 | SQLSerasi.exe
  Token: SeDebugPrivilege | 4904 | SQLSerasi.exe
  Token: SeDebugPrivilege | 2264 | SQLSerasi.exe
  Token: SeDebugPrivilege | 4788 | SQLSerasi.exe
  Token: SeDebugPrivilege | 4788 | SQLSerasi.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2112 wrote to memory of 4772 | 2112 | bccbe0e2548da3747dba45f66e127f71f29acd6b5a7aceeddfaad0f8d5ed37d5.exe | 81
  PID 2112 wrote to memory of 4772 | 2112 | bccbe0e2548da3747dba45f66e127f71f29acd6b5a7aceeddfaad0f8d5ed37d5.exe | 81
  PID 2112 wrote to memory of 4772 | 2112 | bccbe0e2548da3747dba45f66e127f71f29acd6b5a7aceeddfaad0f8d5ed37d5.exe | 81
  PID 4904 wrote to memory of 4788 | 4904 | SQLSerasi.exe | 83
  PID 4904 wrote to memory of 4788 | 4904 | SQLSerasi.exe | 83
  PID 4904 wrote to memory of 4788 | 4904 | SQLSerasi.exe | 83
  PID 4904 wrote to memory of 2264 | 4904 | SQLSerasi.exe | 84
  PID 4904 wrote to memory of 2264 | 4904 | SQLSerasi.exe | 84
  PID 4904 wrote to memory of 2264 | 4904 | SQLSerasi.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\bccbe0e2548da3747dba45f66e127f71f29acd6b5a7aceeddfaad0f8d5ed37d5.exe (PID 2112)
  command line: "C:\Users\Admin\AppData\Local\Temp\bccbe0e2548da3747dba45f66e127f71f29acd6b5a7aceeddfaad0f8d5ed37d5.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (PID 4772)
    command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (PID 4904)
  command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (PID 4788)
    command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  - C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (PID 2264)
    command line: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 4560)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 496
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3384)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4904 -ip 4904
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 39.4MB
  MD5: e2389b5ef09baea5d86973be86b088f3
  SHA1: b2a4e768021df2b331a49b3fdc25dd6f2322ebe6
  SHA256: 25e721e04751dff95baede7ef531a23a9fcf90237cfed889760080bcf25ac91c
  SHA512: f229ac057d2fba7d684b3700fa1247f283fdbabefd5e1aaeae3f0302e9041a06e3f8f911722d10bb8bb96a3353cbb306d542cf1819407edc623de39c01e4ec29