Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    171s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 21:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf.exe

  • Size

    617KB

  • MD5

    8febef9e39284335678e45955722d6a6

  • SHA1

    0f5de2557c7cef0c486157089cf2b761ca8839d7

  • SHA256

    7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf

  • SHA512

    e8b70e73b960b4fa3fa209baaf702990dc4a153cca85eca5a9586ab42dab82d99d6ecec15c9ed043cca2637710f2921f94b2a2b934c9960fe36514cdf4ceacbf

Score
10/10
asyncrat1persistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

1

C2

185.157.160.136:1973

Mutex

df4Rtg34dFjwr7ujp3

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    38

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 3 IoCs
    rat
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf.exe
    "C:\Users\Admin\AppData\Local\Temp\7fcb98579512e3df028c8199b530d8e027d55a871d2afb81aeb5994adac814bf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:1136
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qczzgn.exe"' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3188
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qczzgn.exe"'
            4⤵
              PID:1040

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1040-132-0x0000000000000000-mapping.dmp
        Download
      • memory/1228-125-0x0000000005610000-0x0000000005611000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1228-120-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1228-121-0x000000000040C6BE-mapping.dmp
        Download
      • memory/1228-124-0x0000000005170000-0x0000000005171000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1228-126-0x0000000005BB0000-0x0000000005BB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1228-127-0x0000000005720000-0x0000000005721000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1228-128-0x0000000007810000-0x0000000007811000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1228-129-0x0000000005B90000-0x0000000005BAB000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1228-130-0x00000000077E0000-0x00000000077E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3188-131-0x0000000000000000-mapping.dmp
        Download
      • memory/3516-118-0x00000000001D0000-0x00000000001D6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/3516-119-0x00000000001D0000-0x00000000001DA000-memory.dmp
        Filesize

        40KB

        Download