Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Analysis

  • max time kernel
    125s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    26-01-2022 00:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bcb3f5843cba83b163c793e06e5d583a021da1c5794fdd7e484e6ad0f9655e8f.exe

  • Size

    624KB

  • MD5

    041e966e088ae931009805da96e4997d

  • SHA1

    09877b64628255c310a4dd310593a6c52b1db9dc

  • SHA256

    bcb3f5843cba83b163c793e06e5d583a021da1c5794fdd7e484e6ad0f9655e8f

  • SHA512

    c201f5b6c3a223e2064abcd7966edfd01f5df9f5e5d0c59a4d376141a86a60252e1c5cd6b1409d93dc6ee6ab886d271f5790ebae5d6721361f2f7a044dbf7290

Score
10/10
asyncratpersistencerat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcb3f5843cba83b163c793e06e5d583a021da1c5794fdd7e484e6ad0f9655e8f.exe
    "C:\Users\Admin\AppData\Local\Temp\bcb3f5843cba83b163c793e06e5d583a021da1c5794fdd7e484e6ad0f9655e8f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\btVAOWX.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3544
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\btVAOWX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1CD7.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2548
    • C:\Users\Admin\AppData\Local\Temp\bcb3f5843cba83b163c793e06e5d583a021da1c5794fdd7e484e6ad0f9655e8f.exe
      "C:\Users\Admin\AppData\Local\Temp\bcb3f5843cba83b163c793e06e5d583a021da1c5794fdd7e484e6ad0f9655e8f.exe"
      2⤵
        PID:1164
      • C:\Users\Admin\AppData\Local\Temp\bcb3f5843cba83b163c793e06e5d583a021da1c5794fdd7e484e6ad0f9655e8f.exe
        "C:\Users\Admin\AppData\Local\Temp\bcb3f5843cba83b163c793e06e5d583a021da1c5794fdd7e484e6ad0f9655e8f.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
      1⤵
        PID:3364
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe fb7cb331b29f03b4f8b8e38abd0a2f0c pENXZnoQfkS8lHBIlpwrEQ.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:3084
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k wusvcs -p
        1⤵
          PID:2260

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bcb3f5843cba83b163c793e06e5d583a021da1c5794fdd7e484e6ad0f9655e8f.exe.log
          MD5

          8ec831f3e3a3f77e4a7b9cd32b48384c

          SHA1

          d83f09fd87c5bd86e045873c231c14836e76a05c

          SHA256

          7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

          SHA512

          26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp1CD7.tmp
          MD5

          6a7b707ce24c5085dbb2328f00804285

          SHA1

          494ed4ee96b624ea39ee0ce0961bf9c2a1013189

          SHA256

          3b05a508796c5ab78374636b95d085c9b1ed59b7d085b3c33fb336fdd54f125f

          SHA512

          e33471cafb87d0052542136f6ba82767ae2ebeea8aea77f0dfe04e36ae03be2a39ee186f7ad024b2768d13a7392b21aad51100b521ed8fd66f792d7d5e63de6c

          Download Submit
        • memory/1716-148-0x0000000001980000-0x0000000001981000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1716-140-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/3544-146-0x0000000007420000-0x0000000007486000-memory.dmp
          Filesize

          408KB

          Download
        • memory/3544-149-0x00000000071E0000-0x00000000071FE000-memory.dmp
          Filesize

          120KB

          Download
        • memory/3544-161-0x00000000099E0000-0x00000000099E8000-memory.dmp
          Filesize

          32KB

          Download
        • memory/3544-139-0x0000000006E90000-0x0000000006EC6000-memory.dmp
          Filesize

          216KB

          Download
        • memory/3544-160-0x0000000009A90000-0x0000000009AAA000-memory.dmp
          Filesize

          104KB

          Download
        • memory/3544-159-0x0000000009990000-0x000000000999E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/3544-142-0x0000000006E30000-0x0000000006E40000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3544-143-0x0000000006E30000-0x0000000006E40000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3544-144-0x0000000007500000-0x0000000007B28000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/3544-145-0x0000000007380000-0x00000000073A2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3544-158-0x00000000099F0000-0x0000000009A86000-memory.dmp
          Filesize

          600KB

          Download
        • memory/3544-147-0x0000000007490000-0x00000000074F6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/3544-157-0x00000000097C0000-0x00000000097CA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3544-156-0x0000000009750000-0x000000000976A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/3544-150-0x0000000006E30000-0x0000000006E40000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3544-151-0x0000000008A30000-0x0000000008A62000-memory.dmp
          Filesize

          200KB

          Download
        • memory/3544-152-0x0000000071930000-0x000000007197C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/3544-153-0x00000000089F0000-0x0000000008A0E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/3544-154-0x000000007F2A0000-0x000000007F2A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3544-155-0x0000000009DA0000-0x000000000A41A000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/3992-135-0x0000000007B60000-0x0000000007BFC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/3992-131-0x0000000005B20000-0x00000000060C4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3992-130-0x0000000000B00000-0x0000000000BA2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/3992-132-0x0000000005610000-0x00000000056A2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/3992-133-0x0000000005570000-0x0000000005B14000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3992-134-0x0000000005580000-0x000000000558A000-memory.dmp
          Filesize

          40KB

          Download