Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Analysis

  • max time kernel
    97s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    26-01-2022 08:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70f4d7dc4bcfe2a231f5407a9b37743ca1397f04f358a41416cc1ce17f3b4dea.exe

  • Size

    678KB

  • MD5

    85ab0f963311cda7e0c1e7028dd30e34

  • SHA1

    832d6afd5707a3dfda94db1587802a7afd5221ca

  • SHA256

    70f4d7dc4bcfe2a231f5407a9b37743ca1397f04f358a41416cc1ce17f3b4dea

  • SHA512

    283ac02efbef15f7c2652fc5d9ca75187856ca49f24cff32e2ab3d08611570d9a3b806b50a52c69099a681094b8a9ca5e48bb167b48fe2aa7fa7224eb62cbfbb

Score
10/10
asyncratpersistencerat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70f4d7dc4bcfe2a231f5407a9b37743ca1397f04f358a41416cc1ce17f3b4dea.exe
    "C:\Users\Admin\AppData\Local\Temp\70f4d7dc4bcfe2a231f5407a9b37743ca1397f04f358a41416cc1ce17f3b4dea.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WdXHeFBBaIZC.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4028
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WdXHeFBBaIZC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC6C.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3500
    • C:\Users\Admin\AppData\Local\Temp\70f4d7dc4bcfe2a231f5407a9b37743ca1397f04f358a41416cc1ce17f3b4dea.exe
      "C:\Users\Admin\AppData\Local\Temp\70f4d7dc4bcfe2a231f5407a9b37743ca1397f04f358a41416cc1ce17f3b4dea.exe"
      2⤵
        PID:3440
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
      1⤵
        PID:1856
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe 6f294506f68a1d463797ac6025e94b56 r47ChdGul0a9kBdCP4mQbw.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:4052

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpEC6C.tmp
        MD5

        c63283a679ca38d8d1ec49aefd57e2be

        SHA1

        21dd035f8ca43749b608387930a4fc985e5422aa

        SHA256

        d821313f36f0dcd985687e0096dc2f1c67aac60af84ead546d0f7a5fa3bf2ab6

        SHA512

        140a25adf133303a44def83f99f198f9dad49b6c2e53db75d8fcd3338f69d4bf2e6c1fe4e8ac9a66f2bce2377f133b3369dd58791ccb1db7d97e74d3f97664b9

        Download Submit
      • memory/3404-134-0x0000000005ED0000-0x0000000006474000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3404-135-0x0000000005830000-0x00000000058C2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/3404-136-0x00000000057B0000-0x00000000057BA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3404-137-0x0000000005920000-0x0000000005EC4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3404-138-0x0000000007D90000-0x0000000007E2C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/3404-133-0x0000000000D40000-0x0000000000DF2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/3440-143-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4028-149-0x0000000007DA0000-0x0000000007E06000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4028-152-0x0000000009410000-0x0000000009442000-memory.dmp
        Filesize

        200KB

        Download
      • memory/4028-145-0x0000000006FE0000-0x0000000006FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4028-146-0x0000000006FE2000-0x0000000006FE3000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4028-147-0x0000000007330000-0x0000000007352000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4028-148-0x0000000007CC0000-0x0000000007D26000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4028-141-0x0000000006E50000-0x0000000006E86000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4028-150-0x0000000008450000-0x000000000846E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4028-151-0x0000000006FE5000-0x0000000006FE7000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4028-144-0x0000000007620000-0x0000000007C48000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/4028-153-0x00000000716E0000-0x000000007172C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/4028-154-0x0000000008A10000-0x0000000008A2E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4028-155-0x0000000009DB0000-0x000000000A42A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/4028-156-0x0000000009770000-0x000000000978A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4028-158-0x00000000097E0000-0x00000000097EA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4028-157-0x000000007FAA0000-0x000000007FAA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4028-159-0x00000000099F0000-0x0000000009A86000-memory.dmp
        Filesize

        600KB

        Download
      • memory/4028-160-0x00000000099A0000-0x00000000099AE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/4028-161-0x0000000009AB0000-0x0000000009ACA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4028-162-0x0000000009A90000-0x0000000009A98000-memory.dmp
        Filesize

        32KB

        Download