Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2022 03:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28c4083a9a96915103b28014fff927b1f02877d918c5580e52d792472a5a9c5d.exe

  • Size

    375KB

  • MD5

    c6009dfea58b71029a2639ce96c50457

  • SHA1

    b66f315f6bb744bdfe59999cfd2951af20731dc2

  • SHA256

    28c4083a9a96915103b28014fff927b1f02877d918c5580e52d792472a5a9c5d

  • SHA512

    35ed6e113790e9a433d092defaae15977d8927cc9aa7b25e12da7ce7099e59b6aff36c0b32c4a4b5ecb8894a49ef5b51820852caf91e693460fc9d9228f4360f

  • SSDEEP

    6144:/v5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:/4VOiF1WD7kE1dTYOi8V5u23zmWFy4

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 10 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 4 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28c4083a9a96915103b28014fff927b1f02877d918c5580e52d792472a5a9c5d.exe
    "C:\Users\Admin\AppData\Local\Temp\28c4083a9a96915103b28014fff927b1f02877d918c5580e52d792472a5a9c5d.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3344
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:856
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:432
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 576
      2⤵
      • Program crash
      PID:948
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2368 -ip 2368
    1⤵
      PID:3492

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Filesize

      39.4MB

      MD5

      b29659258444736c405c96c7f587a39d

      SHA1

      766414cc23f000519e5fe1c97b738d84c974b214

      SHA256

      9461eeacd78a031f78ef5127a0cb4e1b220a663473018a43dadafd37905633ef

      SHA512

      3c6f4732b73cd681fd22f487ec83403e0751a80c1fc3ef03a639d0a46f3aa8975524e2c204191423b020a3c1e5de6f38cc454ee4d3cf0692852fef80c8274a1c

      Download Submit

    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Filesize

      39.4MB

      MD5

      b29659258444736c405c96c7f587a39d

      SHA1

      766414cc23f000519e5fe1c97b738d84c974b214

      SHA256

      9461eeacd78a031f78ef5127a0cb4e1b220a663473018a43dadafd37905633ef

      SHA512

      3c6f4732b73cd681fd22f487ec83403e0751a80c1fc3ef03a639d0a46f3aa8975524e2c204191423b020a3c1e5de6f38cc454ee4d3cf0692852fef80c8274a1c

      Download Submit

    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Filesize

      39.4MB

      MD5

      b29659258444736c405c96c7f587a39d

      SHA1

      766414cc23f000519e5fe1c97b738d84c974b214

      SHA256

      9461eeacd78a031f78ef5127a0cb4e1b220a663473018a43dadafd37905633ef

      SHA512

      3c6f4732b73cd681fd22f487ec83403e0751a80c1fc3ef03a639d0a46f3aa8975524e2c204191423b020a3c1e5de6f38cc454ee4d3cf0692852fef80c8274a1c

      Download Submit

    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Filesize

      39.4MB

      MD5

      b29659258444736c405c96c7f587a39d

      SHA1

      766414cc23f000519e5fe1c97b738d84c974b214

      SHA256

      9461eeacd78a031f78ef5127a0cb4e1b220a663473018a43dadafd37905633ef

      SHA512

      3c6f4732b73cd681fd22f487ec83403e0751a80c1fc3ef03a639d0a46f3aa8975524e2c204191423b020a3c1e5de6f38cc454ee4d3cf0692852fef80c8274a1c

      Download Submit

    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      Filesize

      39.4MB

      MD5

      b29659258444736c405c96c7f587a39d

      SHA1

      766414cc23f000519e5fe1c97b738d84c974b214

      SHA256

      9461eeacd78a031f78ef5127a0cb4e1b220a663473018a43dadafd37905633ef

      SHA512

      3c6f4732b73cd681fd22f487ec83403e0751a80c1fc3ef03a639d0a46f3aa8975524e2c204191423b020a3c1e5de6f38cc454ee4d3cf0692852fef80c8274a1c

      Download Submit

    • memory/432-176-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/432-173-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/432-158-0x0000000000000000-mapping.dmp

      Download

    • memory/432-178-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/856-174-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/856-175-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/856-160-0x0000000000000000-mapping.dmp

      Download

    • memory/856-177-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2368-155-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2368-151-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2368-157-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/2368-159-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2368-154-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2840-148-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2840-150-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/2840-156-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/2840-139-0x0000000000000000-mapping.dmp

      Download

    • memory/3344-132-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/3344-142-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

      Download

    • memory/3344-138-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3344-136-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3344-137-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3344-133-0x0000000010000000-0x0000000010362000-memory.dmp

      Filesize

      3.4MB

      Download