Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    20-09-2022 00:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2caa3bcc4146290a87ecde0f5e9f04df6d8b74d914c8370ee65bfd418ed4d111.exe

  • Size

    375KB

  • MD5

    ba7434f836ba253b0d9f9f2b8a9ada73

  • SHA1

    a1a108123493de1cee00a72e0db158fae6c271f0

  • SHA256

    2caa3bcc4146290a87ecde0f5e9f04df6d8b74d914c8370ee65bfd418ed4d111

  • SHA512

    b5bafb7dcfdb1aff410a77ae233c12d9c57c3ad684684c52b29cb7e2f4ea6920a403ca5dfa69cc35f891b52c98828609b97c8ba6563c7a13971250fe2cc6ef78

  • SSDEEP

    6144:Tv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:T4VOiF1WD7kE1dTYOi8V5u23zmWFy4

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 8 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 3 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2caa3bcc4146290a87ecde0f5e9f04df6d8b74d914c8370ee65bfd418ed4d111.exe
    "C:\Users\Admin\AppData\Local\Temp\2caa3bcc4146290a87ecde0f5e9f04df6d8b74d914c8370ee65bfd418ed4d111.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4564

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    Filesize

    39.4MB

    MD5

    4805d322fd40946c6d0f53387942b0f4

    SHA1

    4fbe3d59d8bce7d0a1f9b90aa86572cd83417e9f

    SHA256

    51046b4d81334282448c044b78787c5d0f2d8a96934483aa8b0e488cc90d31cf

    SHA512

    b8de58bc208c61b8713765650951abb2628dc038e6849fbb2d26b900aa2784f4fea0fd46c2a6e64f5c21d48c3eded5eb6d66ae6ff018051405c47c967904368e

    Download Submit

  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    Filesize

    39.4MB

    MD5

    4805d322fd40946c6d0f53387942b0f4

    SHA1

    4fbe3d59d8bce7d0a1f9b90aa86572cd83417e9f

    SHA256

    51046b4d81334282448c044b78787c5d0f2d8a96934483aa8b0e488cc90d31cf

    SHA512

    b8de58bc208c61b8713765650951abb2628dc038e6849fbb2d26b900aa2784f4fea0fd46c2a6e64f5c21d48c3eded5eb6d66ae6ff018051405c47c967904368e

    Download Submit

  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    Filesize

    39.4MB

    MD5

    4805d322fd40946c6d0f53387942b0f4

    SHA1

    4fbe3d59d8bce7d0a1f9b90aa86572cd83417e9f

    SHA256

    51046b4d81334282448c044b78787c5d0f2d8a96934483aa8b0e488cc90d31cf

    SHA512

    b8de58bc208c61b8713765650951abb2628dc038e6849fbb2d26b900aa2784f4fea0fd46c2a6e64f5c21d48c3eded5eb6d66ae6ff018051405c47c967904368e

    Download Submit

  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    Filesize

    39.4MB

    MD5

    4805d322fd40946c6d0f53387942b0f4

    SHA1

    4fbe3d59d8bce7d0a1f9b90aa86572cd83417e9f

    SHA256

    51046b4d81334282448c044b78787c5d0f2d8a96934483aa8b0e488cc90d31cf

    SHA512

    b8de58bc208c61b8713765650951abb2628dc038e6849fbb2d26b900aa2784f4fea0fd46c2a6e64f5c21d48c3eded5eb6d66ae6ff018051405c47c967904368e

    Download Submit

  • memory/2692-155-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-169-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-121-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2692-123-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-124-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-125-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-127-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-126-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-128-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-129-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-130-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-131-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-132-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-133-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-134-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-156-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-136-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-137-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-138-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-139-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-140-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-141-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-142-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-143-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-144-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-145-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-146-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-147-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-149-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-150-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-151-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-152-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-153-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-154-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-120-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-148-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-135-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-157-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-122-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-159-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-160-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-161-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-162-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-163-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-164-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-165-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-166-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-167-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-168-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-158-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-170-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2692-173-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-174-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2692-175-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2692-176-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-178-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2692-177-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-179-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-180-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-181-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-182-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-183-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-184-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-185-0x0000000077890000-0x0000000077A1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2692-191-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2892-188-0x0000000000000000-mapping.dmp

    Download

  • memory/2892-247-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2892-303-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4564-304-0x0000000000000000-mapping.dmp

    Download

  • memory/4564-359-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4564-372-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4564-373-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4900-301-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4900-370-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4900-371-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download