Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2022, 11:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f9e04fc9b76fe29933cd8e911dda1289323e9d15d3601fe25116b4a7b5c3f249.exe

  • Size

    375KB

  • MD5

    29d1cbeba8b4d013af041c1564c99962

  • SHA1

    e43fbcb36a13bbccacc7f7aab8bcdaf07215d7e6

  • SHA256

    f9e04fc9b76fe29933cd8e911dda1289323e9d15d3601fe25116b4a7b5c3f249

  • SHA512

    206ba54dfa84b47df84ca439e5485f3b00b7b9586d62d03bafce08c677d7588d5dc034f236582a5eb422aa7e47699ba5c531bebd11c7885f4f3e4e02aa4fb84d

  • SSDEEP

    6144:Pv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:P4VOiF1WD7kE1dTYOi8V5u23zmWFy4

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 4 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9e04fc9b76fe29933cd8e911dda1289323e9d15d3601fe25116b4a7b5c3f249.exe
    "C:\Users\Admin\AppData\Local\Temp\f9e04fc9b76fe29933cd8e911dda1289323e9d15d3601fe25116b4a7b5c3f249.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4728
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4676
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 576
      2⤵
      • Program crash
      PID:4940
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3644 -ip 3644
    1⤵
      PID:936

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
            Filesize

            39.4MB

            MD5

            14afe636761291d58b321486d6814365

            SHA1

            033337d929f136b2416aa8147e7e5e2e37d0d210

            SHA256

            c594cd8100a75e1be23e2013c23ac6ada0956bac6aee7bdffdbf3e391aab7411

            SHA512

            52ebb86868b600b2d1e178eb08c2a3de2dd2149e013d7ad5ef808f694303d889fd5c875dfd79a62828af2173780e05ebd2a943d54ad046e35bee278f37edf17c

            Download Submit

          • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
            Filesize

            39.4MB

            MD5

            14afe636761291d58b321486d6814365

            SHA1

            033337d929f136b2416aa8147e7e5e2e37d0d210

            SHA256

            c594cd8100a75e1be23e2013c23ac6ada0956bac6aee7bdffdbf3e391aab7411

            SHA512

            52ebb86868b600b2d1e178eb08c2a3de2dd2149e013d7ad5ef808f694303d889fd5c875dfd79a62828af2173780e05ebd2a943d54ad046e35bee278f37edf17c

            Download Submit

          • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
            Filesize

            39.4MB

            MD5

            14afe636761291d58b321486d6814365

            SHA1

            033337d929f136b2416aa8147e7e5e2e37d0d210

            SHA256

            c594cd8100a75e1be23e2013c23ac6ada0956bac6aee7bdffdbf3e391aab7411

            SHA512

            52ebb86868b600b2d1e178eb08c2a3de2dd2149e013d7ad5ef808f694303d889fd5c875dfd79a62828af2173780e05ebd2a943d54ad046e35bee278f37edf17c

            Download Submit

          • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
            Filesize

            39.4MB

            MD5

            14afe636761291d58b321486d6814365

            SHA1

            033337d929f136b2416aa8147e7e5e2e37d0d210

            SHA256

            c594cd8100a75e1be23e2013c23ac6ada0956bac6aee7bdffdbf3e391aab7411

            SHA512

            52ebb86868b600b2d1e178eb08c2a3de2dd2149e013d7ad5ef808f694303d889fd5c875dfd79a62828af2173780e05ebd2a943d54ad046e35bee278f37edf17c

            Download Submit

          • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
            Filesize

            39.4MB

            MD5

            14afe636761291d58b321486d6814365

            SHA1

            033337d929f136b2416aa8147e7e5e2e37d0d210

            SHA256

            c594cd8100a75e1be23e2013c23ac6ada0956bac6aee7bdffdbf3e391aab7411

            SHA512

            52ebb86868b600b2d1e178eb08c2a3de2dd2149e013d7ad5ef808f694303d889fd5c875dfd79a62828af2173780e05ebd2a943d54ad046e35bee278f37edf17c

            Download Submit

          • memory/1412-148-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/1412-150-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/1412-157-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/3644-158-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/3644-156-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/3644-151-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/3644-154-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/3644-155-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/4528-135-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/4528-138-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/4528-137-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/4528-141-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/4528-132-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/4528-136-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/4676-173-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/4676-176-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/4676-175-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/4728-174-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/4728-177-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download