Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29-09-2022 04:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1063141a71a9f3b788d4be37ff25d52cb29f7ec8105fbd8b90129073e78cd033.exe

  • Size

    1.7MB

  • MD5

    47d2d449ec519d7d24feafff8088735f

  • SHA1

    75fd74fffc8a9da0ef33dce2a616fd2424e41b86

  • SHA256

    1063141a71a9f3b788d4be37ff25d52cb29f7ec8105fbd8b90129073e78cd033

  • SHA512

    9fd8f13e6fc0ddf3cd69eb23f5fd9982b1f9f2f361b4b37de445bceea18860bdf8ca9ef546302d927b8ad749f48789ff51fe4797a69106a82921e275b5ada08b

  • SSDEEP

    24576:Bn1MHQ7hZjEnBmMYYsB3J0zNMESsm/r8REOuPOEkU1johR:1NZjEnBmMAJGNusYr8REOuP3kUZohR

Score
10/10
asyncratpersistencerat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Async RAT payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1063141a71a9f3b788d4be37ff25d52cb29f7ec8105fbd8b90129073e78cd033.exe
    "C:\Users\Admin\AppData\Local\Temp\1063141a71a9f3b788d4be37ff25d52cb29f7ec8105fbd8b90129073e78cd033.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4904
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ufgzuj.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ufgzuj.exe"'
          4⤵
            PID:4048
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wfxvxt.exe"' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3264
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wfxvxt.exe"'
            4⤵
              PID:5080
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ugonkh.exe"' & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3420
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ugonkh.exe"'
              4⤵
                PID:4728

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Winlogon Helper DLL

        1
        T1004

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1148-162-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-149-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-122-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-123-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-124-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-125-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-126-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-127-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-128-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-129-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-130-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-131-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-132-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-133-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-134-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-135-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-136-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-137-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-138-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-139-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-140-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-141-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-142-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-160-0x0000000004D20000-0x0000000004DC6000-memory.dmp
          Filesize

          664KB

          Download
        • memory/1148-144-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-145-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-146-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-147-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-148-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-161-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-150-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-151-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-152-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-153-0x0000000000400000-0x00000000005B0000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1148-154-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-155-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-156-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-157-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-158-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-159-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-143-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-121-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-186-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-163-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-164-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-165-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-166-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-167-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-168-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-169-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-170-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-171-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-172-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-173-0x0000000004F50000-0x0000000004FE2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/1148-174-0x0000000004F00000-0x0000000004F22000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1148-175-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-176-0x0000000004FE0000-0x0000000005330000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/1148-177-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-178-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-179-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-180-0x000000003CC70000-0x000000003CCD6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1148-181-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-182-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-183-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-184-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-185-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-120-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-187-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-188-0x000000003D110000-0x000000003D1A2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/1148-189-0x000000003D6B0000-0x000000003DBAE000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/1148-190-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1148-191-0x0000000076FB0000-0x000000007713E000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/2844-305-0x0000000000000000-mapping.dmp
          Download
        • memory/3264-318-0x0000000000000000-mapping.dmp
          Download
        • memory/3420-331-0x0000000000000000-mapping.dmp
          Download
        • memory/4048-311-0x0000000000000000-mapping.dmp
          Download
        • memory/4728-337-0x0000000000000000-mapping.dmp
          Download
        • memory/4904-193-0x000000000040C7CE-mapping.dmp
          Download
        • memory/4904-242-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/4904-282-0x0000000005850000-0x00000000058EC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/4904-291-0x00000000069D0000-0x0000000006A46000-memory.dmp
          Filesize

          472KB

          Download
        • memory/4904-294-0x0000000005B70000-0x0000000005B7C000-memory.dmp
          Filesize

          48KB

          Download
        • memory/4904-295-0x00000000069B0000-0x00000000069CE000-memory.dmp
          Filesize

          120KB

          Download
        • memory/5080-324-0x0000000000000000-mapping.dmp
          Download