Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    160s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03/10/2022, 07:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    31b60fd32c79383e32ac420e87d054dad4c760e8088cdd8115ef6a25f2921bf9.exe

  • Size

    375KB

  • MD5

    bef8777c2e803a56cdee15a1cecd736e

  • SHA1

    4f4bf8842c3914bc15859c344180f290247d2796

  • SHA256

    31b60fd32c79383e32ac420e87d054dad4c760e8088cdd8115ef6a25f2921bf9

  • SHA512

    1113a1c336155addd1639d4a566c07cbedaa6118a6019e478425bd08e9b4cebab954223af9c6a18c7eed750956abdca61829753cd5b0f29471fbef5afd56efa9

  • SSDEEP

    6144:rv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:r4VOiF1WD7kE1dTYOi8V5u23zmWFy4

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 7 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 3 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31b60fd32c79383e32ac420e87d054dad4c760e8088cdd8115ef6a25f2921bf9.exe
    "C:\Users\Admin\AppData\Local\Temp\31b60fd32c79383e32ac420e87d054dad4c760e8088cdd8115ef6a25f2921bf9.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3764
  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4200
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1808

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          39.4MB

          MD5

          05a37c9b132ccae85f83c6616b582978

          SHA1

          e92de32ff473cf9f428553b4d8a308ca7b237c40

          SHA256

          3a55543996bbd110a000743bec231ecbda3cb80c8c90db4b21f60c6b081b884d

          SHA512

          fc0c9eb66458f45b19805629a98d7e039d8cadc085288f2941f449b56fd101ac2b0d292d68448b7e73265428ecdcca4a684f5e345d70232d02b13c059794b3e5

          Download Submit

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          39.4MB

          MD5

          05a37c9b132ccae85f83c6616b582978

          SHA1

          e92de32ff473cf9f428553b4d8a308ca7b237c40

          SHA256

          3a55543996bbd110a000743bec231ecbda3cb80c8c90db4b21f60c6b081b884d

          SHA512

          fc0c9eb66458f45b19805629a98d7e039d8cadc085288f2941f449b56fd101ac2b0d292d68448b7e73265428ecdcca4a684f5e345d70232d02b13c059794b3e5

          Download Submit

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          39.4MB

          MD5

          05a37c9b132ccae85f83c6616b582978

          SHA1

          e92de32ff473cf9f428553b4d8a308ca7b237c40

          SHA256

          3a55543996bbd110a000743bec231ecbda3cb80c8c90db4b21f60c6b081b884d

          SHA512

          fc0c9eb66458f45b19805629a98d7e039d8cadc085288f2941f449b56fd101ac2b0d292d68448b7e73265428ecdcca4a684f5e345d70232d02b13c059794b3e5

          Download Submit

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          39.4MB

          MD5

          05a37c9b132ccae85f83c6616b582978

          SHA1

          e92de32ff473cf9f428553b4d8a308ca7b237c40

          SHA256

          3a55543996bbd110a000743bec231ecbda3cb80c8c90db4b21f60c6b081b884d

          SHA512

          fc0c9eb66458f45b19805629a98d7e039d8cadc085288f2941f449b56fd101ac2b0d292d68448b7e73265428ecdcca4a684f5e345d70232d02b13c059794b3e5

          Download Submit

        • memory/1808-372-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/1808-359-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2972-154-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-158-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-123-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-124-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-125-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/2972-127-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-126-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-128-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-129-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-159-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-131-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-132-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-133-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-134-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-136-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-137-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-135-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-138-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-139-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-140-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-142-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-141-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-143-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-144-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-145-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-146-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-147-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-148-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-149-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-150-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-151-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-152-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-153-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-121-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-155-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-156-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-122-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-157-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-130-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-160-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-161-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-162-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-163-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-164-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-165-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-166-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-167-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-168-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2972-171-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-172-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2972-173-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2972-174-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2972-175-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-176-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-177-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-178-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-179-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/2972-180-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-181-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-182-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-183-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-184-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-193-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/2972-118-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-119-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2972-120-0x0000000077220000-0x00000000773AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3764-247-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/3764-246-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/3764-302-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/4200-301-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/4200-370-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/4200-371-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download