Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-10-2022 19:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a62e29d291617c2fe56bb602880f398acb546456912428e4c493f3122f6f5b1a.exe

  • Size

    375KB

  • MD5

    aa686d8290261376e6cef65e9187bccb

  • SHA1

    9141007472c3948b790adfc1811a9c892beea950

  • SHA256

    a62e29d291617c2fe56bb602880f398acb546456912428e4c493f3122f6f5b1a

  • SHA512

    46c7e3ed3b277dec3ce4ac2c7f0f134e6f9aa5164d3322259cf317170f60c58fbb2467e06f3f89e8d9116b5d7ed2c8bb3b248d7a50eb0c102df0005fecce0d7b

  • SSDEEP

    6144:Sv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:S4VOiF1WD7kE1dTYOi8V5u23zmWFy4

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a62e29d291617c2fe56bb602880f398acb546456912428e4c493f3122f6f5b1a.exe
    "C:\Users\Admin\AppData\Local\Temp\a62e29d291617c2fe56bb602880f398acb546456912428e4c493f3122f6f5b1a.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2944
  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3100

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    Filesize

    39.4MB

    MD5

    494e46cbe86c461c408fbda8a35e8981

    SHA1

    6e8e0a75a30df10da621066cbb9c33ca27685df7

    SHA256

    fcf37b62592534aadc1b268cafa336b817f0fb55b1d5e315a246d1a89675da44

    SHA512

    db976e6c5c79dffd60d1ab88357d85aa059b15c57827c52d35f5656018f11bdcb8ef0ef3640ddb8e9ef714ef5970aee7deba7781ad630759600a6d5006901b1b

    Download Submit

  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    Filesize

    39.4MB

    MD5

    494e46cbe86c461c408fbda8a35e8981

    SHA1

    6e8e0a75a30df10da621066cbb9c33ca27685df7

    SHA256

    fcf37b62592534aadc1b268cafa336b817f0fb55b1d5e315a246d1a89675da44

    SHA512

    db976e6c5c79dffd60d1ab88357d85aa059b15c57827c52d35f5656018f11bdcb8ef0ef3640ddb8e9ef714ef5970aee7deba7781ad630759600a6d5006901b1b

    Download Submit

  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    Filesize

    39.4MB

    MD5

    494e46cbe86c461c408fbda8a35e8981

    SHA1

    6e8e0a75a30df10da621066cbb9c33ca27685df7

    SHA256

    fcf37b62592534aadc1b268cafa336b817f0fb55b1d5e315a246d1a89675da44

    SHA512

    db976e6c5c79dffd60d1ab88357d85aa059b15c57827c52d35f5656018f11bdcb8ef0ef3640ddb8e9ef714ef5970aee7deba7781ad630759600a6d5006901b1b

    Download Submit

  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    Filesize

    39.4MB

    MD5

    494e46cbe86c461c408fbda8a35e8981

    SHA1

    6e8e0a75a30df10da621066cbb9c33ca27685df7

    SHA256

    fcf37b62592534aadc1b268cafa336b817f0fb55b1d5e315a246d1a89675da44

    SHA512

    db976e6c5c79dffd60d1ab88357d85aa059b15c57827c52d35f5656018f11bdcb8ef0ef3640ddb8e9ef714ef5970aee7deba7781ad630759600a6d5006901b1b

    Download Submit

  • memory/2944-247-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2944-300-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/3100-366-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3100-357-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3100-356-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4368-151-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-157-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-125-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-126-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-128-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-127-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4368-129-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-130-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-124-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-133-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-132-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-135-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-136-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-134-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-137-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-139-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-140-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-141-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-142-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-138-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-131-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-143-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-144-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-145-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-146-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-147-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-148-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-149-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-150-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-122-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-152-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-153-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-154-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-155-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-156-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-123-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-158-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-159-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-160-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-161-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-162-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-163-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-164-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-165-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-166-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4368-169-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-171-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4368-170-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4368-172-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-173-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4368-174-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4368-175-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-176-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-177-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-178-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-179-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-180-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-181-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-182-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-189-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4368-116-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-121-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-120-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-119-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-118-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4368-117-0x0000000077520000-0x00000000776AE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4564-298-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4564-369-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/4564-370-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

    Download