Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/10/2022, 01:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0f2c3d59bcd2118d60be5467886617363d8d68397c4dabeee6513c9a89658970.exe

  • Size

    375KB

  • MD5

    6c9e4d8fd012de8a3cbccb0830b1c248

  • SHA1

    bdc474687e59bb08f5dda5453d1c37a075fb7e1b

  • SHA256

    0f2c3d59bcd2118d60be5467886617363d8d68397c4dabeee6513c9a89658970

  • SHA512

    a198ec3196e92980f71106baa860588bb72ace77a5ea689565f5bae0f0326ab69681568b9c3846f8db02be5ab431f42c94d3cf4c6bb9caf2943e167de5f6a18c

  • SSDEEP

    6144:0v5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:04VOiF1WD7kE1dTYOi8V5u23zmWFy4

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 12 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 4 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f2c3d59bcd2118d60be5467886617363d8d68397c4dabeee6513c9a89658970.exe
    "C:\Users\Admin\AppData\Local\Temp\0f2c3d59bcd2118d60be5467886617363d8d68397c4dabeee6513c9a89658970.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1248
  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4448
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4276
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 660
      2⤵
      • Program crash
      PID:4108
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3208 -ip 3208
    1⤵
      PID:2020

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
            Filesize

            39.4MB

            MD5

            879e0e5f93ec6e3718985b2478ba5f21

            SHA1

            6eab78a9990f361ea69f5ef8a419f09821dba770

            SHA256

            71574f85b58d422ff31f4f736276b50b62c08d305f664fa3b608c5e77244d6ba

            SHA512

            475a21045ea015491be3d780ebe7638d4eb933e12a6f26a1c1846c592de36473637d83edaac226fb541c48d7d8813d9bedcf8c2c524e94282f6c0780f4c75ca2

            Download Submit

          • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
            Filesize

            39.4MB

            MD5

            879e0e5f93ec6e3718985b2478ba5f21

            SHA1

            6eab78a9990f361ea69f5ef8a419f09821dba770

            SHA256

            71574f85b58d422ff31f4f736276b50b62c08d305f664fa3b608c5e77244d6ba

            SHA512

            475a21045ea015491be3d780ebe7638d4eb933e12a6f26a1c1846c592de36473637d83edaac226fb541c48d7d8813d9bedcf8c2c524e94282f6c0780f4c75ca2

            Download Submit

          • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
            Filesize

            39.4MB

            MD5

            879e0e5f93ec6e3718985b2478ba5f21

            SHA1

            6eab78a9990f361ea69f5ef8a419f09821dba770

            SHA256

            71574f85b58d422ff31f4f736276b50b62c08d305f664fa3b608c5e77244d6ba

            SHA512

            475a21045ea015491be3d780ebe7638d4eb933e12a6f26a1c1846c592de36473637d83edaac226fb541c48d7d8813d9bedcf8c2c524e94282f6c0780f4c75ca2

            Download Submit

          • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
            Filesize

            39.4MB

            MD5

            879e0e5f93ec6e3718985b2478ba5f21

            SHA1

            6eab78a9990f361ea69f5ef8a419f09821dba770

            SHA256

            71574f85b58d422ff31f4f736276b50b62c08d305f664fa3b608c5e77244d6ba

            SHA512

            475a21045ea015491be3d780ebe7638d4eb933e12a6f26a1c1846c592de36473637d83edaac226fb541c48d7d8813d9bedcf8c2c524e94282f6c0780f4c75ca2

            Download Submit

          • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
            Filesize

            39.4MB

            MD5

            879e0e5f93ec6e3718985b2478ba5f21

            SHA1

            6eab78a9990f361ea69f5ef8a419f09821dba770

            SHA256

            71574f85b58d422ff31f4f736276b50b62c08d305f664fa3b608c5e77244d6ba

            SHA512

            475a21045ea015491be3d780ebe7638d4eb933e12a6f26a1c1846c592de36473637d83edaac226fb541c48d7d8813d9bedcf8c2c524e94282f6c0780f4c75ca2

            Download Submit

          • memory/800-138-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/800-143-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/800-137-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/800-136-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/800-133-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/800-132-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/1248-146-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/1248-147-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/1248-156-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/1248-159-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/3208-155-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/3208-151-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/3208-157-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/3208-179-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/3208-154-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/3208-158-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/4276-175-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/4276-177-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/4276-178-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/4448-176-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/4448-174-0x0000000000400000-0x0000000000469000-memory.dmp

            Filesize

            420KB

            Download

          • memory/4448-180-0x0000000010000000-0x0000000010362000-memory.dmp

            Filesize

            3.4MB

            Download