Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11/10/2022, 03:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dcbefe5f882c228d2382ccdc6caac35cd790b1e82f402766527e0ad40c738b07.exe

  • Size

    375KB

  • MD5

    717134ce585b8c86a55912e9c116c0f4

  • SHA1

    3d4c8dc5556a594d841885289fb141b905192d1f

  • SHA256

    dcbefe5f882c228d2382ccdc6caac35cd790b1e82f402766527e0ad40c738b07

  • SHA512

    888d211049994f732f0615bf4a75d990eebca841e5e5f4d031fb87324fb924a2c192601be7387887585359c94a006927a24040921dc540778cd93cf9b9a8d9e1

  • SSDEEP

    6144:Bv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:B4VOiF1WD7kE1dTYOi8V5u23zmWFy4

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dcbefe5f882c228d2382ccdc6caac35cd790b1e82f402766527e0ad40c738b07.exe
    "C:\Users\Admin\AppData\Local\Temp\dcbefe5f882c228d2382ccdc6caac35cd790b1e82f402766527e0ad40c738b07.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4204
  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1776

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          39.4MB

          MD5

          db3b2dc05fe0346f4328ddf594503879

          SHA1

          7bf61e616cc3864381ccac37372f060aed4d7103

          SHA256

          6a0163afd3825db673b8940c152e4f75811139a23e2a9843e2de12ffe3d9fec3

          SHA512

          171a64ce8e599272c5da18b326a9030d80e5abb297597e0de8db8617860925b30d58628a12e32e60608b41bfc566ffc770221fe8a119ef508f6e348ec60c6b03

          Download Submit

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          39.4MB

          MD5

          db3b2dc05fe0346f4328ddf594503879

          SHA1

          7bf61e616cc3864381ccac37372f060aed4d7103

          SHA256

          6a0163afd3825db673b8940c152e4f75811139a23e2a9843e2de12ffe3d9fec3

          SHA512

          171a64ce8e599272c5da18b326a9030d80e5abb297597e0de8db8617860925b30d58628a12e32e60608b41bfc566ffc770221fe8a119ef508f6e348ec60c6b03

          Download Submit

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          39.4MB

          MD5

          db3b2dc05fe0346f4328ddf594503879

          SHA1

          7bf61e616cc3864381ccac37372f060aed4d7103

          SHA256

          6a0163afd3825db673b8940c152e4f75811139a23e2a9843e2de12ffe3d9fec3

          SHA512

          171a64ce8e599272c5da18b326a9030d80e5abb297597e0de8db8617860925b30d58628a12e32e60608b41bfc566ffc770221fe8a119ef508f6e348ec60c6b03

          Download Submit

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          39.4MB

          MD5

          db3b2dc05fe0346f4328ddf594503879

          SHA1

          7bf61e616cc3864381ccac37372f060aed4d7103

          SHA256

          6a0163afd3825db673b8940c152e4f75811139a23e2a9843e2de12ffe3d9fec3

          SHA512

          171a64ce8e599272c5da18b326a9030d80e5abb297597e0de8db8617860925b30d58628a12e32e60608b41bfc566ffc770221fe8a119ef508f6e348ec60c6b03

          Download Submit

        • memory/1776-375-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/1776-363-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2016-156-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/2016-169-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-125-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-126-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-127-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-128-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-129-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-130-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-131-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-132-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-159-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-134-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-135-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-136-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-137-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-138-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-139-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-140-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-141-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-142-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-143-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-144-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-145-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-146-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-147-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-148-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-150-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-149-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-152-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-151-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-153-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-154-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-155-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-123-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-161-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-158-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-133-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-124-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-157-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-163-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-162-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-164-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-165-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-166-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-167-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-168-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-160-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-170-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-171-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2016-174-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2016-175-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-176-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2016-177-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2016-178-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2016-179-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-180-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-181-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-182-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-183-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-184-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-185-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-186-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-187-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-190-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2016-202-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/2016-121-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/2016-120-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2016-122-0x0000000076FB0000-0x000000007713E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4204-277-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/4204-305-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/4892-304-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/4892-373-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/4892-374-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download