Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2022 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ce4aff682a4faa9c09793f5a0f09db075786fe2d3098acf7553c62df22fa766.exe

  • Size

    87KB

  • MD5

    1ac438d233f333474b959f8c0cb719af

  • SHA1

    9e64e2e4c3f295829a57810853a112b567209301

  • SHA256

    9ce4aff682a4faa9c09793f5a0f09db075786fe2d3098acf7553c62df22fa766

  • SHA512

    c5fb1dcf19be5dd5f1526b5a3572ae7fbd7efe63453cb7b5babd7d494d48b8c264d0c302658976a50b1b8d2f52874765631d6b9b64f5f1903bf674af81ca3990

  • SSDEEP

    1536:7UZggBc01k4Br4bk4OAsZ08PL4IBQF7EiMsf617xIatwIavbgoeaZ91x2uta:7UigBMRbBi/MGQF7EiMe6xZtqbgoeY9s

Score
10/10
asyncratsecurityhealthseurvicepersistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityHealthSeurvice

C2

217.64.31.3:8437

Mutex

SecurityHealthSeurvice

Attributes
  • delay

    3

  • install

    false

  • install_file

    SecurityHealthSeurvice.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ce4aff682a4faa9c09793f5a0f09db075786fe2d3098acf7553c62df22fa766.exe
    "C:\Users\Admin\AppData\Local\Temp\9ce4aff682a4faa9c09793f5a0f09db075786fe2d3098acf7553c62df22fa766.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthSeurvic';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthSeurvic' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthSeurvic\SecurityHealthSeurvic.exe"' -PropertyType 'String'
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3448
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /C schtasks /create /tn \SecurityHealthSeurvic /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSeurvic\SecurityHealthSeurvic.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn \SecurityHealthSeurvic /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSeurvic\SecurityHealthSeurvic.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:532
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      #cmd
      2⤵
        PID:1164

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/532-136-0x0000000000000000-mapping.dmp
      Download
    • memory/1164-138-0x0000000000000000-mapping.dmp
      Download
    • memory/1164-139-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1556-133-0x00000000057E0000-0x0000000005D84000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1556-132-0x0000000000950000-0x000000000096C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/3448-144-0x0000000006230000-0x000000000624E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3448-146-0x00000000707E0000-0x000000007082C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3448-155-0x0000000007920000-0x0000000007942000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3448-140-0x00000000053F0000-0x0000000005A18000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3448-141-0x0000000005260000-0x0000000005282000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3448-142-0x0000000005B80000-0x0000000005BE6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3448-143-0x0000000005C00000-0x0000000005C66000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3448-134-0x0000000000000000-mapping.dmp
      Download
    • memory/3448-145-0x0000000006890000-0x00000000068C2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3448-137-0x0000000002900000-0x0000000002936000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3448-147-0x0000000006850000-0x000000000686E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3448-148-0x0000000007C40000-0x00000000082BA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3448-149-0x00000000075E0000-0x00000000075FA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3448-150-0x0000000007630000-0x000000000763A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3448-151-0x0000000007840000-0x00000000078D6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/3448-152-0x00000000077F0000-0x00000000077FE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3448-153-0x0000000007900000-0x000000000791A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3448-154-0x00000000078E0000-0x00000000078E8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3768-135-0x0000000000000000-mapping.dmp
      Download