1ee4dbdfad2e44218f82f796fc51121e8df372bc7ac9017207aa065762ed6a65

Analysis

max time kernel
90s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2022 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ee4dbdfad2e44218f82f796fc51121e8df372bc7ac9017207aa065762ed6a65.exe
Size

2.4MB
MD5

5518a8ce491829d2a13fc9529bc37472
SHA1

9e6d6157e6cb0608be8499ea2325a0f4b6414a90
SHA256

1ee4dbdfad2e44218f82f796fc51121e8df372bc7ac9017207aa065762ed6a65
SHA512

e870a5b74531c0b749a5641c29bbb587963cae93060deef83c0cb45d5f811fcc13abd178dd174eae2fb8df3bb30217e692377ad0e2e5dcb95445fce91d5fa50e
SSDEEP

49152:K7lhiByVv53/WnZoq133HCDlDCalQU0tRoqv7zvoQz+HiE4ql0H:K7lhi8lAHHuVCmuvokv7z+HiXw8

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4508	DrMain.exe
4620	winpcap_setup.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
808	netsh.exe
4684	netsh.exe
4196	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1ee4dbdfad2e44218f82f796fc51121e8df372bc7ac9017207aa065762ed6a65.exe

Loads dropped DLL 4 IoCs

pid	Process
4508	DrMain.exe
4620	winpcap_setup.exe
4620	winpcap_setup.exe
4620	winpcap_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e4f-148.dat	nsis_installer_1
behavioral2/files/0x0006000000022e4f-148.dat	nsis_installer_2
behavioral2/files/0x0006000000022e4f-149.dat	nsis_installer_1
behavioral2/files/0x0006000000022e4f-149.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4508	DrMain.exe
4508	DrMain.exe
4508	DrMain.exe
4508	DrMain.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 4508	2540	1ee4dbdfad2e44218f82f796fc51121e8df372bc7ac9017207aa065762ed6a65.exe	78
PID 2540 wrote to memory of 4508	2540	1ee4dbdfad2e44218f82f796fc51121e8df372bc7ac9017207aa065762ed6a65.exe	78
PID 2540 wrote to memory of 4508	2540	1ee4dbdfad2e44218f82f796fc51121e8df372bc7ac9017207aa065762ed6a65.exe	78
PID 4508 wrote to memory of 3280	4508	DrMain.exe	79
PID 4508 wrote to memory of 3280	4508	DrMain.exe	79
PID 4508 wrote to memory of 3280	4508	DrMain.exe	79
PID 3280 wrote to memory of 4196	3280	cmd.exe	81
PID 3280 wrote to memory of 4196	3280	cmd.exe	81
PID 3280 wrote to memory of 4196	3280	cmd.exe	81
PID 4508 wrote to memory of 4040	4508	DrMain.exe	82
PID 4508 wrote to memory of 4040	4508	DrMain.exe	82
PID 4508 wrote to memory of 4040	4508	DrMain.exe	82
PID 4040 wrote to memory of 808	4040	cmd.exe	84
PID 4040 wrote to memory of 808	4040	cmd.exe	84
PID 4040 wrote to memory of 808	4040	cmd.exe	84
PID 4508 wrote to memory of 4776	4508	DrMain.exe	85
PID 4508 wrote to memory of 4776	4508	DrMain.exe	85
PID 4508 wrote to memory of 4776	4508	DrMain.exe	85
PID 4776 wrote to memory of 4684	4776	cmd.exe	87
PID 4776 wrote to memory of 4684	4776	cmd.exe	87
PID 4776 wrote to memory of 4684	4776	cmd.exe	87
PID 4508 wrote to memory of 4620	4508	DrMain.exe	88
PID 4508 wrote to memory of 4620	4508	DrMain.exe	88
PID 4508 wrote to memory of 4620	4508	DrMain.exe	88

C:\Users\Admin\AppData\Local\Temp\1ee4dbdfad2e44218f82f796fc51121e8df372bc7ac9017207aa065762ed6a65.exe
"C:\Users\Admin\AppData\Local\Temp\1ee4dbdfad2e44218f82f796fc51121e8df372bc7ac9017207aa065762ed6a65.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2540
- C:\DCSM\DrUpdateClient\DrMain.exe
  "C:\DCSM\DrUpdateClient\DrMain.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c netsh advfirewall firewall delete rule name="Dr.COM Auth Client"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall delete rule name="Dr.COM Auth Client"
      4⤵
      Modifies Windows Firewall
      PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c netsh advfirewall firewall add rule name="Dr.COM Auth Client" dir=out action=allow protocol=UDP localport=61440 remoteport=61440
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Dr.COM Auth Client" dir=out action=allow protocol=UDP localport=61440 remoteport=61440
      4⤵
      Modifies Windows Firewall
      PID:808
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c netsh advfirewall firewall add rule name="Dr.COM Auth Client" dir=in action=allow protocol=UDP localport=61440 remoteport=61440
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Dr.COM Auth Client" dir=in action=allow protocol=UDP localport=61440 remoteport=61440
      4⤵
      Modifies Windows Firewall
      PID:4684
- - C:\DCSM\DrUpdateClient\winpcap_setup.exe
    "C:\DCSM\DrUpdateClient\winpcap_setup.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DCSM\DrUpdateClient\DrClient.en

Filesize
23KB

MD5
99cd8a6bff9f6d1adaa6e9b315e38290

SHA1
9172887241da6afc9718284e887e974849961887

SHA256
489a376d45b643d5eb211ab9557a7dae7b083a1e6854e93403164aff318df00b

SHA512
e9edc848454de1578c77aa61abd58e204053d7675b59e39de739c8a8bcc38b6d6549900bca2c9d7fd7fe0229b7a9cf5bc8e4929aba7add9dd23d99cc8c1a47a0

Download Submit
C:\DCSM\DrUpdateClient\DrConfigure

Filesize
3KB

MD5
ef67dbeb10b8a2231f118aa31c718870

SHA1
0aaa3944f11b447bc2c0bf2405f4f4ce3997a230

SHA256
d53715c43a6dc8739cd36f0e1c787d769020c55217c620fb752ec7162f3f939f

SHA512
e23f0ecb644028e02c9132e4d7e26c3633ba247626c96d7bde911913ad8dc4a375ff8d470df4fafeeb1abd42eef50b924d55d7d83acadb02f3b03e00e4f7f1cd

Download Submit
C:\DCSM\DrUpdateClient\DrMain.exe

Filesize
320KB

MD5
bbfdd83944fce5c399a5c2366e6259e3

SHA1
5fe2a34c1501769eccfa87f232f0bdfb0d796e76

SHA256
f747afa8e1fd1d2d221e6b6f27d52c88fcacb3beefcec0e542392a38a55f3293

SHA512
5aa727831b8977bef406fc0901023b72ebd4d5713aa5698268c70a675b1ae3d92577642f65e6969dd6e119ac3093ab8aca089da7fe7d8d2b83dbbb8d9ab9c2e7

Download Submit
C:\DCSM\DrUpdateClient\DrMain.exe

Filesize
320KB

MD5
bbfdd83944fce5c399a5c2366e6259e3

SHA1
5fe2a34c1501769eccfa87f232f0bdfb0d796e76

SHA256
f747afa8e1fd1d2d221e6b6f27d52c88fcacb3beefcec0e542392a38a55f3293

SHA512
5aa727831b8977bef406fc0901023b72ebd4d5713aa5698268c70a675b1ae3d92577642f65e6969dd6e119ac3093ab8aca089da7fe7d8d2b83dbbb8d9ab9c2e7

Download Submit
C:\DCSM\DrUpdateClient\DrMianConfigure

Filesize
304B

MD5
b3a6660a5c074af9fbd8e943c36fc655

SHA1
6c6bfcc2d46f925d1f706731118acf700c2dcffb

SHA256
57995c14cf3081b760b7e9b83302531f1521362304450e0ea4bfbffe3d86a15c

SHA512
ae892d7f460a0fb952f9889ee97ac408434621ffdb68937d766c245d0ab07ae454b102978b17f6d1421c7d5e664d5f19e70f6d31d2f520cd5bfc244c43193428

Download Submit
C:\DCSM\DrUpdateClient\DrReport.dll

Filesize
152KB

MD5
ac30d93db734f259f64335692057d73e

SHA1
88564404417fbb104fa57ae158a9c51f369620eb

SHA256
ed0e2d7d1595a784ec0e8efb638ad8481014542acd919452354dc6d7ccfff34a

SHA512
e71774f00172e13a977f0046fe440a4eb621b7935fbcd4c7356a5d253e58f50d25ddee34f0f3492e3d0bed61997c3e8ae034605cac0c7d20191118a8f51d4b57

Download Submit
C:\DCSM\DrUpdateClient\DrReport.dll

Filesize
152KB

MD5
ac30d93db734f259f64335692057d73e

SHA1
88564404417fbb104fa57ae158a9c51f369620eb

SHA256
ed0e2d7d1595a784ec0e8efb638ad8481014542acd919452354dc6d7ccfff34a

SHA512
e71774f00172e13a977f0046fe440a4eb621b7935fbcd4c7356a5d253e58f50d25ddee34f0f3492e3d0bed61997c3e8ae034605cac0c7d20191118a8f51d4b57

Download Submit
C:\DCSM\DrUpdateClient\drauth_1x_dcsm.dll

Filesize
656KB

MD5
3198511e2c0ddd0d20c0f4e6f00bce24

SHA1
84bee5f5a4710a3881cbe381d0304843d26277d2

SHA256
4f7982cef6fb23e02cf790923289fc2d4958017e0958f0882525a44520cebcfd

SHA512
12d7823c0241dce69cac058db8e5fb627d1db12b73fc9dad5c766e9d68f57e194b19d14a1371191e0d1915801ed0594517a8580dc2d91ad872cc45954f741c87

Download Submit
C:\DCSM\DrUpdateClient\winpcap_setup.exe

Filesize
892KB

MD5
d87e86aa7ee90b48e5b4e8ac6caec303

SHA1
42976012da910aa997045937f33c913e2e429208

SHA256
68651f49ef80a02470286481cbeed2fcadabbac3785e2b47ddc0844ca7042628

SHA512
9a7719ef123a12271c7272fe94acfdba7b54b359e7f730e02e3557afb9c2341649a0c51f16e48381e415f887490fc2c3d0822e45a5587ffd3115183883ea8695

Download Submit
C:\DCSM\DrUpdateClient\winpcap_setup.exe

Filesize
892KB

MD5
d87e86aa7ee90b48e5b4e8ac6caec303

SHA1
42976012da910aa997045937f33c913e2e429208

SHA256
68651f49ef80a02470286481cbeed2fcadabbac3785e2b47ddc0844ca7042628

SHA512
9a7719ef123a12271c7272fe94acfdba7b54b359e7f730e02e3557afb9c2341649a0c51f16e48381e415f887490fc2c3d0822e45a5587ffd3115183883ea8695

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc7555.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc7555.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc7555.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit