dfsrdiag[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

dfsrdiag.exe
Size

2.3MB
MD5

85520079d7ce947e7ffbda8660e8eb06
SHA1

c2bd57da62657dd6fd4b47c2a3d84cb0bf015e26
SHA256

49867dad2f81d58c842f8ff6a3fbcbada0b368fb753a28e0a49ad24e7867d1f8
SHA512

b7142396ca2f9803691c54c5e77b89100805121350fb90ac85904504e4b0e89b28795b42b5757daf13f4bad210d000b3cb9f13d622318692b3f5671abc00405e
SSDEEP

49152:oEvQ2s8hRPIZ7pMkWeexNjwFm6zj6b73HMsWn9On7I5TKp51:oEvQ2s8hRPIZ7pMkWPzOa

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
dfsrdiag.exe

Files

dfsrdiag.exe
.exe windows x64

3b33f6cade6896fa67f2374e4b8e27c3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

LsaClose
LsaOpenPolicy
LsaQueryInformationPolicy
LsaFreeMemory
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
LookupAccountSidW
GetUserNameW
OpenServiceW
ConvertSidToStringSidW
OpenSCManagerW
CloseServiceHandle
QueryServiceStatus
PerfSetULongLongCounterValue
PerfIncrementULongLongCounterValue
PerfDeleteInstance
CryptReleaseContext
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptAcquireContextW
RegGetKeySecurity
RegCreateKeyExW
QueryServiceConfigW
ChangeServiceConfigW
ControlService
StartServiceW
RevertToSelf
ImpersonateLoggedOnUser
MakeAbsoluteSD
SetSecurityDescriptorControl
IsValidSecurityDescriptor
SetSecurityDescriptorDacl
ConvertSecurityDescriptorToStringSecurityDescriptorW
MakeSelfRelativeSD
GetSecurityDescriptorControl
InitializeSecurityDescriptor
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
AddAce
InitializeAcl
GetAclInformation
GetSidSubAuthorityCount
GetSidIdentifierAuthority
LookupAccountNameW
GetSidSubAuthority
InitializeSid
GetSidLengthRequired
GetLengthSid
IsValidSid
CopySid
DeregisterEventSource
ReportEventW
RegisterEventSourceW
WriteEncryptedFileRaw
ReadEncryptedFileRaw
CloseEncryptedFileRaw
OpenEncryptedFileRawW
DecryptFileW
GetAce
EqualSid
GetSecurityInfo
FreeSid
AllocateAndInitializeSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
SetSecurityInfo
RegOpenKeyExW
RegDeleteValueW
RegSetKeySecurity
RegEnumKeyExW
RegQueryValueExW
RegSetValueExW
RegCloseKey
GetSecurityDescriptorLength

kernel32

FileTimeToSystemTime
DeleteFileW
CreateDirectoryW
GetFileAttributesW
ExpandEnvironmentStringsW
LeaveCriticalSection
EnterCriticalSection
ResetEvent
SetEvent
DeleteCriticalSection
GetTickCount
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
OutputDebugStringA
Sleep
GetCurrentProcess
CreateFileW
CloseHandle
GetLocalTime
SystemTimeToFileTime
GetDriveTypeW
FindFirstFileW
FindNextFileW
FindClose
GetCurrentDirectoryW
MoveFileExW
GetTimeFormatW
GetSystemTime
GetDateFormatW
TlsSetValue
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
GetVolumePathNamesForVolumeNameW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetProcAddress
WaitForSingleObject
GetConsoleCP
SetThreadUILanguage
GetCurrentThreadId
GetLastError
HeapSetInformation
GetModuleHandleW
FreeLibrary
GetSystemTimeAsFileTime
GetComputerNameExW
OutputDebugStringW
GetComputerNameW
WideCharToMultiByte
GetFullPathNameW
LoadLibraryExW
DeviceIoControl
WakeAllConditionVariable
SleepConditionVariableSRW
SetFilePointerEx
GetFileInformationByHandle
BackupRead
BackupSeek
BackupWrite
CreateThread
GetExitCodeThread
VirtualAlloc
LocalAlloc
HeapAlloc
GetVolumePathNameW
TlsGetValue
VirtualFree
GetOverlappedResult
CancelIoEx
InitializeCriticalSection
GetFileSizeEx
ReadFile
MultiByteToWideChar
WriteFile
SetFileAttributesW
MoveFileW
RaiseException
SetEndOfFile
QueryPerformanceFrequency
GetProcessHeap
HeapFree
FormatMessageW
GetDynamicTimeZoneInformation
FlushFileBuffers
ExitProcess
InitializeCriticalSectionAndSpinCount
CreateSemaphoreW
ReleaseSemaphore
CreateEventW
GetVolumeInformationW
GetVolumeNameForVolumeMountPointW
GetSystemDirectoryW
ChangeTimerQueueTimer
DeleteTimerQueueTimer
QueueUserWorkItem
CreateTimerQueueTimer
LocalFree

msvcrt

towupper
iswspace
_ultow_s
??0bad_cast@@QEAA@PEBD@Z
??0bad_cast@@QEAA@AEBV0@@Z
??1bad_cast@@UEAA@XZ
_errno
wcsrchr
_ui64tow_s
ftell
fputc
ferror
fopen
fflush
fclose
fseek
strcpy_s
fwrite
fread
setlocale
___lc_handle_func
___lc_codepage_func
fgetc
fgetpos
fsetpos
setvbuf
ungetc
memset
abort
towlower
isupper
__crtLCMapStringA
islower
_vsnprintf
_wcslwr
fprintf
memmove_s
wcspbrk
wcschr
printf
strrchr
_wcstoui64
_wtol
wcsncmp
swscanf
_snwprintf_s
_wcsupr
_wcsnicmp
free
malloc
??0exception@@QEAA@AEBQEBDH@Z
_callnewh
_CxxThrowException
_XcptFilter
_amsg_exit
__wgetmainargs
__set_app_type
_exit
_cexit
__setusermatherr
_initterm
__C_specific_handler
_fmode
_commode
?terminate@@YAXXZ
_lock
_unlock
__dllonexit
_onexit
??1type_info@@UEAA@XZ
memmove
wcscspn
_wtoi64
_wtoi
wcsstr
__iob_func
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
memcpy
_itow
wcstok
__mb_cur_max
mbtowc
?what@exception@@UEBAPEBDXZ
_purecall
_wcsicmp
memcpy_s
??0exception@@QEAA@AEBV0@@Z
iswalpha
memcmp
__RTDynamicCast
wcsspn
_vsnwprintf
exit
__pctype_func
__CxxFrameHandler3
wcscmp

user32

LoadStringW

wldap32

ord18
ord12
ord118
ord13
ord73
ord88
ord14
ord16
ord145
ord69
ord113
ord157
ord27
ord122
ord91
ord36
ord203
ord94
ord173
ord179
ord100
ord54
ord301
ord309
ord310
ord304
ord41
ord140
ord79
ord142
ord224
ord26

dsparse

DsUnquoteRdnValueW

ntdsapi

DsGetDomainControllerInfoW
DsFreeNameResultW
DsUnBindW
DsBindW
DsCrackNamesW
DsFreeDomainControllerInfoW
DsWriteAccountSpnW

netapi32

NetApiBufferFree
DsRoleFreeMemory
NetShareGetInfo
DsGetDcNameW
DsRoleGetPrimaryDomainInformation
DsGetSiteNameW

secur32

GetComputerObjectNameW

ole32

CoImpersonateClient
CoCreateGuid
CoInitializeEx
CoRevertToSelf
CoCreateInstance
StringFromGUID2
CLSIDFromString
CoUninitialize
CoSetProxyBlanket
CoInitializeSecurity

oleaut32

SysStringByteLen
SafeArrayRedim
SysFreeString
VariantClear
SafeArrayCreate
SysStringLen
SysAllocString
SafeArrayGetLBound
SafeArrayUnlock
SafeArrayGetUBound
VariantInit
SafeArrayDestroy
SafeArrayLock
SafeArrayCopy
SysAllocStringLen
VariantChangeType
SysAllocStringByteLen
SafeArrayGetVartype

ntdll

RtlDosPathNameToNtPathName_U_WithStatus
RtlStringFromGUID
RtlAdjustPrivilege
RtlInitUnicodeStringEx
RtlFreeHeap
NtQuerySecurityObject
NtSetSecurityObject
NtQueryVolumeInformationFile
NtWaitForSingleObject
RtlInitUnicodeString
RtlDoesFileExists_U
NtOpenThreadToken
NtQueryDirectoryFile
NtFsControlFile
RtlGUIDFromString
NtCreateFile
NtSetInformationFile
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlGetDaclSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
RtlGetAce
RtlGetSaclSecurityDescriptor
RtlGetControlSecurityDescriptor
RtlLengthSecurityDescriptor
NtQueryInformationFile
RtlNtStatusToDosError
RtlFreeUnicodeString
RtlCreateSystemVolumeInformationFolder
NtClose
NtAdjustPrivilegesToken
RtlAllocateHeap

framedynos

??4WBEMTime@@QEAAAEBV0@AEBU_FILETIME@@@Z
??4WBEMTime@@QEAAAEBV0@QEAG@Z
?GetDMTF@WBEMTime@@QEBAPEAGH@Z
??4WBEMTime@@QEAAAEBV0@AEBU_SYSTEMTIME@@@Z
?GetFILETIME@WBEMTime@@QEBAHPEAU_FILETIME@@@Z
?SetDMTF@WBEMTime@@QEAAHQEAG@Z
?GetSYSTEMTIME@WBEMTime@@QEBAHPEAU_SYSTEMTIME@@@Z

shlwapi

PathIsRelativeW
PathFileExistsW

bcrypt

BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptDestroyHash
BCryptFinishHash
BCryptCreateHash
BCryptHashData
BCryptCloseAlgorithmProvider

mpr

WNetGetConnectionW

fltlib

FilterDetach
FilterAttach
FilterSendMessage

esent

JetBeginSessionA
JetAttachDatabaseA
JetOpenDatabaseA
JetMove
JetBeginTransaction2
JetDefragmentA
JetSetSessionContext
JetResetSessionContext
JetEndSession
JetCloseDatabase
JetOpenTableA
JetDeleteColumnA
JetCreateIndexA
JetDeleteIndexA
JetAddColumnA
JetRollback
JetCommitTransaction
JetCreateTableColumnIndexA
JetBeginTransaction
JetCreateDatabaseA
JetInit
JetCreateInstanceA
JetSetSystemParameterA
JetTerm2
JetDelete
JetRetrieveColumns
JetUpdate
JetSetColumns
JetPrepareUpdate
JetSeek
JetMakeKey
JetSetCurrentIndexA
JetGetColumnInfoA
JetCloseTable

clusapi

ClusterResourceControl
ClusterGroupControl
OpenClusterResource
OpenClusterGroup
OpenCluster
ClusterResourceTypeControl
ClusterResourceTypeCloseEnum
ClusterResourceTypeEnum
ClusterResourceTypeOpenEnum
ClusterResourceCloseEnum
ClusterResourceEnum
ClusterResourceOpenEnum
ClusterCloseEnum
ClusterEnum
ClusterOpenEnum
CloseClusterResource
CloseClusterGroup
CloseCluster
GetClusterResourceState

Sections

.text
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 646KB - Virtual size: 646KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 29KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3b33f6cade6896fa67f2374e4b8e27c3

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcrt

user32

wldap32

dsparse

ntdsapi

netapi32

secur32

ole32

oleaut32

ntdll

framedynos

shlwapi

bcrypt

mpr

fltlib

esent

clusapi

Sections

.text Size: 1.5MB - Virtual size: 1.5MB

.rdata Size: 646KB - Virtual size: 646KB

.data Size: 29KB - Virtual size: 43KB

.pdata Size: 49KB - Virtual size: 49KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 7KB - Virtual size: 7KB

.text
Size: 1.5MB - Virtual size: 1.5MB

.rdata
Size: 646KB - Virtual size: 646KB

.data
Size: 29KB - Virtual size: 43KB

.pdata
Size: 49KB - Virtual size: 49KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 7KB - Virtual size: 7KB