952c89e629280ad52d9eba9383941522304e36c0054a523bfb0bb97db2d8c546

Analysis

max time kernel
604s
max time network
457s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Drehmal Installer.exe
Size

168.5MB
MD5

5274cbfb208ee9610d3193e4c61c35f7
SHA1

954257060465a7038dd94952cb3964e5a0699735
SHA256

869e7c9698da35ba3b45d8a456814db6926534ea5e6d80302f0aaf69283230cb
SHA512

f28dc65c609683b375d61f55d5f940a41c691d7c5e64335886121675faf7b23a98cac04ec7e187e28cc92eb8915d8c65dfeda1cc0d7505820358683698c8733a
SSDEEP

1572864:IWx5TrBkvBGddEgdqUVQAa/6MdFvokPLkKrIA5wsMj+zBujIqMIqw6ep80FQK7y3:AwmBiWD+eCIxB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	Drehmal Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	Drehmal Installer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Drehmal Installer.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Drehmal Installer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3908	Drehmal Installer.exe
3908	Drehmal Installer.exe
3908	Drehmal Installer.exe
3908	Drehmal Installer.exe
4400	Drehmal Installer.exe
4400	Drehmal Installer.exe
4400	Drehmal Installer.exe
4400	Drehmal Installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe
Token: SeShutdownPrivilege	3908	Drehmal Installer.exe
Token: SeCreatePagefilePrivilege	3908	Drehmal Installer.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 2684	3908	Drehmal Installer.exe	87
PID 3908 wrote to memory of 4744	3908	Drehmal Installer.exe	88
PID 3908 wrote to memory of 4744	3908	Drehmal Installer.exe	88
PID 3908 wrote to memory of 3372	3908	Drehmal Installer.exe	89
PID 3908 wrote to memory of 3372	3908	Drehmal Installer.exe	89
PID 3908 wrote to memory of 4400	3908	Drehmal Installer.exe	98
PID 3908 wrote to memory of 4400	3908	Drehmal Installer.exe	98

C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Drehmal Installer" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1704 --field-trial-handle=1712,i,8449906081159121420,9711812778648525467,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Drehmal Installer" --mojo-platform-channel-handle=2212 --field-trial-handle=1712,i,8449906081159121420,9711812778648525467,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Drehmal Installer" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2472 --field-trial-handle=1712,i,8449906081159121420,9711812778648525467,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3372
- C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Drehmal Installer.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Drehmal Installer" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3120 --field-trial-handle=1712,i,8449906081159121420,9711812778648525467,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Drehmal Installer\Network\Network Persistent State

Filesize
300B

MD5
0703653a33d15f0590879e0e3aadb6d3

SHA1
91d3601ba31cffe428bea19a2e529c26ddf0c587

SHA256
ac8b39c40e182162914a71cec4693d90beecd33f0bc9c28c7c1622e52bbdb539

SHA512
5d7e8ac00a622a593e67fefaf4199115dd7ac46689cabb65b400875449f84e5ac4bf2d1c47c8eb0c3f8c4f47e1ca97f50b7d301881ff99460bca636e9aa1c2e8

Download Submit
C:\Users\Admin\AppData\Roaming\Drehmal Installer\Network\Network Persistent State~RFe591eaa.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/4400-84-0x00000160E2E30000-0x00000160E2E31000-memory.dmp

Filesize
4KB

Download
memory/4400-79-0x00000160E2E30000-0x00000160E2E31000-memory.dmp

Filesize
4KB

Download
memory/4400-80-0x00000160E2E30000-0x00000160E2E31000-memory.dmp

Filesize
4KB

Download
memory/4400-78-0x00000160E2E30000-0x00000160E2E31000-memory.dmp

Filesize
4KB

Download
memory/4400-85-0x00000160E2E30000-0x00000160E2E31000-memory.dmp

Filesize
4KB

Download
memory/4400-86-0x00000160E2E30000-0x00000160E2E31000-memory.dmp

Filesize
4KB

Download
memory/4400-87-0x00000160E2E30000-0x00000160E2E31000-memory.dmp

Filesize
4KB

Download
memory/4400-88-0x00000160E2E30000-0x00000160E2E31000-memory.dmp

Filesize
4KB

Download
memory/4400-90-0x00000160E2E30000-0x00000160E2E31000-memory.dmp

Filesize
4KB

Download
memory/4400-89-0x00000160E2E30000-0x00000160E2E31000-memory.dmp

Filesize
4KB

Download