Analysis
max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2024 05:19
Static task: static1
Behavioral task: behavioral1
  Sample: c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7N.exe
  Resource: win10v2004-20241007-en
General
Target: c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7N.exe
Size: 2.1MB
MD5: 7df7fd9c447aa10d3675ba7a6bfefd30
SHA1: 3ef3b6422701ade8fac899f9800fbf54b0efdfac
SHA256: c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7
SHA512: bf06650279a7063cd9793e3e03f814f9ab29535c10f62ac65ddf7400c704ec1bf577ac1e382af3efe5d8e24f0472a2cff1ad5856dbba3fbb8ff9b9ee11371243
SSDEEP: 24576:R79hHoOJrXeLF4Q9GZPEREpsD4f/H49wFd1SNpxtAxHusOtkwI/+P5T5MSDb5Bhr:R7IOldQaDc4f1Fd1SLZDx5McBn/e0C3i
Malware Config
Signatures
-
Modifies Windows Firewall (2 TTPs, 3 IoCs)
pid   Process
4920  netsh.exe
2804  netsh.exe
4032  netsh.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry; this is commonly used for geofencing.
Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation (process: c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7N.exe)
Executes dropped EXE (3 IoCs)
pid   Process
3532  drmain.exe
1880  DrUpdate.exe
2632  DrClient.exe
Loads dropped DLL (9 IoCs)
pid   Process
3532  drmain.exe (x1)
1880  DrUpdate.exe (x1)
2632  DrClient.exe (x7)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL (1 TTP, 9 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh are loaded every time netsh runs, which is why registering one is a persistence technique.
All nine IoCs are reads of that registration key by netsh.exe itself, on \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh: Key opened (x3), Key queried (x3), Key value enumerated (x3). Netsh performs these reads on every launch to locate its helpers, so the hit corresponds to the three netsh.exe invocations in the process tree. No write to the key is recorded, so this report does not show a helper DLL being registered. The WOW6432Node path is ordinary registry redirection for the 32-bit netsh.exe launched from C:\Windows\SysWOW64.
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by the following processes:
c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7N.exe (x1), drmain.exe (x1), DrUpdate.exe (x1), DrClient.exe (x1), cmd.exe (x3), netsh.exe (x3)
Suspicious behavior: EnumeratesProcesses (52 IoCs)
pid   Process
3532  drmain.exe (x4)
2632  DrClient.exe (x48)
Suspicious behavior: LoadsDriver (6 IoCs)
pid   Process
4     Process not Found (x5)
668   Process not Found (x1)
PID 4 is the Windows System process, so the driver loads attributed to it are kernel-side activity the sandbox could not tie to a user-mode image. Nothing in this report attributes a driver load to the sample or to the executables it dropped.
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeTakeOwnershipPrivilege, pid 2632 DrClient.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid 2632 DrClient.exe (x2)
Suspicious use of SendNotifyMessage (2 IoCs)
pid 2632 DrClient.exe (x2)
Suspicious use of SetWindowsHookEx (1 IoC)
pid 2632 DrClient.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Each parent/child pair below is recorded three times (9 pairs, 27 IoCs).
pid   Process                                                                  wrote to pid   procid_target
3020  c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7N.exe  3532           82
3532  drmain.exe                                                               2748           83
2748  cmd.exe                                                                  4920           85
3532  drmain.exe                                                               1392           87
1392  cmd.exe                                                                  2804           89
3532  drmain.exe                                                               228            90
228   cmd.exe                                                                  4032           92
3532  drmain.exe                                                               1880           93
3532  drmain.exe                                                               2632           94
Every write targets a process the writer had itself just spawned (compare the process tree below); no write into a pre-existing or unrelated process is recorded.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7N.exe (PID 3020)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7N.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Drcom\DrUpdateClient\drmain.exe (PID 3532)
      cmdline: "C:\Drcom\DrUpdateClient\drmain.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2748)
        cmdline: "cmd.exe" /c netsh advfirewall firewall delete rule name="Dr.COM Auth Client"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\netsh.exe (PID 4920)
          cmdline: netsh advfirewall firewall delete rule name="Dr.COM Auth Client"
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1392)
        cmdline: "cmd.exe" /c netsh advfirewall firewall add rule name="Dr.COM Auth Client" dir=out action=allow protocol=UDP localport=61440 remoteport=61440
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\netsh.exe (PID 2804)
          cmdline: netsh advfirewall firewall add rule name="Dr.COM Auth Client" dir=out action=allow protocol=UDP localport=61440 remoteport=61440
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\cmd.exe (PID 228)
        cmdline: "cmd.exe" /c netsh advfirewall firewall add rule name="Dr.COM Auth Client" dir=in action=allow protocol=UDP localport=61440 remoteport=61440
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\netsh.exe (PID 4032)
          cmdline: netsh advfirewall firewall add rule name="Dr.COM Auth Client" dir=in action=allow protocol=UDP localport=61440 remoteport=61440
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery
    [3] C:\Drcom\DrUpdateClient\DrUpdate.exe (PID 1880)
        cmdline: "C:\Drcom\DrUpdateClient\DrUpdate.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
    [3] C:\Drcom\DrUpdateClient\DrClient.exe (PID 2632)
        cmdline: "C:\Drcom\DrUpdateClient\DrClient.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
The firewall changes all concern one rule, "Dr.COM Auth Client", first deleted and then re-created for outbound and inbound UDP 61440 -> 61440, and every change is requested by drmain.exe through a cmd.exe /c wrapper. Together with the drop directory C:\Drcom\DrUpdateClient\ this is the footprint of a Dr.COM client installer; whether the binaries are genuine is not something this report establishes.
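Added example, not part of the sandbox output and not Dr.COM's own code: a triage helper that takes process-creation records (pid, ppid, image, command line, as from Sysmon Event ID 1, Windows 4688, or a sandbox process tree), classifies each netsh.exe invocation as a firewall rule change or a helper-DLL registration, and walks the parent chain past cmd.exe-style launchers to the binary that actually requested the change. The event list is constructed from the PIDs and command lines in this report; the final record (PID 5000, `netsh add helper C:\Users\Public\nethelper.dll`) is hypothetical and did not occur in the analysed run, included only to show the one netsh form that actually writes a helper registration, in contrast to the firewall commands above that merely read the NetSh key.

```python
"""Triage helper for netsh.exe in process-creation telemetry (Sysmon EID 1,
Windows 4688, or a sandbox process tree). Added example for this report, not
part of the sandbox output. It classifies each netsh invocation as a firewall
rule change or a helper-DLL registration and walks the parent chain past
cmd.exe to the binary that actually requested the change.
EVENTS is constructed from the PIDs and command lines in this report; the
last record (PID 5000) is a HYPOTHETICAL 'netsh add helper' line added for
contrast and did not occur in the analysed run.
"""
import re
from collections import namedtuple
from typing import Dict, List, Optional

Event = namedtuple("Event", "pid ppid image cmdline")
# A token is a run of non-space/non-quote chars and/or quoted spans, so
# name="Dr.COM Auth Client" stays one token; cmd.exe has no escapes inside quotes.
_TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
_LAUNCHERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def tokenize(cmdline: str) -> List[str]:
    return [t.replace('"', "") for t in _TOKEN_RE.findall(cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_netsh(pid: int, initiator: str, cmdline: str) -> Optional[dict]:
    """Classify one netsh command line; None if the command is not netsh at all."""
    toks = tokenize(cmdline)
    if not toks or basename(toks[0]) not in ("netsh", "netsh.exe"):
        return None
    raw, low = toks[1:], [t.lower() for t in toks[1:]]
    base = {"pid": pid, "initiator": initiator}
    # 'netsh add helper <dll>' registers a helper under HKLM\SOFTWARE\Microsoft\NetSh
    # that every later netsh run loads. Merely running netsh only READS that key,
    # which is all the 'Netsh Helper DLL' signature in this report observed.
    if low[:2] == ["add", "helper"] and len(raw) > 2:
        return {**base, "category": "helper_dll", "action": "add", "helper_dll": raw[2]}
    # 'netsh advfirewall firewall <add|delete|set> rule key=value ...'
    if low[:2] == ["advfirewall", "firewall"] and len(low) > 3 and low[3] == "rule":
        kv = {k.lower(): v for k, v in (t.split("=", 1) for t in raw[4:] if "=" in t)}
        return {**base, "category": "firewall_rule", "action": low[2],
                "rule_name": kv.get("name"), "direction": kv.get("dir"),
                "fw_action": kv.get("action"),
                "protocol": kv.get("protocol", "").upper() or None,
                "localport": kv.get("localport"), "remoteport": kv.get("remoteport")}
    return {**base, "category": "other"}


def find_initiator(pid: int, by_pid: Dict[int, Event]) -> str:
    """From pid's parent, skip cmd.exe-style launchers up to the real requester."""
    cur = by_pid.get(by_pid[pid].ppid) if pid in by_pid else None
    while cur is not None and basename(cur.image) in _LAUNCHERS and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
    return basename(cur.image) if cur is not None else "unknown"


def triage(events: List[Event]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    found = [classify_netsh(e.pid, find_initiator(e.pid, by_pid), e.cmdline)
             for e in events if basename(e.image) == "netsh.exe"]
    return [f for f in found if f is not None]


def rule_history(findings: List[dict]) -> Dict[str, List[str]]:
    """Per firewall rule name, the change sequence (delete then add = rule replaced)."""
    hist: Dict[str, List[str]] = {}
    for f in findings:
        if f["category"] == "firewall_rule" and f.get("rule_name"):
            hist.setdefault(f["rule_name"], []).append(f"{f['action']}:{f.get('direction') or '-'}")
    return hist


# Constructed from the report's process tree (PIDs, images, command lines).
SAMPLE = "c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7N.exe"
DRMAIN, CMD, NETSH = (r"C:\Drcom\DrUpdateClient\drmain.exe",
                      r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\netsh.exe")
RULE = 'rule name="Dr.COM Auth Client"'
PORTS = "action=allow protocol=UDP localport=61440 remoteport=61440"
EVENTS = [
    Event(3020, 0, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, f'"{SAMPLE}"'),  # parent not in report
    Event(3532, 3020, DRMAIN, f'"{DRMAIN}"'),
    Event(2748, 3532, CMD, f'"cmd.exe" /c netsh advfirewall firewall delete {RULE}'),
    Event(4920, 2748, NETSH, f"netsh advfirewall firewall delete {RULE}"),
    Event(1392, 3532, CMD, f'"cmd.exe" /c netsh advfirewall firewall add {RULE} dir=out {PORTS}'),
    Event(2804, 1392, NETSH, f"netsh advfirewall firewall add {RULE} dir=out {PORTS}"),
    Event(228, 3532, CMD, f'"cmd.exe" /c netsh advfirewall firewall add {RULE} dir=in {PORTS}'),
    Event(4032, 228, NETSH, f"netsh advfirewall firewall add {RULE} dir=in {PORTS}"),
    # HYPOTHETICAL, not in the report: what an actual helper-DLL registration looks like.
    Event(5000, 3532, NETSH, r"netsh add helper C:\Users\Public\nethelper.dll"),
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
    print(rule_history(triage(EVENTS)))
```

Run against the constructed events, the three report command lines come back as firewall_rule findings with initiator drmain.exe (cmd.exe is skipped as a launcher), and rule_history shows the delete/add/add sequence for "Dr.COM Auth Client"; only the hypothetical PID 5000 record is classified as helper_dll. In production the same classifier can be fed from an EDR export, and a helper_dll finding whose initiator is not an administrator's shell is the case worth paging on.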
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
Filesize: 23KB
MD5: 99cd8a6bff9f6d1adaa6e9b315e38290
SHA1: 9172887241da6afc9718284e887e974849961887
SHA256: 489a376d45b643d5eb211ab9557a7dae7b083a1e6854e93403164aff318df00b
SHA512: e9edc848454de1578c77aa61abd58e204053d7675b59e39de739c8a8bcc38b6d6549900bca2c9d7fd7fe0229b7a9cf5bc8e4929aba7add9dd23d99cc8c1a47a0

Filesize: 536KB
MD5: 24871dcbcc9153984528f9ac497bbe9b
SHA1: 87edb70a90b84afcdc4f9b337ddc05ed084dfb29
SHA256: afa72071b88f8e5fe69aa34353adc0d121b0910b01417f8c761eeac170ff8942
SHA512: 4510c6063ddca5dddc904a1e168b56e5fef73aa904e28c6011c9d07e619d1c0c3c0148698d84445080f7505f773f1f3599ed33fa8759209813fea4128c080fdb

Filesize: 2KB
MD5: 3eb66eafeee76f97cc2b161be001fa41
SHA1: f12d405b8a169825e5e672c150044b2d07a36a98
SHA256: 3a0af2d9567a6ab466cd8f21902a9b58c52cff0ab61a67b849eef7adacf95c2f
SHA512: 92813262f91fdb84cd761d8feb4f23531b0183e69a3f65991031ae45ca51c36e490985dc68c49653023cc27d9df35eda5645c0bf3a28942eb945c997352a1d00

Filesize: 152KB
MD5: ac30d93db734f259f64335692057d73e
SHA1: 88564404417fbb104fa57ae158a9c51f369620eb
SHA256: ed0e2d7d1595a784ec0e8efb638ad8481014542acd919452354dc6d7ccfff34a
SHA512: e71774f00172e13a977f0046fe440a4eb621b7935fbcd4c7356a5d253e58f50d25ddee34f0f3492e3d0bed61997c3e8ae034605cac0c7d20191118a8f51d4b57

Filesize: 192KB
MD5: cb614d3e36ad03571c7026fba1cc97a6
SHA1: eb3f017b3046fba91d9005230d4a65a4417768cb
SHA256: fdf513479fdef17a9c23319e8649587f84f81a808848a2aae3f627a1219ea075
SHA512: 0a9cb845892a8f5a8e6dd005e6f195acf4860aea0cccb287f0f60127624823c392850c39c774bbc93be5eb1f685a68b6d2f6ba9e0a111cf28fca0856c1513ddd

Filesize: 292KB
MD5: d7952b36dcb7d42a98fdfffa72456705
SHA1: d35b0765ba99bd0e29e7ced705a158cbaef0916c
SHA256: 530c8c59123038e2d5908735fb5f082cdac83946726b1dc4e64578865c15cd5c
SHA512: ab2b1dcb99f6a50c163efd2faed194eba3017ce43f0091ad67136c69e6cf04e34432b668d144d03496652610584e602de12f983559d0cef5b6fabb775b686ad1

Filesize: 328KB
MD5: 41e22e8d0974bbd57572b30ca80109fa
SHA1: 116155f26bfbd517f568150f67a0a840c4371400
SHA256: ad4a9917f05a106a27f2141cc69f3ccdb9040bcd72a220c7710eb073a5180dbd
SHA512: a2da8416f42034a772e30c033845ef28af6edf276c0131f12f36c9b7e371f278d928386684b020a7230ddeca950b35afc10e71022143f4bd48e9b0e431bd9ad0

Filesize: 148KB
MD5: 79a059b72bc93f39e3e814277b574bcf
SHA1: d9693162f081f68436cca1aae15b353fda7c8cf3
SHA256: 7932106a8752fe59ed10aaf8d7da1969c329e4075e0c665351167387f0ae5703
SHA512: feda9ba9edf5b2762e5f4df17bf5ca77601099d3806dbeac202860db7b6863b155e0eddc2564fca6134058568745118598c29b7f23b61b8fcb843dea37cb9149

Filesize: 588KB
MD5: abb0976c457f4f04753c9e44b6b2f5d4
SHA1: cf512bc20cf2d17ac36739443dea5238b302244f
SHA256: bf844936cf66a28524b0f19c840de3433fa5d664fa9bf09d47835e3010e0e25a
SHA512: 438de143d8f418917537f7a064e39574b711c7ab68dee3a110b3f45401f04c71818edad34ca002f26f691a0cfa05a93e4cc23b89bcbe26bb26ea58622849fed2

Filesize: 10KB
MD5: db17d069c98d52c82cc32144c207fdfa
SHA1: fee8475de6397e35773399d76c849a610e67d29b
SHA256: 089ff5c4202f00f377c623f44c3beddb892c2efb1c356fa56a6c4541366acd6b
SHA512: 0b1aa0de09c4faaf334c4dd97521e02deabdeeb0e7f946adf50b784573ce982ecdb90f10ffc65f33bc22d1f12c679d3101be5096f7e01d25ba98dfadc110f418

Filesize: 200KB
MD5: 831d12c932cad9bdea9e2354daed2624
SHA1: 9c7085736d341f9604ae29ac13bb2d2c1ee0082c
SHA256: 1ad2d553799f03e25a2e67d0c0962a218cd4691361adace1015493e17058d45e
SHA512: 5032c458913aa599e9da352b0ce48b48f839b796a7f40aef79e294806dafec5c0dacfaca11af5630de29ce18d79c42e08ad3df647ca5d108be5c09bb0ae95d95

Filesize: 232KB
MD5: bf64244abf4b81b40d755e730cae5856
SHA1: f4c32e36d2547149266c6ba6c9dd8fc531c8a93c
SHA256: 9a9736d6b9c07f9f28cf69d2d90a2ffe3e4f3127187fca644b80d14d672e7ed5
SHA512: a9714b83639c3b4e827c57a631fafced52ad10012df4562a9786bc54c81e33d2d9da78e11cedfaab68391dcc6090b6e2cc49dc61603a15707f9ce6ed2e3ea3b0

Filesize: 608KB
MD5: 60f2d44e749208d1532e06643b407db2
SHA1: baaa6a7ae90aa6d3921df741c783d0229b5fe8bd
SHA256: 9f8e831b283645595da02c7a14ba77f6085d69f5b9c1cb525bc287020864f215
SHA512: 62329d1da4293109ccafef70099a6f521248e039874962eac3631039da594f0e63e2cbc2a2967147f298b92e52b688280f5ac17e0c25e405adea8283cc1e26f4

Filesize: 158B
MD5: 60d80bc84e718369c6b607283fa3b255
SHA1: 78c14c34792f22bc24ede9b66c17347bc797405f
SHA256: 4182d389407be0d5aba10f0b8c29dbc6b3bc31a1e025ecdc9fee7706461c0cce
SHA512: 40f3c434310388f768b5c480bc13806a36c300489b7f85f8248c5d0cf47c27cc02bbcf342da61a0256e1ed8e2ecc57d1a83e7363313fbf44c500bd7b311353a1

Filesize: 366B
MD5: 4b3b33d3f05573930f8fe489e6b07e89
SHA1: bcef5597e6e5bb6fbdacdc061cddc6dc2edadeff
SHA256: cd5e8c7465c8de5c9f5cb1830e2c0fe455b54d62a741583ca383f89faaf64d9a
SHA512: a59c5c171e1dcd71a85de61cc7603c4e6c2e3904deec680d842dfe8e1d55882f5dbbf5ae9285e3c0df9719648a54f5a01f60cdbc11a2921f9a2a11011a5c4f6e

Filesize: 4KB
MD5: b2a113465eedaf40091a34455f592459
SHA1: 0791738e45c743accb077743aae92065ac35c404
SHA256: 9dd2919f64b30d23e9c822fef762e446659aab50d4447bf8686556c7fd606697
SHA512: 43f23be42005a385f7a969c9dc16f50f04ec7983dd3170778293ce8ae089349cc23cc17ef489b30eb162720f285c8a69462d94f1a2412945a515ba73b4b7aef5

Filesize: 90B
MD5: 30211f1b8c0d30697b3c704b8d7d37c4
SHA1: af98ef2ce5d400a84f0714bf95b992afa45e19da
SHA256: 3a85e731bd545e66c48f81d4b71e5866c900ee1c9ae1738ab27902dfd6da5e7e
SHA512: f6e41971931b0cae76eae285038d2659ccfda79afc7e1666faee28acf658225f8b0ab4dd38ceb436ac5dba6dbd976b7b7b5da76cd586bb58b61a34715358f279

Filesize: 66B
MD5: 58f6d5b42617d3a38065f3fab59800dd
SHA1: f0699de5993461a5a4ddfb9dbc672557164ac555
SHA256: afaa7a5234abbe0a0557e611625de501b775853beb6bdc2b3842c279dd78bbbd
SHA512: 4d6b3b61c6f89d0de313c3d82d5ae1701245c820066419bf215b5685d76c531c76af1bed82e5a37fad40642ae4448cdab14ea18afee053c4f26b7d2aadffa7c8

Filesize: 90B
MD5: f14c285a594d9d538be27b4c2fddbaf1
SHA1: b8bc8b14585c3f5d5f290989085c58a7a621d13b
SHA256: d2fa3ebcc117af5c2fef60c61d37e4a0963f011aee508ea175da147a0245c9b8
SHA512: 76d7ac286b3a84d7e985e64c7d76910ec9b38d7923754bf2f0f97751106ec937184a772ce5762c40d2024d39d8f7bace1c6245fd9cf922d9dc0608b0ba1e4643

Filesize: 1KB
MD5: 1510563f1e60f8709a08b6b65fd3a3a3
SHA1: d3467e88445aa14dcf0808ba3b12c987cf6decaa
SHA256: d907a5ef9f65b8c0e10a06f6f27320c4a2dddbdd489f41ec7a58bed184a14885
SHA512: 2fc4eb8b6edc1cb337ed74585443872df92993c21848ee6099f4a257680fb58e8a10845b9670c21e0696ee322a9535d6a855db09ad481a1929a624ec57dec419

Filesize: 366B
MD5: c1b6b1202fd377fc1fd20bf975c2fe49
SHA1: 566808083efabe6a9d03fd255d6aac7113b9e991
SHA256: 5fb365134156c4015649d57367411d5bc98bbc6936511883f9d8bfe22e96069f
SHA512: 956592f2129c077eec4edbbaf62d5a4b2876d012609163699d53efa2e3df7a11643410e843df502506eaecb829cb5ff4fe9d74cd1ce50a2cf36554cadeac8ddc