Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-11-2024 05:19

General

  • Target

    c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7N.exe

  • Size

    2.1MB

  • MD5

    7df7fd9c447aa10d3675ba7a6bfefd30

  • SHA1

    3ef3b6422701ade8fac899f9800fbf54b0efdfac

  • SHA256

    c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7

  • SHA512

    bf06650279a7063cd9793e3e03f814f9ab29535c10f62ac65ddf7400c704ec1bf577ac1e382af3efe5d8e24f0472a2cff1ad5856dbba3fbb8ff9b9ee11371243

  • SSDEEP

    24576:R79hHoOJrXeLF4Q9GZPEREpsD4f/H49wFd1SNpxtAxHusOtkwI/+P5T5MSDb5Bhr:R7IOldQaDc4f1Fd1SLZDx5McBn/e0C3i

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7N.exe
    "C:\Users\Admin\AppData\Local\Temp\c94efa3dac9d5a32f94e0e3c65006c1557f24d94da1d60b817b39753d94c87a7N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Drcom\DrUpdateClient\drmain.exe
      "C:\Drcom\DrUpdateClient\drmain.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c netsh advfirewall firewall delete rule name="Dr.COM Auth Client"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall delete rule name="Dr.COM Auth Client"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4920
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c netsh advfirewall firewall add rule name="Dr.COM Auth Client" dir=out action=allow protocol=UDP localport=61440 remoteport=61440
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall add rule name="Dr.COM Auth Client" dir=out action=allow protocol=UDP localport=61440 remoteport=61440
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2804
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c netsh advfirewall firewall add rule name="Dr.COM Auth Client" dir=in action=allow protocol=UDP localport=61440 remoteport=61440
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:228
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall add rule name="Dr.COM Auth Client" dir=in action=allow protocol=UDP localport=61440 remoteport=61440
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4032
      • C:\Drcom\DrUpdateClient\DrUpdate.exe
        "C:\Drcom\DrUpdateClient\DrUpdate.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1880
      • C:\Drcom\DrUpdateClient\DrClient.exe
        "C:\Drcom\DrUpdateClient\DrClient.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2632

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Drcom\DrUpdateClient\DrClient.en

    Filesize

    23KB

    MD5

    99cd8a6bff9f6d1adaa6e9b315e38290

    SHA1

    9172887241da6afc9718284e887e974849961887

    SHA256

    489a376d45b643d5eb211ab9557a7dae7b083a1e6854e93403164aff318df00b

    SHA512

    e9edc848454de1578c77aa61abd58e204053d7675b59e39de739c8a8bcc38b6d6549900bca2c9d7fd7fe0229b7a9cf5bc8e4929aba7add9dd23d99cc8c1a47a0

  • C:\Drcom\DrUpdateClient\DrClient.exe

    Filesize

    536KB

    MD5

    24871dcbcc9153984528f9ac497bbe9b

    SHA1

    87edb70a90b84afcdc4f9b337ddc05ed084dfb29

    SHA256

    afa72071b88f8e5fe69aa34353adc0d121b0910b01417f8c761eeac170ff8942

    SHA512

    4510c6063ddca5dddc904a1e168b56e5fef73aa904e28c6011c9d07e619d1c0c3c0148698d84445080f7505f773f1f3599ed33fa8759209813fea4128c080fdb

  • C:\Drcom\DrUpdateClient\DrConfigure

    Filesize

    2KB

    MD5

    3eb66eafeee76f97cc2b161be001fa41

    SHA1

    f12d405b8a169825e5e672c150044b2d07a36a98

    SHA256

    3a0af2d9567a6ab466cd8f21902a9b58c52cff0ab61a67b849eef7adacf95c2f

    SHA512

    92813262f91fdb84cd761d8feb4f23531b0183e69a3f65991031ae45ca51c36e490985dc68c49653023cc27d9df35eda5645c0bf3a28942eb945c997352a1d00

  • C:\Drcom\DrUpdateClient\DrReport.dll

    Filesize

    152KB

    MD5

    ac30d93db734f259f64335692057d73e

    SHA1

    88564404417fbb104fa57ae158a9c51f369620eb

    SHA256

    ed0e2d7d1595a784ec0e8efb638ad8481014542acd919452354dc6d7ccfff34a

    SHA512

    e71774f00172e13a977f0046fe440a4eb621b7935fbcd4c7356a5d253e58f50d25ddee34f0f3492e3d0bed61997c3e8ae034605cac0c7d20191118a8f51d4b57

  • C:\Drcom\DrUpdateClient\DrResources

    Filesize

    192KB

    MD5

    cb614d3e36ad03571c7026fba1cc97a6

    SHA1

    eb3f017b3046fba91d9005230d4a65a4417768cb

    SHA256

    fdf513479fdef17a9c23319e8649587f84f81a808848a2aae3f627a1219ea075

    SHA512

    0a9cb845892a8f5a8e6dd005e6f195acf4860aea0cccb287f0f60127624823c392850c39c774bbc93be5eb1f685a68b6d2f6ba9e0a111cf28fca0856c1513ddd

  • C:\Drcom\DrUpdateClient\DrUpdate.exe

    Filesize

    292KB

    MD5

    d7952b36dcb7d42a98fdfffa72456705

    SHA1

    d35b0765ba99bd0e29e7ced705a158cbaef0916c

    SHA256

    530c8c59123038e2d5908735fb5f082cdac83946726b1dc4e64578865c15cd5c

    SHA512

    ab2b1dcb99f6a50c163efd2faed194eba3017ce43f0091ad67136c69e6cf04e34432b668d144d03496652610584e602de12f983559d0cef5b6fabb775b686ad1

  • C:\Drcom\DrUpdateClient\TcpIPDogL.dr

    Filesize

    328KB

    MD5

    41e22e8d0974bbd57572b30ca80109fa

    SHA1

    116155f26bfbd517f568150f67a0a840c4371400

    SHA256

    ad4a9917f05a106a27f2141cc69f3ccdb9040bcd72a220c7710eb073a5180dbd

    SHA512

    a2da8416f42034a772e30c033845ef28af6edf276c0131f12f36c9b7e371f278d928386684b020a7230ddeca950b35afc10e71022143f4bd48e9b0e431bd9ad0

  • C:\Drcom\DrUpdateClient\WebSiteModule.dll

    Filesize

    148KB

    MD5

    79a059b72bc93f39e3e814277b574bcf

    SHA1

    d9693162f081f68436cca1aae15b353fda7c8cf3

    SHA256

    7932106a8752fe59ed10aaf8d7da1969c329e4075e0c665351167387f0ae5703

    SHA512

    feda9ba9edf5b2762e5f4df17bf5ca77601099d3806dbeac202860db7b6863b155e0eddc2564fca6134058568745118598c29b7f23b61b8fcb843dea37cb9149

  • C:\Drcom\DrUpdateClient\drauth_0x.dll

    Filesize

    588KB

    MD5

    abb0976c457f4f04753c9e44b6b2f5d4

    SHA1

    cf512bc20cf2d17ac36739443dea5238b302244f

    SHA256

    bf844936cf66a28524b0f19c840de3433fa5d664fa9bf09d47835e3010e0e25a

    SHA512

    438de143d8f418917537f7a064e39574b711c7ab68dee3a110b3f45401f04c71818edad34ca002f26f691a0cfa05a93e4cc23b89bcbe26bb26ea58622849fed2

  • C:\Drcom\DrUpdateClient\drcomrulesvr.drsc

    Filesize

    10KB

    MD5

    db17d069c98d52c82cc32144c207fdfa

    SHA1

    fee8475de6397e35773399d76c849a610e67d29b

    SHA256

    089ff5c4202f00f377c623f44c3beddb892c2efb1c356fa56a6c4541366acd6b

    SHA512

    0b1aa0de09c4faaf334c4dd97521e02deabdeeb0e7f946adf50b784573ce982ecdb90f10ffc65f33bc22d1f12c679d3101be5096f7e01d25ba98dfadc110f418

  • C:\Drcom\DrUpdateClient\drcopy.exe

    Filesize

    200KB

    MD5

    831d12c932cad9bdea9e2354daed2624

    SHA1

    9c7085736d341f9604ae29ac13bb2d2c1ee0082c

    SHA256

    1ad2d553799f03e25a2e67d0c0962a218cd4691361adace1015493e17058d45e

    SHA512

    5032c458913aa599e9da352b0ce48b48f839b796a7f40aef79e294806dafec5c0dacfaca11af5630de29ce18d79c42e08ad3df647ca5d108be5c09bb0ae95d95

  • C:\Drcom\DrUpdateClient\drmain.exe

    Filesize

    232KB

    MD5

    bf64244abf4b81b40d755e730cae5856

    SHA1

    f4c32e36d2547149266c6ba6c9dd8fc531c8a93c

    SHA256

    9a9736d6b9c07f9f28cf69d2d90a2ffe3e4f3127187fca644b80d14d672e7ed5

    SHA512

    a9714b83639c3b4e827c57a631fafced52ad10012df4562a9786bc54c81e33d2d9da78e11cedfaab68391dcc6090b6e2cc49dc61603a15707f9ce6ed2e3ea3b0

  • C:\Drcom\DrUpdateClient\sqlite3.dll

    Filesize

    608KB

    MD5

    60f2d44e749208d1532e06643b407db2

    SHA1

    baaa6a7ae90aa6d3921df741c783d0229b5fe8bd

    SHA256

    9f8e831b283645595da02c7a14ba77f6085d69f5b9c1cb525bc287020864f215

    SHA512

    62329d1da4293109ccafef70099a6f521248e039874962eac3631039da594f0e63e2cbc2a2967147f298b92e52b688280f5ac17e0c25e405adea8283cc1e26f4

  • C:\Drcom\DrUpdateClient\temp\DrClientSkin_temp\LogoutDlg_top.bmp

    Filesize

    158B

    MD5

    60d80bc84e718369c6b607283fa3b255

    SHA1

    78c14c34792f22bc24ede9b66c17347bc797405f

    SHA256

    4182d389407be0d5aba10f0b8c29dbc6b3bc31a1e025ecdc9fee7706461c0cce

    SHA512

    40f3c434310388f768b5c480bc13806a36c300489b7f85f8248c5d0cf47c27cc02bbcf342da61a0256e1ed8e2ecc57d1a83e7363313fbf44c500bd7b311353a1

  • C:\Drcom\DrUpdateClient\temp\DrClientSkin_temp\LogoutDlg_tr.bmp

    Filesize

    366B

    MD5

    4b3b33d3f05573930f8fe489e6b07e89

    SHA1

    bcef5597e6e5bb6fbdacdc061cddc6dc2edadeff

    SHA256

    cd5e8c7465c8de5c9f5cb1830e2c0fe455b54d62a741583ca383f89faaf64d9a

    SHA512

    a59c5c171e1dcd71a85de61cc7603c4e6c2e3904deec680d842dfe8e1d55882f5dbbf5ae9285e3c0df9719648a54f5a01f60cdbc11a2921f9a2a11011a5c4f6e

  • C:\Drcom\DrUpdateClient\temp\DrClientSkin_temp\MainDlg_head_n.bmp

    Filesize

    4KB

    MD5

    b2a113465eedaf40091a34455f592459

    SHA1

    0791738e45c743accb077743aae92065ac35c404

    SHA256

    9dd2919f64b30d23e9c822fef762e446659aab50d4447bf8686556c7fd606697

    SHA512

    43f23be42005a385f7a969c9dc16f50f04ec7983dd3170778293ce8ae089349cc23cc17ef489b30eb162720f285c8a69462d94f1a2412945a515ba73b4b7aef5

  • C:\Drcom\DrUpdateClient\temp\DrClientSkin_temp\PopMsgDlg_bl.bmp

    Filesize

    90B

    MD5

    30211f1b8c0d30697b3c704b8d7d37c4

    SHA1

    af98ef2ce5d400a84f0714bf95b992afa45e19da

    SHA256

    3a85e731bd545e66c48f81d4b71e5866c900ee1c9ae1738ab27902dfd6da5e7e

    SHA512

    f6e41971931b0cae76eae285038d2659ccfda79afc7e1666faee28acf658225f8b0ab4dd38ceb436ac5dba6dbd976b7b7b5da76cd586bb58b61a34715358f279

  • C:\Drcom\DrUpdateClient\temp\DrClientSkin_temp\PopMsgDlg_bottom.bmp

    Filesize

    66B

    MD5

    58f6d5b42617d3a38065f3fab59800dd

    SHA1

    f0699de5993461a5a4ddfb9dbc672557164ac555

    SHA256

    afaa7a5234abbe0a0557e611625de501b775853beb6bdc2b3842c279dd78bbbd

    SHA512

    4d6b3b61c6f89d0de313c3d82d5ae1701245c820066419bf215b5685d76c531c76af1bed82e5a37fad40642ae4448cdab14ea18afee053c4f26b7d2aadffa7c8

  • C:\Drcom\DrUpdateClient\temp\DrClientSkin_temp\PopMsgDlg_br.bmp

    Filesize

    90B

    MD5

    f14c285a594d9d538be27b4c2fddbaf1

    SHA1

    b8bc8b14585c3f5d5f290989085c58a7a621d13b

    SHA256

    d2fa3ebcc117af5c2fef60c61d37e4a0963f011aee508ea175da147a0245c9b8

    SHA512

    76d7ac286b3a84d7e985e64c7d76910ec9b38d7923754bf2f0f97751106ec937184a772ce5762c40d2024d39d8f7bace1c6245fd9cf922d9dc0608b0ba1e4643

  • C:\Drcom\DrUpdateClient\temp\DrClientSkin_temp\PopMsgDlg_center.bmp

    Filesize

    1KB

    MD5

    1510563f1e60f8709a08b6b65fd3a3a3

    SHA1

    d3467e88445aa14dcf0808ba3b12c987cf6decaa

    SHA256

    d907a5ef9f65b8c0e10a06f6f27320c4a2dddbdd489f41ec7a58bed184a14885

    SHA512

    2fc4eb8b6edc1cb337ed74585443872df92993c21848ee6099f4a257680fb58e8a10845b9670c21e0696ee322a9535d6a855db09ad481a1929a624ec57dec419

  • C:\Drcom\DrUpdateClient\temp\DrClientSkin_temp\logoutDlg_tl.bmp

    Filesize

    366B

    MD5

    c1b6b1202fd377fc1fd20bf975c2fe49

    SHA1

    566808083efabe6a9d03fd255d6aac7113b9e991

    SHA256

    5fb365134156c4015649d57367411d5bc98bbc6936511883f9d8bfe22e96069f

    SHA512

    956592f2129c077eec4edbbaf62d5a4b2876d012609163699d53efa2e3df7a11643410e843df502506eaecb829cb5ff4fe9d74cd1ce50a2cf36554cadeac8ddc

  • memory/2632-319-0x0000000003A70000-0x0000000003A97000-memory.dmp

    Filesize

    156KB

  • memory/2632-79-0x0000000000920000-0x00000000009BD000-memory.dmp

    Filesize

    628KB

  • memory/2632-82-0x00000000009C0000-0x0000000000A58000-memory.dmp

    Filesize

    608KB