Analysis
- max time kernel: 149s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/05/2025, 05:05
- Static task: static1
- Behavioral task: behavioral1
- Sample: 250515-e2plhafp5v.dll
- Resource: win10v2004-20250502-en
General
- Target: 250515-e2plhafp5v.dll
- Size: 1.9MB
- MD5: 04463233364b1cc3f51e1f51e42a37c8
- SHA1: daee90d3e230444d0711d2d2c4ca97bd40a53b35
- SHA256: 68d435607aa9bbc1fb27b084a7851140e77afe279443c65f027d4277e888752f
- SHA512: 7aad8a1d5c80e7360a0632dc4fbe553e77e39eb22b79d780dbfd4dd999b4e267658c74b68a50e160a810c6156c0d62814650675ef3fab830480b3a6210236486
- SSDEEP: 12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Dridex family
  resource: behavioral1/memory/3520-4-0x0000000001340000-0x0000000001341000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (4 IoCs)
  pid / Process:
  3832 msra.exe
  1856 rdpshell.exe
  3472 OptionalFeatures.exe
  3408 rdpshell.exe
- Loads dropped DLL (4 IoCs)
  pid / Process:
  3832 msra.exe
  1856 rdpshell.exe
  3472 OptionalFeatures.exe
  3408 rdpshell.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description / ioc / Process:
  Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oumwobogo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3951986358-4006919840-1009690842-1000\\Jhe2Q10Jhye\\rdpshell.exe" (Process not Found)
- Checks whether UAC is enabled (1 TTPs, 5 IoCs)
  description / ioc / Process:
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (OptionalFeatures.exe)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rdpshell.exe)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (msra.exe)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rdpshell.exe)
- Modifies registry class (2 IoCs)
  description / ioc / Process:
  Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (Process not Found)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (Process not Found)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (identical entries collapsed; counts follow the report's 64 IoC total):
  4292 rundll32.exe (4 entries)
  3520 Process not Found (60 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid / Process:
  3520 Process not Found
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  description / pid / Process (the report alternates the two tokens; identical entries collapsed, counts follow the 52 IoC total):
  Token: SeShutdownPrivilege 3520 Process not Found (26 entries)
  Token: SeCreatePagefilePrivilege 3520 Process not Found (26 entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  description / pid / Process / procid_target (each row appears twice in the report):
  PID 3520 wrote to memory of 6028 | 3520 | Process not Found | 96 (2 entries)
  PID 3520 wrote to memory of 3832 | 3520 | Process not Found | 97 (2 entries)
  PID 3520 wrote to memory of 5436 | 3520 | Process not Found | 99 (2 entries)
  PID 3520 wrote to memory of 1856 | 3520 | Process not Found | 100 (2 entries)
  PID 3520 wrote to memory of 3656 | 3520 | Process not Found | 101 (2 entries)
  PID 3520 wrote to memory of 5812 | 3520 | Process not Found | 103 (2 entries)
  PID 3520 wrote to memory of 3472 | 3520 | Process not Found | 104 (2 entries)
  PID 3656 wrote to memory of 3408 | 3656 | cmd.exe | 105 (2 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\250515-e2plhafp5v.dll,#1
  PID: 4292
  Signatures: Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\msra.exe
  Command line: C:\Windows\system32\msra.exe
  PID: 6028
- C:\Users\Admin\AppData\Local\ASZRydCa1\msra.exe
  Command line: C:\Users\Admin\AppData\Local\ASZRydCa1\msra.exe
  PID: 3832
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\rdpshell.exe
  Command line: C:\Windows\system32\rdpshell.exe
  PID: 5436
- C:\Users\Admin\AppData\Local\Bd8\rdpshell.exe
  Command line: C:\Users\Admin\AppData\Local\Bd8\rdpshell.exe
  PID: 1856
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3951986358-4006919840-1009690842-1000\Jhe2Q10Jhye\rdpshell.exe
  PID: 3656
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3951986358-4006919840-1009690842-1000\Jhe2Q10Jhye\rdpshell.exe (child of cmd.exe, PID 3656)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3951986358-4006919840-1009690842-1000\Jhe2Q10Jhye\rdpshell.exe
    PID: 3408
    Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
- C:\Windows\system32\OptionalFeatures.exe
  Command line: C:\Windows\system32\OptionalFeatures.exe
  PID: 5812
- C:\Users\Admin\AppData\Local\PWS\OptionalFeatures.exe
  Command line: C:\Users\Admin\AppData\Local\PWS\OptionalFeatures.exe
  PID: 3472
  Signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v16
Downloads