Malware Analysis Report

2025-05-28 17:25

Sample ID 250515-fq99hagk3s
Target 250515-e2plhafp5v.bin
SHA256 68d435607aa9bbc1fb27b084a7851140e77afe279443c65f027d4277e888752f
Tags: dridex botnet defense_evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 68d435607aa9bbc1fb27b084a7851140e77afe279443c65f027d4277e888752f

Threat Level: Known bad

The file 250515-e2plhafp5v.bin was found to be: Known bad.

Malicious Activity Summary

dridex botnet defense_evasion payload persistence trojan

Dridex

Dridex family

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-15 05:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 05:05

Reported

2025-05-15 05:08

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\250515-e2plhafp5v.dll,#1

Signatures

Dridex

botnet dridex

Dridex family

dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oumwobogo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3951986358-4006919840-1009690842-1000\\Jhe2Q10Jhye\\rdpshell.exe" N/A N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\PWS\OptionalFeatures.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3951986358-4006919840-1009690842-1000\Jhe2Q10Jhye\rdpshell.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ASZRydCa1\msra.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Bd8\rdpshell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (4 identical rows)
N/A N/A N/A N/A (60 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (26 identical rows, alternating with the row below)
Token: SeCreatePagefilePrivilege N/A N/A N/A (26 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 6028 N/A N/A C:\Windows\system32\msra.exe (2 identical rows)
PID 3520 wrote to memory of 3832 N/A N/A C:\Users\Admin\AppData\Local\ASZRydCa1\msra.exe (2 identical rows)
PID 3520 wrote to memory of 5436 N/A N/A C:\Windows\system32\rdpshell.exe (2 identical rows)
PID 3520 wrote to memory of 1856 N/A N/A C:\Users\Admin\AppData\Local\Bd8\rdpshell.exe (2 identical rows)
PID 3520 wrote to memory of 3656 N/A N/A C:\Windows\system32\cmd.exe (2 identical rows)
PID 3520 wrote to memory of 5812 N/A N/A C:\Windows\system32\OptionalFeatures.exe (2 identical rows)
PID 3520 wrote to memory of 3472 N/A N/A C:\Users\Admin\AppData\Local\PWS\OptionalFeatures.exe (2 identical rows)
PID 3656 wrote to memory of 3408 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3951986358-4006919840-1009690842-1000\Jhe2Q10Jhye\rdpshell.exe (2 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\250515-e2plhafp5v.dll,#1

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\ASZRydCa1\msra.exe

C:\Users\Admin\AppData\Local\ASZRydCa1\msra.exe

C:\Windows\system32\rdpshell.exe

C:\Windows\system32\rdpshell.exe

C:\Users\Admin\AppData\Local\Bd8\rdpshell.exe

C:\Users\Admin\AppData\Local\Bd8\rdpshell.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3951986358-4006919840-1009690842-1000\Jhe2Q10Jhye\rdpshell.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\PWS\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\PWS\OptionalFeatures.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3951986358-4006919840-1009690842-1000\Jhe2Q10Jhye\rdpshell.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3951986358-4006919840-1009690842-1000\Jhe2Q10Jhye\rdpshell.exe

Network

Country Destination Domain Proto
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (5 identical rows)
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp

Files

memory/4292-0-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/4292-3-0x000002B1634C0000-0x000002B1634C7000-memory.dmp

memory/3520-6-0x00007FFC7FB8A000-0x00007FFC7FB8B000-memory.dmp

memory/3520-4-0x0000000001340000-0x0000000001341000-memory.dmp

memory/3520-17-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-16-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-15-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-52-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-14-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-13-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-50-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-49-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-12-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-45-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-11-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-10-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-9-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-8-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-7-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-25-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-21-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-18-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-19-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-61-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-83-0x00007FFC819C0000-0x00007FFC819D0000-memory.dmp

memory/3520-82-0x00000000012D0000-0x00000000012D7000-memory.dmp

C:\Users\Admin\AppData\Local\ASZRydCa1\NDFAPI.DLL

MD5 b04c89c04cbf3fac70d2c0bbfa3918d2
SHA1 b28a8f1ad5fbef216dc18d0061e1e119df72d93e
SHA256 fc4905a0ee1e254886d7971f873cc420839e5786e8c0414d4120ab1b1480d950
SHA512 abd9334dd9bbe4620ca8c2bb1f991f92cf6548ef9ec878e204a3da4d745a0bc96f387f1153e0e88ca616b7ea628ea06f9dbb2f03bf642824c04d81e0b23cc14a

memory/3832-93-0x000001AECC9F0000-0x000001AECC9F7000-memory.dmp

C:\Users\Admin\AppData\Local\ASZRydCa1\msra.exe

MD5 dcda3b7b8eb0bfbccb54b4d6a6844ad6
SHA1 316a2925e451f739f45e31bc233a95f91bf775fa
SHA256 011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae
SHA512 18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

memory/3520-60-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-59-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-58-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-57-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-56-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-55-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-54-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-53-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-51-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-48-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-47-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-46-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-44-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-43-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-42-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-41-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-40-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-38-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-39-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-37-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-36-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-35-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-34-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-33-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-32-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-31-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-30-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-29-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-28-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-27-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-26-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-24-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-23-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/3520-22-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/4292-20-0x0000000140000000-0x00000001401DF000-memory.dmp

C:\Users\Admin\AppData\Local\Bd8\rdpshell.exe

MD5 428066713f225bb8431340fa670671d4
SHA1 47f6878ff33317c3fc09c494df729a463bda174c
SHA256 da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd
SHA512 292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

C:\Users\Admin\AppData\Local\Bd8\WTSAPI32.dll

MD5 66b5445922bc8ad5c932a30ed2675a75
SHA1 757b115c01695cbf90d29d519fb84a3185af073d
SHA256 7f66a4d2c5fa45e9276119c8a3f629aacaaedad18f5d2d8bc3e1651c4fed3393
SHA512 f0a247ce25e98e74ba3f0d4a6b4885545001f07d3c824edbc234a6c1587277fa580d73da1beb9fe8916f7a5eaabf0e260cfa84ec4ee3e28090ad527f7b8bd8df

memory/1856-110-0x000002809D510000-0x000002809D517000-memory.dmp

C:\Users\Admin\AppData\Local\PWS\appwiz.cpl

MD5 7dfc22966716deacda8bd06585e967ed
SHA1 575f7cca70a1cc51036016451d933ea2a061247c
SHA256 41935b87d13f78826ecfdd1936d4dcf71eaf522e200c74a64855cb4370cb1b18
SHA512 d5230086cb3d4fdb5edef27a6ff45e174d303a277f62a3696b8a81f6fb84ff7be45105bb0d0253291d6637cb9a31ebe66216a6a471df071c567112500c371439

C:\Users\Admin\AppData\Local\PWS\OptionalFeatures.exe

MD5 d6cd8bef71458804dbc33b88ace56372
SHA1 a18b58445be2492c5d37abad69b5aa0d29416a60
SHA256 fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8
SHA512 1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mtazevzulblvkh.lnk

MD5 06cfbb99e9f0e80be91284007822d629
SHA1 4f979cf920af3f66d5b80a8e48e550332a542937
SHA256 287d4c0b9c3b6ba55e7f45bfa664e058cc08944670d8fffdd62baaeb1a4cfdab
SHA512 17425f26cfdcda4343fe134a09cf2362b0af45efaa9b149d01a480e6c4d850421508e0fd75d5880ea4092c1e8c504a8041717c1f19dde47069f603d458c4afee