Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/05/2025, 04:55
Static task: static1
Behavioral task: behavioral1
Sample: 250516-e2p72agq3s.dll
Resource: win10v2004-20250502-en
General
Target: 250516-e2p72agq3s.dll
Size: 2.2MB
MD5: 0541b42d9e97b0f7bc762f924f49ca8e
SHA1: 861f752b3c8e4427c442f89dc586f2eb38d79084
SHA256: a50b69d11bcdf868ddab7695ee3cbb4e1847ab3104f5befa0b7ce55933835d59
SHA512: 23f4e2a6aa4ca22565a5c59991f526b21f78ce1c69d48858ab32bb72ead479b3eebefe02a840c10a92de7f3aa4140bd4fb7971a01f0fcb5340c820d4991b1150
SSDEEP: 12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Dridex family
- resource: behavioral1/memory/3292-4-0x00000000030D0000-0x00000000030D1000-memory.dmp; yara_rule: dridex_stager_shellcode
Drops startup file (3 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UMq (Process not Found)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UMq\FVEWIZ.dll (Process not Found)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UMq\BitLockerWizardElev.exe (Process not Found)
Executes dropped EXE (4 IoCs)
- PID 5072: DeviceEnroller.exe
- PID 3364: DeviceEnroller.exe
- PID 1628: BitLockerWizardElev.exe
- PID 2416: DeviceEnroller.exe
Loads dropped DLL (4 IoCs)
- PID 5072: DeviceEnroller.exe
- PID 3364: DeviceEnroller.exe
- PID 1628: BitLockerWizardElev.exe
- PID 2416: DeviceEnroller.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qbiudqgjxnqjgk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\DOCUME~1\\1033\\6u31\\DEVICE~1.EXE" (Process not Found)
Checks whether UAC is enabled (1 TTP, 5 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DeviceEnroller.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DeviceEnroller.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DeviceEnroller.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (BitLockerWizardElev.exe)
Modifies registry class (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (Process not Found)
- Key created: \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (Process not Found)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 924: rundll32.exe (4 entries)
- PID 3292: Process not Found (60 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3292: Process not Found
Suspicious use of AdjustPrivilegeToken (40 IoCs)
- Token: SeShutdownPrivilege, PID 3292, Process not Found (20 entries)
- Token: SeCreatePagefilePrivilege, PID 3292, Process not Found (20 entries)
Suspicious use of UnmapMainImage (1 IoC)
- PID 3292: Process not Found
Suspicious use of WriteProcessMemory (16 IoCs)
- PID 3292 (Process not Found) wrote to memory of PID 4208, procid_target 88 (2 entries)
- PID 3292 (Process not Found) wrote to memory of PID 5072, procid_target 89 (2 entries)
- PID 3292 (Process not Found) wrote to memory of PID 1364, procid_target 93 (2 entries)
- PID 3292 (Process not Found) wrote to memory of PID 3364, procid_target 94 (2 entries)
- PID 3292 (Process not Found) wrote to memory of PID 1100, procid_target 96 (2 entries)
- PID 3292 (Process not Found) wrote to memory of PID 2620, procid_target 98 (2 entries)
- PID 3292 (Process not Found) wrote to memory of PID 1628, procid_target 99 (2 entries)
- PID 1100 (cmd.exe) wrote to memory of PID 2416, procid_target 100 (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 924)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\250516-e2p72agq3s.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\DeviceEnroller.exe (PID 4208)
  command line: C:\Windows\system32\DeviceEnroller.exe
- C:\Users\Admin\AppData\Local\LE9i\DeviceEnroller.exe (PID 5072)
  command line: C:\Users\Admin\AppData\Local\LE9i\DeviceEnroller.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\DeviceEnroller.exe (PID 1364)
  command line: C:\Windows\system32\DeviceEnroller.exe
- C:\Users\Admin\AppData\Local\Qxhuae1o2\DeviceEnroller.exe (PID 3364)
  command line: C:\Users\Admin\AppData\Local\Qxhuae1o2\DeviceEnroller.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\cmd.exe (PID 1100)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\6u31\DEVICE~1.EXE
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\6u31\DeviceEnroller.exe (PID 2416, child of PID 1100)
    command line: C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\6u31\DEVICE~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
- C:\Windows\system32\BitLockerWizardElev.exe (PID 2620)
  command line: C:\Windows\system32\BitLockerWizardElev.exe
- C:\Users\Admin\AppData\Local\qku4oWV7\BitLockerWizardElev.exe (PID 1628)
  command line: C:\Users\Admin\AppData\Local\qku4oWV7\BitLockerWizardElev.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v16
Downloads