Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/05/2025, 04:55

General

  • Target

    250516-e2p72agq3s.dll

  • Size

    2.2MB

  • MD5

    0541b42d9e97b0f7bc762f924f49ca8e

  • SHA1

    861f752b3c8e4427c442f89dc586f2eb38d79084

  • SHA256

    a50b69d11bcdf868ddab7695ee3cbb4e1847ab3104f5befa0b7ce55933835d59

  • SHA512

    23f4e2a6aa4ca22565a5c59991f526b21f78ce1c69d48858ab32bb72ead479b3eebefe02a840c10a92de7f3aa4140bd4fb7971a01f0fcb5340c820d4991b1150

  • SSDEEP

    12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex family
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\250516-e2p72agq3s.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:924
  • C:\Windows\system32\DeviceEnroller.exe
    C:\Windows\system32\DeviceEnroller.exe
    1⤵
      PID:4208
    • C:\Users\Admin\AppData\Local\LE9i\DeviceEnroller.exe
      C:\Users\Admin\AppData\Local\LE9i\DeviceEnroller.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:5072
    • C:\Windows\system32\DeviceEnroller.exe
      C:\Windows\system32\DeviceEnroller.exe
      1⤵
        PID:1364
      • C:\Users\Admin\AppData\Local\Qxhuae1o2\DeviceEnroller.exe
        C:\Users\Admin\AppData\Local\Qxhuae1o2\DeviceEnroller.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3364
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\6u31\DEVICE~1.EXE
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\6u31\DeviceEnroller.exe
          C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\6u31\DEVICE~1.EXE
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2416
      • C:\Windows\system32\BitLockerWizardElev.exe
        C:\Windows\system32\BitLockerWizardElev.exe
        1⤵
          PID:2620
        • C:\Users\Admin\AppData\Local\qku4oWV7\BitLockerWizardElev.exe
          C:\Users\Admin\AppData\Local\qku4oWV7\BitLockerWizardElev.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1628

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\LE9i\DeviceEnroller.exe
    Filesize  448KB
    MD5       946d9474533f58d2613078fd14ca7473
    SHA1      c2620ac9522fa3702a6a03299b930d6044aa5e49
    SHA256    cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb
    SHA512    3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

  • C:\Users\Admin\AppData\Local\LE9i\XmlLite.dll
    Filesize  2.2MB
    MD5       18c3f18613c053538493d5b2ffeac75d
    SHA1      7bc86887987dc9725356988308bc4c4da2f7f347
    SHA256    72555988638c100f97911a46a23f7f4ed4b2e2cd6b81ce2369dca4ff987d525f
    SHA512    223a9065d86a674b4eeab5c0bdf1ca07998b1fbd25d4e1297742bb2e8b1b69254687a8b05b29695c14d7118df32cc295afaee81b123c6c2c6b9b488153a02b23

  • C:\Users\Admin\AppData\Local\Qxhuae1o2\XmlLite.dll
    Filesize  2.2MB
    MD5       31ec9904a350aafc8a71ff17d76387cf
    SHA1      8c5d028a0f7b0fcec833d5672feaa2e6d25ba413
    SHA256    d7c131c092ead0c74f8115bc98526babe29f5ed649919719ff589b8d05f68b48
    SHA512    f9de7a4de1f0fbed3b488bf60f5aef48f298c7a7da326bc5cff94f10f9399812eb9ed2d3aef4beb4bcf9b4562b7a7888baca26709b8f665c36dcd579cf9fd810

  • C:\Users\Admin\AppData\Local\qku4oWV7\BitLockerWizardElev.exe
    Filesize  100KB
    MD5       8ac5a3a20cf18ae2308c64fd707eeb81
    SHA1      31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544
    SHA256    803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5
    SHA512    85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

  • C:\Users\Admin\AppData\Local\qku4oWV7\FVEWIZ.dll
    Filesize  2.2MB
    MD5       967f84428ac591d08afe0cd9fc70da3b
    SHA1      f5289be864be2e57c02d151676afc418c6b78763
    SHA256    50857fac111c2a19bfc75fb4fc008db0df9a2570e6cb23e31c9df6d45bc60223
    SHA512    6fde012f87bd39760e09fdbfe7b5970eaea02058900e362ca5bdd25a5c46b9a7cea47a794175cef5450885390253712129783988d2aea23139d5f627f2fc77ef

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Blvbmxtedwvmqje.lnk
    Filesize  1KB
    MD5       86dc9b50a8d1f1de9eb8b9f219885da9
    SHA1      abdb177f78971fc8082857f2b98c72f1c9c1335b
    SHA256    22189c808f7342cc52b9b9cedfb1e36f312b7dc2672c9a814bf4584b507b4680
    SHA512    4c00039bad24c2c298301fe5c7d239d8d7dea6e5197a125f0f99bfe4536e5ae541488cfbf13bb72f494519dbd9667e6cf4bfbf4c519b6d15ec589129b8cd46a6

  • memory/924-0-0x000001C65BFF0000-0x000001C65BFF7000-memory.dmp  Filesize: 28KB
  • memory/924-1-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/924-7-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/1628-132-0x00000261EE470000-0x00000261EE477000-memory.dmp  Filesize: 28KB
  • memory/3292-36-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-31-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-89-0x00007FF953DA0000-0x00007FF953DB0000-memory.dmp  Filesize: 64KB
  • memory/3292-88-0x0000000002D20000-0x0000000002D27000-memory.dmp  Filesize: 28KB
  • memory/3292-63-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-62-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-61-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-59-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-58-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-57-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-56-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-55-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-54-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-52-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-51-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-50-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-49-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-48-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-47-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-45-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-44-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-43-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-42-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-41-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-40-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-37-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-39-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-35-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-34-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-33-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-32-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-64-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-29-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-27-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-28-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-25-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-24-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-23-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-21-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-20-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-19-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-18-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-17-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-16-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-60-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-15-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-14-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-53-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-13-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-12-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-46-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-11-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-38-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-9-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-30-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-8-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-26-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-22-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-10-0x0000000140000000-0x000000014022F000-memory.dmp  Filesize: 2.2MB
  • memory/3292-4-0x00000000030D0000-0x00000000030D1000-memory.dmp  Filesize: 4KB
  • memory/3292-5-0x00007FF95257A000-0x00007FF95257B000-memory.dmp  Filesize: 4KB
  • memory/3364-110-0x000001CCBC870000-0x000001CCBC877000-memory.dmp  Filesize: 28KB
  • memory/5072-98-0x0000017B7E970000-0x0000017B7E977000-memory.dmp  Filesize: 28KB