Malware Analysis Report

2025-05-28 17:25

Sample ID: 250516-fkj55ahl3v
Target: 250516-e2p72agq3s.bin
SHA256: a50b69d11bcdf868ddab7695ee3cbb4e1847ab3104f5befa0b7ce55933835d59
Tags: dridex botnet defense_evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V16
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: a50b69d11bcdf868ddab7695ee3cbb4e1847ab3104f5befa0b7ce55933835d59
Threat Level: Known bad

The file 250516-e2p72agq3s.bin was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet defense_evasion payload persistence trojan

Dridex

Dridex family

Dridex Shellcode

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-05-16 04:55

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-16 04:55
Reported: 2025-05-16 04:58
Platform: win10v2004-20250502-en
Max time kernel: 149s
Max time network: 148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\250516-e2p72agq3s.dll,#1

Signatures

Dridex

Tags: botnet dridex

Dridex family

Tags: dridex

Dridex Shellcode

Tags: botnet payload

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UMq | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UMq\FVEWIZ.dll | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UMq\BitLockerWizardElev.exe | N/A | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qbiudqgjxnqjgk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\DOCUME~1\\1033\\6u31\\DEVICE~1.EXE" | N/A | N/A

Checks whether UAC is enabled

Tags: defense_evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\6u31\DeviceEnroller.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LE9i\DeviceEnroller.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Qxhuae1o2\DeviceEnroller.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\qku4oWV7\BitLockerWizardElev.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3292 wrote to memory of 4208 | N/A | N/A | C:\Windows\system32\DeviceEnroller.exe
PID 3292 wrote to memory of 5072 | N/A | N/A | C:\Users\Admin\AppData\Local\LE9i\DeviceEnroller.exe
PID 3292 wrote to memory of 1364 | N/A | N/A | C:\Windows\system32\DeviceEnroller.exe
PID 3292 wrote to memory of 3364 | N/A | N/A | C:\Users\Admin\AppData\Local\Qxhuae1o2\DeviceEnroller.exe
PID 3292 wrote to memory of 1100 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3292 wrote to memory of 2620 | N/A | N/A | C:\Windows\system32\BitLockerWizardElev.exe
PID 3292 wrote to memory of 1628 | N/A | N/A | C:\Users\Admin\AppData\Local\qku4oWV7\BitLockerWizardElev.exe
PID 1100 wrote to memory of 2416 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\6u31\DeviceEnroller.exe

Uses Task Scheduler COM API

Tags: persistence

Processes

Process | Command line
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\250516-e2p72agq3s.dll,#1
C:\Windows\system32\DeviceEnroller.exe | C:\Windows\system32\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\LE9i\DeviceEnroller.exe | C:\Users\Admin\AppData\Local\LE9i\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe | C:\Windows\system32\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\Qxhuae1o2\DeviceEnroller.exe | C:\Users\Admin\AppData\Local\Qxhuae1o2\DeviceEnroller.exe
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\6u31\DEVICE~1.EXE
C:\Windows\system32\BitLockerWizardElev.exe | C:\Windows\system32\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\qku4oWV7\BitLockerWizardElev.exe | C:\Users\Admin\AppData\Local\qku4oWV7\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\6u31\DeviceEnroller.exe | C:\Users\Admin\AppData\Roaming\MICROS~1\TEMPLA~1\LIVECO~1\16\User\DOCUME~1\1033\6u31\DEVICE~1.EXE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
FR | 142.251.37.35:80 | c.pki.goog | tcp

Files

memory/924-0-0x000001C65BFF0000-0x000001C65BFF7000-memory.dmp

memory/924-1-0x0000000140000000-0x000000014022F000-memory.dmp

memory/3292-5-0x00007FF95257A000-0x00007FF95257B000-memory.dmp

memory/3292-4-0x00000000030D0000-0x00000000030D1000-memory.dmp

memory/3292-10-0x0000000140000000-0x000000014022F000-memory.dmp

memory/3292-39-0x0000000140000000-0x000000014022F000-memory.dmp

memory/3292-64-0x0000000140000000-0x000000014022F000-memory.dmp

C:\Users\Admin\AppData\Local\LE9i\XmlLite.dll

MD5 18c3f18613c053538493d5b2ffeac75d
SHA1 7bc86887987dc9725356988308bc4c4da2f7f347
SHA256 72555988638c100f97911a46a23f7f4ed4b2e2cd6b81ce2369dca4ff987d525f
SHA512 223a9065d86a674b4eeab5c0bdf1ca07998b1fbd25d4e1297742bb2e8b1b69254687a8b05b29695c14d7118df32cc295afaee81b123c6c2c6b9b488153a02b23

memory/5072-98-0x0000017B7E970000-0x0000017B7E977000-memory.dmp

C:\Users\Admin\AppData\Local\LE9i\DeviceEnroller.exe

MD5 946d9474533f58d2613078fd14ca7473
SHA1 c2620ac9522fa3702a6a03299b930d6044aa5e49
SHA256 cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb
SHA512 3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1


C:\Users\Admin\AppData\Local\Qxhuae1o2\XmlLite.dll

MD5 31ec9904a350aafc8a71ff17d76387cf
SHA1 8c5d028a0f7b0fcec833d5672feaa2e6d25ba413
SHA256 d7c131c092ead0c74f8115bc98526babe29f5ed649919719ff589b8d05f68b48
SHA512 f9de7a4de1f0fbed3b488bf60f5aef48f298c7a7da326bc5cff94f10f9399812eb9ed2d3aef4beb4bcf9b4562b7a7888baca26709b8f665c36dcd579cf9fd810

memory/3364-110-0x000001CCBC870000-0x000001CCBC877000-memory.dmp

C:\Users\Admin\AppData\Local\qku4oWV7\BitLockerWizardElev.exe

MD5 8ac5a3a20cf18ae2308c64fd707eeb81
SHA1 31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544
SHA256 803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5
SHA512 85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

C:\Users\Admin\AppData\Local\qku4oWV7\FVEWIZ.dll

MD5 967f84428ac591d08afe0cd9fc70da3b
SHA1 f5289be864be2e57c02d151676afc418c6b78763
SHA256 50857fac111c2a19bfc75fb4fc008db0df9a2570e6cb23e31c9df6d45bc60223
SHA512 6fde012f87bd39760e09fdbfe7b5970eaea02058900e362ca5bdd25a5c46b9a7cea47a794175cef5450885390253712129783988d2aea23139d5f627f2fc77ef

memory/1628-132-0x00000261EE470000-0x00000261EE477000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Blvbmxtedwvmqje.lnk

MD5 86dc9b50a8d1f1de9eb8b9f219885da9
SHA1 abdb177f78971fc8082857f2b98c72f1c9c1335b
SHA256 22189c808f7342cc52b9b9cedfb1e36f312b7dc2672c9a814bf4584b507b4680
SHA512 4c00039bad24c2c298301fe5c7d239d8d7dea6e5197a125f0f99bfe4536e5ae541488cfbf13bb72f494519dbd9667e6cf4bfbf4c519b6d15ec589129b8cd46a6