Malware Analysis Report

2025-05-28 17:25

Sample ID: 250516-mm4qwaen7z
Target: 250516-mhyztssqw8.bin
SHA256: 7686f055f8b252f4896523a8991be23fdd27da4cd1c71e012c6f9643c3ba587a
Tags: dridex botnet defense_evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V16
Analysis: static1: Detonation Overview, Signatures
Analysis: behavioral1: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis Overview

Score: 10/10
SHA256: 7686f055f8b252f4896523a8991be23fdd27da4cd1c71e012c6f9643c3ba587a
Threat Level: Known bad

The file 250516-mhyztssqw8.bin was found to be: Known bad.

Malicious Activity Summary

dridex botnet defense_evasion payload persistence trojan

Dridex

Dridex family

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V16)

The page records no technique table; the mapping below is derived from the behavioural signatures in this report:

T1218.010 System Binary Proxy Execution: Regsvr32 (sample loaded with regsvr32 /s)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Run value Oifecqo; Tiikwavd.lnk in the user Startup folder)
T1053.005 Scheduled Task/Job: Scheduled Task (Task Scheduler COM API)
T1055 Process Injection (WriteProcessMemory into every child process)
T1574.002 Hijack Execution Flow: DLL Side-Loading (Windows binaries copied to AppData beside DLLs carrying system library names)
T1057 Process Discovery (EnumeratesProcesses)

Analysis: static1

Detonation Overview

Reported: 2025-05-16 10:35

Signatures

Unsigned PE: no description, indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-16 10:35
Reported: 2025-05-16 10:38
Platform: win10v2004-20250502-en
Max time kernel: 149s
Max time network: 125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\250516-mhyztssqw8.dll

The sandbox renamed the submitted .bin to .dll and loaded it through regsvr32, which calls the DLL's DllRegisterServer export; /s suppresses the success or failure dialog, so the entry point runs without any visible prompt.

Signatures

Dridex (botnet, dridex)
Dridex family (dridex)
Dridex Shellcode (botnet, payload)

No description, indicator, process or target recorded for these three detections.

Adds Run key to start application (persistence)

Description: Set value (str)
Key: \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oifecqo
Value: "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\R8aLkWmX\\RecoveryDrive.exe"
Process / Target: not recorded

The value is written under the user's own SID hive (HKCU), so it needs no elevation, and it points at the copy of RecoveryDrive.exe under the Roaming profile that cmd.exe launches later in this run, not at the original in C:\Windows\system32.
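Detection logic for the autostart entries this report records, as an added example that is not part of the sandbox output: it parses the Run-key event above and the Startup-folder shortcut path listed under Files, and flags any autostart whose target lives in a directory a standard user can write to. The SecurityHealth entry used for contrast is constructed, and the list of user-writable path markers is my assumption, not something the report states.

```python
"""Flag autostart entries that point into user-writable profile paths.

Added example, not part of the sandbox report. The Run-key event and the
Startup-folder path below are copied from this report; the SecurityHealth
entry is a constructed benign control; the parsing and the list of
user-writable markers are my own assumptions.
"""
import re
from dataclasses import dataclass

# Directories a standard user can write to. Software installed with admin
# rights has no reason to autostart from here, so such entries deserve a look.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# Sandbox row shape: Set value (str) <key>\<name> = "<value>", for Run and
# RunOnce under either the user's SID hive or HKLM (optionally WOW6432Node).
RUN_KEY_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\(?:USER\\[^\\]+|MACHINE)\\SOFTWARE\\'
    r'(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?P<hive>RunOnce|Run)'
    r'\\(?P<name>[^ ]+) = "(?P<value>.*)"$',
    re.IGNORECASE,
)

EXE_EXTENSIONS = ("exe", "dll", "scr", "bat", "cmd", "vbs", "js", "ps1")
TARGET_RE = re.compile(
    r'^"?(.+?\.(?:%s))"?(?:\s|$)' % "|".join(EXE_EXTENSIONS), re.IGNORECASE
)


@dataclass
class AutostartHit:
    name: str
    target: str
    reason: str


def registry_value_target(value):
    """Reduce a Run value to the path it launches.

    The report doubles backslashes, and real entries may be quoted or carry
    arguments, so unescape, strip quotes and cut after the first executable
    extension.
    """
    path = value.replace("\\\\", "\\").strip()
    m = TARGET_RE.match(path)
    return m.group(1) if m else path.strip('"').split(" ")[0]


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def check_run_events(events):
    """Hits for Run/RunOnce values whose target lives in a user-writable path."""
    hits = []
    for line in events:
        m = RUN_KEY_RE.match(line.strip())
        if not m:
            continue
        target = registry_value_target(m["value"])
        if is_user_writable(target):
            hits.append(AutostartHit(
                m["name"], target,
                f"{m['hive']} value launches from a user-writable directory"))
    return hits


def check_startup_files(paths):
    """Hits for shortcuts written into a user's Startup folder.

    The sandbox prints the folder with 8.3 short names (MICROS~1, STARTM~1),
    so expand those before matching.
    """
    hits = []
    for p in paths:
        low = (p.lower().replace("micros~1", "microsoft")
               .replace("startm~1", "start menu"))
        if "\\start menu\\programs\\startup\\" in low and low.endswith(".lnk"):
            hits.append(AutostartHit(p.rsplit("\\", 1)[-1], p,
                                     "shortcut written to the user Startup folder"))
    return hits


# Sample input. The first event and the .lnk path are taken from this report;
# the SecurityHealth entry is a constructed benign-looking control.
SAMPLE_REGISTRY_EVENTS = [
    'Set value (str) \\REGISTRY\\USER\\S-1-5-21-186956858-2143653872-2609589082-1000'
    '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Oifecqo = '
    '"C:\\\\Users\\\\Admin\\\\AppData\\\\Roaming\\\\Sun\\\\Java\\\\R8aLkWmX\\\\RecoveryDrive.exe"',
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'
    '\\Run\\SecurityHealth = "C:\\\\Program Files\\\\Windows Defender\\\\MSASCuiL.exe"',
]
SAMPLE_DROPPED_PATHS = [
    "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\Tiikwavd.lnk",
    "C:\\Users\\Admin\\AppData\\Local\\xWFyOjH2\\XmlLite.dll",
]

if __name__ == "__main__":
    for hit in check_run_events(SAMPLE_REGISTRY_EVENTS) + check_startup_files(SAMPLE_DROPPED_PATHS):
        print(f"{hit.name}: {hit.target} ({hit.reason})")
```

Run against the two sample events, only Oifecqo is flagged: the HKLM entry under Program Files passes, while the HKCU value pointing into AppData\Roaming and the .lnk in the Startup folder are both reported. The Startup check needs no target path, which matters here because the report does not record what Tiikwavd.lnk points at.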

Checks whether UAC is enabled (defense_evasion, trojan)

Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by each of:
C:\Users\Admin\AppData\Local\xWFyOjH2\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\DS94\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\tfdRDWBc\mblctr.exe
C:\Users\Admin\AppData\Roaming\Sun\Java\R8aLkWmX\RecoveryDrive.exe

The query is made from each of the four relocated copies of the Windows binaries, not from regsvr32, which places the check in the code those copies load rather than in the initial DLL.

Suspicious behavior: EnumeratesProcesses

Four process-enumeration events attributed to C:\Windows\system32\regsvr32.exe, followed by 60 further events with no description, indicator, process or target recorded.

Suspicious behavior: GetForegroundWindowSpam

No description, indicator, process or target recorded.

Suspicious use of AdjustPrivilegeToken

Token: SeShutdownPrivilege (4 events)
Token: SeCreatePagefilePrivilege (4 events)

The eight events arrive as four alternating Shutdown/CreatePagefile pairs; no indicator, process or target is attributed to any of them.

Suspicious use of UnmapMainImage

No description, indicator, process or target recorded. This signature fires when a process unmaps its own main executable image, the step that precedes mapping a replacement image into the same process; with no process recorded it cannot be tied to a PID here.

Suspicious use of WriteProcessMemory

Writer PID  Target PID  Writer process               Target image                                                         Writes
3416        2920        not recorded                 C:\Windows\system32\MusNotifyIcon.exe                                2
3416        3704        not recorded                 C:\Users\Admin\AppData\Local\xWFyOjH2\MusNotifyIcon.exe              2
3416        4568        not recorded                 C:\Windows\system32\RecoveryDrive.exe                                2
3416        3512        not recorded                 C:\Users\Admin\AppData\Local\DS94\RecoveryDrive.exe                  2
3416        4428        not recorded                 C:\Windows\system32\cmd.exe                                          2
3416        2532        not recorded                 C:\Windows\system32\mblctr.exe                                       2
3416        1824        not recorded                 C:\Users\Admin\AppData\Local\tfdRDWBc\mblctr.exe                     2
4428        4328        C:\Windows\system32\cmd.exe  C:\Users\Admin\AppData\Roaming\Sun\Java\R8aLkWmX\RecoveryDrive.exe   2

The Indicator column is N/A throughout. PID 3416 is the writer for every first-stage child (both the System32 originals and the relocated copies), but the report does not name its image; only the final hop, cmd.exe (4428) writing into the Roaming-profile RecoveryDrive.exe (4328), carries a writer process.
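The write graph behind the table above, reconstructed in Python as an added example (not sandbox code): it parses the rows, counts writes per writer/target pair, flags a writer that fans out into several processes, and walks the chain back from the last-stage child. The fan-out threshold of three is an assumption chosen for this example.

```python
"""Reconstruct cross-process writes from sandbox WriteProcessMemory rows.

Added example, not from the report: the rows are copied from this report's
WriteProcessMemory table; the parsing, the fan-out threshold and the
ancestry walk are mine.
"""
import re
from collections import defaultdict

# One table row: "PID <src> wrote to memory of <dst> <indicator> <process> <target>".
# Paths in this report contain no spaces, so whitespace splitting is safe.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+"
    r"(?P<indicator>\S+)\s+(?P<process>\S+)\s+(?P<target>\S+)$"
)


def build_write_graph(rows):
    """Return {writer_pid: {target_pid: {"image": str, "writes": int}}}.

    Rows are counted, not deduplicated: the report lists two rows per target,
    i.e. two separate write calls into the same child.
    """
    graph = defaultdict(dict)
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        entry = graph[src].setdefault(dst, {"image": m["target"], "writes": 0})
        entry["writes"] += 1
    return dict(graph)


def injection_candidates(graph, min_targets=3):
    """Writers that push memory into at least `min_targets` distinct processes.

    One process writing into several freshly started system binaries is the
    loader-to-child pattern; ordinary parents rarely write into more than one
    child. The threshold is an assumption for this example.
    """
    out = []
    for writer, targets in graph.items():
        if len(targets) >= min_targets:
            images = sorted({t["image"] for t in targets.values()})
            out.append((writer, len(targets), images))
    return sorted(out, key=lambda c: -c[1])


def write_ancestry(graph, pid):
    """Walk back from `pid` through the processes that wrote into it."""
    parents = {dst: src for src, targets in graph.items() for dst in targets}
    chain = []
    while pid in parents and parents[pid] not in chain:
        pid = parents[pid]
        chain.append(pid)
    return chain


# Sample input copied from the report's table (Description, Indicator, Process, Target).
SAMPLE_ROWS = [
    "PID 3416 wrote to memory of 2920 N/A N/A C:\\Windows\\system32\\MusNotifyIcon.exe",
    "PID 3416 wrote to memory of 2920 N/A N/A C:\\Windows\\system32\\MusNotifyIcon.exe",
    "PID 3416 wrote to memory of 3704 N/A N/A C:\\Users\\Admin\\AppData\\Local\\xWFyOjH2\\MusNotifyIcon.exe",
    "PID 3416 wrote to memory of 3704 N/A N/A C:\\Users\\Admin\\AppData\\Local\\xWFyOjH2\\MusNotifyIcon.exe",
    "PID 3416 wrote to memory of 4568 N/A N/A C:\\Windows\\system32\\RecoveryDrive.exe",
    "PID 3416 wrote to memory of 4568 N/A N/A C:\\Windows\\system32\\RecoveryDrive.exe",
    "PID 3416 wrote to memory of 3512 N/A N/A C:\\Users\\Admin\\AppData\\Local\\DS94\\RecoveryDrive.exe",
    "PID 3416 wrote to memory of 3512 N/A N/A C:\\Users\\Admin\\AppData\\Local\\DS94\\RecoveryDrive.exe",
    "PID 3416 wrote to memory of 4428 N/A N/A C:\\Windows\\system32\\cmd.exe",
    "PID 3416 wrote to memory of 4428 N/A N/A C:\\Windows\\system32\\cmd.exe",
    "PID 3416 wrote to memory of 2532 N/A N/A C:\\Windows\\system32\\mblctr.exe",
    "PID 3416 wrote to memory of 2532 N/A N/A C:\\Windows\\system32\\mblctr.exe",
    "PID 3416 wrote to memory of 1824 N/A N/A C:\\Users\\Admin\\AppData\\Local\\tfdRDWBc\\mblctr.exe",
    "PID 3416 wrote to memory of 1824 N/A N/A C:\\Users\\Admin\\AppData\\Local\\tfdRDWBc\\mblctr.exe",
    "PID 4428 wrote to memory of 4328 N/A C:\\Windows\\system32\\cmd.exe C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\R8aLkWmX\\RecoveryDrive.exe",
    "PID 4428 wrote to memory of 4328 N/A C:\\Windows\\system32\\cmd.exe C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\R8aLkWmX\\RecoveryDrive.exe",
]

if __name__ == "__main__":
    g = build_write_graph(SAMPLE_ROWS)
    for writer, n, images in injection_candidates(g):
        print(f"PID {writer} wrote into {n} processes: {', '.join(images)}")
    print("4328 was written by:", write_ancestry(g, 4328))
```

On this report the graph has exactly two writers: 3416 fans out into seven distinct processes and is the only injection candidate, while 4428 (cmd.exe) writes into a single child. Walking back from 4328 gives the chain 4428 then 3416, which is the order an analyst needs when the sandbox has not labelled the top writer's image.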

Uses Task Scheduler COM API (persistence)

No indicator rows recorded.

Processes

Image                                                               Command line
C:\Windows\system32\regsvr32.exe                                    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\250516-mhyztssqw8.dll
C:\Windows\system32\MusNotifyIcon.exe                               C:\Windows\system32\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\xWFyOjH2\MusNotifyIcon.exe             C:\Users\Admin\AppData\Local\xWFyOjH2\MusNotifyIcon.exe
C:\Windows\system32\RecoveryDrive.exe                               C:\Windows\system32\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\DS94\RecoveryDrive.exe                 C:\Users\Admin\AppData\Local\DS94\RecoveryDrive.exe
C:\Windows\system32\cmd.exe                                         C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Sun\Java\R8aLkWmX\RecoveryDrive.exe
C:\Windows\system32\mblctr.exe                                      C:\Windows\system32\mblctr.exe
C:\Users\Admin\AppData\Local\tfdRDWBc\mblctr.exe                    C:\Users\Admin\AppData\Local\tfdRDWBc\mblctr.exe
C:\Users\Admin\AppData\Roaming\Sun\Java\R8aLkWmX\RecoveryDrive.exe  C:\Users\Admin\AppData\Roaming\Sun\Java\R8aLkWmX\RecoveryDrive.exe

Network

Country  Destination         Domain            Proto
US       8.8.8.8:53          g.bing.com        udp
US       150.171.28.10:443   g.bing.com        tcp
US       8.8.8.8:53          tse1.mm.bing.net  udp
US       150.171.28.10:443   tse1.mm.bing.net  tcp (3 connections)
US       8.8.8.8:53          c.pki.goog        udp
FR       142.251.37.35:80    c.pki.goog        tcp

All of this is consistent with Windows background traffic on the win10v2004 image (DNS to 8.8.8.8, Bing search and tile endpoints, Google's certificate-status host c.pki.goog); no Dridex command-and-control connection was captured in the 125s network window, so this run yields no network IOCs for the sample itself.

Files

Memory dumps are named memory/<PID>-<index>-<start>-<end>-memory.dmp. Every dumped process carries a region at 0x0000000140000000, the default x64 image base, of 0x1C6000 bytes in PIDs 3500 and 3416 and 0x1C7000 bytes in the relocated children (3704, 3512, 1824, 4328); those are the regions to carve for static analysis. Repeated dumps of the same region are collapsed below as {index list}.

Three of the dropped executables (MusNotifyIcon.exe, RecoveryDrive.exe, mblctr.exe) share their names with binaries the process list shows running from C:\Windows\system32, and each was written to a randomly named folder under AppData\Local together with a DLL that carries a Windows system library name (XmlLite.dll, ReAgent.dll, WTSAPI32.dll). Compare the dropped EXE hashes with the System32 originals from the same Windows build: if they match, the EXEs are the legitimate Microsoft binaries and the DLL beside each is the component actually loaded through search-order hijacking (ATT&CK T1574.002). The fourth relocated copy, C:\Users\Admin\AppData\Roaming\Sun\Java\R8aLkWmX\RecoveryDrive.exe (the Run-key target, launched here through cmd.exe /c), has no dropped-file entry and no companion DLL recorded in this run.

memory/3500-{0,3}-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3500-4-0x0000000000C90000-0x0000000000C97000-memory.dmp
memory/3416-5-0x0000000002FC0000-0x0000000002FC1000-memory.dmp
memory/3416-7-0x00007FFDD192A000-0x00007FFDD192B000-memory.dmp
memory/3416-{25,43,44}-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3704-{75,80}-0x0000000140000000-0x00000001401C7000-memory.dmp
memory/3704-81-0x000002631CD80000-0x000002631CD87000-memory.dmp

C:\Users\Admin\AppData\Local\xWFyOjH2\XmlLite.dll

MD5 5484764c9cff3a5e91e43f90ef967033
SHA1 4304dae70af13f0897e18123a2d65706c272284d
SHA256 9d342eb0138f380bbb69155e37a5268e3b96fcf0364efab82daf07efc7975fe6
SHA512 ae2ee9d79e7a6ff02746872ce56bc13a4122d73b644e5413d20ba94528c1bea33b891918e8487da40e196a77386f9a6e2796daac7764ce71c3718402216aa75a

C:\Users\Admin\AppData\Local\xWFyOjH2\MusNotifyIcon.exe

MD5 c54b1a69a21e03b83ebb0aeb3758b6f7
SHA1 b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c
SHA256 ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf
SHA512 2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

memory/3416-71-0x00007FFDD2960000-0x00007FFDD2970000-memory.dmp
memory/3416-70-0x0000000001190000-0x0000000001197000-memory.dmp
memory/3416-{8-12,14-24,26-34,36-42,45,46,53,62,64}-0x0000000140000000-0x00000001401C6000-memory.dmp (37 dumps)
memory/3500-35-0x0000000140000000-0x00000001401C6000-memory.dmp

C:\Users\Admin\AppData\Local\DS94\RecoveryDrive.exe

MD5 b9b3dc6f2eb89e41ff27400952602c74
SHA1 24ae07e0db3ace0809d08bbd039db3a9d533e81b
SHA256 630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4
SHA512 7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

C:\Users\Admin\AppData\Local\DS94\ReAgent.dll

MD5 ac00e7059bd56a33dd871ec4e92ba4f8
SHA1 3cbc92f1adc50ccf9803bb5c1591546e09a968f1
SHA256 f9fa40faecb6bf957f11673a18e18023e3bafef2c9c31e91b483d2ac250ee0c5
SHA512 266bc6869546ac15a6ffc02923795af4af1fe5ddd549e1675031a519ccc2ec1ec70cd264336044b92f32779367a8cba08748462e92787b197ec6cf09b220ef7e

memory/3512-97-0x000001FDA0D00000-0x000001FDA0D07000-memory.dmp
memory/3512-{96,101}-0x0000000140000000-0x00000001401C7000-memory.dmp
memory/3416-106-0x0000000003170000-0x0000000003171000-memory.dmp

C:\Users\Admin\AppData\Local\tfdRDWBc\mblctr.exe

MD5 d3db14eabb2679e08020bcd0c96fa9f6
SHA1 578dca7aad29409634064579d269e61e1f07d9dd
SHA256 3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69
SHA512 14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

C:\Users\Admin\AppData\Local\tfdRDWBc\WTSAPI32.dll

MD5 83245557ecdb577db0d4d18db7935122
SHA1 bfd8a39dbfd2c05ab3ab2e6eead1ea3b1b5e115d
SHA256 951a3df2ac4933b636e0227a5aae6f8fce8e8ddd06abe99998cba53b03ebc4b5
SHA512 c15dd5432930cbc811d40c7207fc9d40f922b5a65e019a1aca238302cba3768c2a6cea6045820c40cca0b4cb4f6314ad3b1346b5bffb803ed86fb9521e790753

memory/1824-119-0x0000000140000000-0x00000001401C7000-memory.dmp
memory/4328-134-0x0000000140000000-0x00000001401C7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiikwavd.lnk (8.3 short names; the long path is C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, the per-user Startup folder, which gives the sample a second autostart alongside the Run key; the shortcut's target is not recorded in this report)

MD5 45b209adc59705aba471cf45a30f0868
SHA1 01df89f52d3f735c255dcaa5561a5926d5762657
SHA256 60994acd3976f45236d04e26b49d42080d7c99802f83b21395723f5b05717601
SHA512 213b9595022be1a89ed5cbdfd12c7d02e3afdd77595b0ba9e3d3eca3173ee46806c93a8eb83222cb44fa7ef76a283ebf34687a750e6b5ccce009180ab438ccb1
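A check for the side-loading layout, as an added example that is not part of the report: it takes the image paths from the Processes section and the dropped paths from this section, finds every copy of a C:\Windows binary that ran from somewhere else, and lists the DLLs dropped beside it. Nothing is hard-coded to this sample; the set of "Windows binaries" is derived from the process list itself. The user-writable test (any path containing \AppData\) is an assumption.

```python
"""Spot DLL side-loading layouts among a sandbox run's processes and dropped files.

Added example, not part of the report. Process image paths and dropped-file
paths are copied from this report's Processes and Files sections; the
matching logic and the user-writable heuristic are mine.
"""
from collections import defaultdict

WINDOWS_DIR = "c:\\windows\\"


def split_win(path):
    """Split a Windows path into (directory, file name) without os.path,
    so the check behaves the same on a Linux analysis box."""
    d, _, name = path.rpartition("\\")
    return d, name


def windows_image_names(process_images):
    """Lower-cased base names of every process image launched from under C:\\Windows."""
    return {split_win(p)[1].lower() for p in process_images
            if p.lower().startswith(WINDOWS_DIR)}


def find_sideload_layouts(process_images, dropped_files):
    """Pair each copy of a Windows binary running outside C:\\Windows with the
    DLLs dropped next to it.

    A copy with a DLL beside it is the classic side-loading layout; a copy
    without one is reported too, because the DLL may simply not have been
    captured by the sandbox.
    """
    system_names = windows_image_names(process_images)
    dlls_by_dir = defaultdict(list)
    for f in dropped_files:
        d, name = split_win(f)
        if name.lower().endswith(".dll"):
            dlls_by_dir[d.lower()].append(name)

    layouts, seen = [], set()
    for p in process_images:
        d, name = split_win(p)
        key = (d.lower(), name.lower())
        if p.lower().startswith(WINDOWS_DIR) or name.lower() not in system_names or key in seen:
            continue
        seen.add(key)
        layouts.append({
            "dir": d,
            "exe": name,
            "dlls": sorted(dlls_by_dir.get(d.lower(), [])),
            # Assumption for this example: anything under a profile's AppData
            # is writable by the user who owns it.
            "user_writable": "\\appdata\\" in d.lower(),
        })
    return layouts


# Sample input copied from the report (Processes and Files sections).
PROCESS_IMAGES = [
    "C:\\Windows\\system32\\regsvr32.exe",
    "C:\\Windows\\system32\\MusNotifyIcon.exe",
    "C:\\Users\\Admin\\AppData\\Local\\xWFyOjH2\\MusNotifyIcon.exe",
    "C:\\Windows\\system32\\RecoveryDrive.exe",
    "C:\\Users\\Admin\\AppData\\Local\\DS94\\RecoveryDrive.exe",
    "C:\\Windows\\system32\\cmd.exe",
    "C:\\Windows\\system32\\mblctr.exe",
    "C:\\Users\\Admin\\AppData\\Local\\tfdRDWBc\\mblctr.exe",
    "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\R8aLkWmX\\RecoveryDrive.exe",
]
DROPPED_FILES = [
    "C:\\Users\\Admin\\AppData\\Local\\xWFyOjH2\\XmlLite.dll",
    "C:\\Users\\Admin\\AppData\\Local\\xWFyOjH2\\MusNotifyIcon.exe",
    "C:\\Users\\Admin\\AppData\\Local\\DS94\\RecoveryDrive.exe",
    "C:\\Users\\Admin\\AppData\\Local\\DS94\\ReAgent.dll",
    "C:\\Users\\Admin\\AppData\\Local\\tfdRDWBc\\mblctr.exe",
    "C:\\Users\\Admin\\AppData\\Local\\tfdRDWBc\\WTSAPI32.dll",
    "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\Tiikwavd.lnk",
]

if __name__ == "__main__":
    for layout in find_sideload_layouts(PROCESS_IMAGES, DROPPED_FILES):
        dlls = ", ".join(layout["dlls"]) or "no DLL captured"
        print(f"{layout['dir']}\\{layout['exe']}: {dlls}")
```

On this report the check returns four layouts, three of them complete (MusNotifyIcon.exe with XmlLite.dll, RecoveryDrive.exe with ReAgent.dll, mblctr.exe with WTSAPI32.dll) and one with no DLL captured (the Roaming-profile RecoveryDrive.exe). The next step on a live host is to hash each relocated EXE against its System32 original, which this offline check cannot do.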