Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/05/2025, 08:02
Static task: static1
Behavioral task: behavioral1
- Sample: 250519-jqjnbsvns7.dll
- Resource: win10v2004-20250502-en
Behavioral task: behavioral2
- Sample: 250519-jqjnbsvns7.dll
- Resource: win11-20250502-en
General
- Target: 250519-jqjnbsvns7.dll
- Size: 1.9MB
- MD5: 06effa778a2a805203c4af335d725d2b
- SHA1: 4e41f99864618fb2b8b3342b67cbfd448dbf6b9e
- SHA256: b26b58a0fd0811e31a1f53e914784db5736478e1272929ed075f71bc4b48dae9
- SHA512: 8c8a3a5b53c506af885bddb827f06712383c062b71b9acb99845a3113488ffd7749a7681ae72ea19785940b40ce9610e0b48c2de16b9085121c12fee0167203f
- SSDEEP: 12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
- Dridex family
  resource | yara_rule
  behavioral1/memory/3448-4-0x0000000001270000-0x0000000001271000-memory.dmp | dridex_stager_shellcode
- Executes dropped EXE (4 IoCs)
  pid | Process
  5232 | wbengine.exe
  5572 | sethc.exe
  5684 | sethc.exe
  4196 | eudcedit.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  5232 | wbengine.exe
  5572 | sethc.exe
  5684 | sethc.exe
  4196 | eudcedit.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bchxroqbssp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\0FMa\\sethc.exe" | Process not Found
- Checks whether UAC is enabled (1 TTP, 5 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | eudcedit.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wbengine.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sethc.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sethc.exe
- Event Triggered Execution: Accessibility Features (1 TTP)
  Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  408 | rundll32.exe (4 entries)
  3448 | Process not Found (60 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3448 | Process not Found
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3448 | Process not Found
  Token: SeCreatePagefilePrivilege | 3448 | Process not Found
  (this pair of entries is logged four times)
- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  3448 | Process not Found
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 3448 wrote to memory of 4976 | 3448 | Process not Found | 91
  PID 3448 wrote to memory of 5232 | 3448 | Process not Found | 92
  PID 3448 wrote to memory of 3376 | 3448 | Process not Found | 95
  PID 3448 wrote to memory of 5572 | 3448 | Process not Found | 97
  PID 3448 wrote to memory of 3572 | 3448 | Process not Found | 99
  PID 3448 wrote to memory of 3600 | 3448 | Process not Found | 101
  PID 3572 wrote to memory of 5684 | 3572 | cmd.exe | 102
  PID 3448 wrote to memory of 4196 | 3448 | Process not Found | 103
  (each entry is logged twice)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 408)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\250519-jqjnbsvns7.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\wbengine.exe (PID 4976)
  Command line: C:\Windows\system32\wbengine.exe
- C:\Users\Admin\AppData\Local\bIvrQx0\wbengine.exe (PID 5232)
  Command line: C:\Users\Admin\AppData\Local\bIvrQx0\wbengine.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\sethc.exe (PID 3376)
  Command line: C:\Windows\system32\sethc.exe
- C:\Users\Admin\AppData\Local\NMXMyLa\sethc.exe (PID 5572)
  Command line: C:\Users\Admin\AppData\Local\NMXMyLa\sethc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\cmd.exe (PID 3572)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\0FMa\sethc.exe
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\0FMa\sethc.exe (PID 5684, child of PID 3572)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\0FMa\sethc.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
- C:\Windows\system32\eudcedit.exe (PID 3600)
  Command line: C:\Windows\system32\eudcedit.exe
- C:\Users\Admin\AppData\Local\2sK2d7F\eudcedit.exe (PID 4196)
  Command line: C:\Users\Admin\AppData\Local\2sK2d7F\eudcedit.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Accessibility Features (1)
Downloads