Analysis
max time kernel: 150s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/05/2025, 08:02
Static task: static1
Behavioral task: behavioral1
  Sample: 250519-jqjnbsvns7.dll
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: 250519-jqjnbsvns7.dll
  Resource: win11-20250502-en
General
Target: 250519-jqjnbsvns7.dll
Size: 1.9MB
MD5: 06effa778a2a805203c4af335d725d2b
SHA1: 4e41f99864618fb2b8b3342b67cbfd448dbf6b9e
SHA256: b26b58a0fd0811e31a1f53e914784db5736478e1272929ed075f71bc4b48dae9
SHA512: 8c8a3a5b53c506af885bddb827f06712383c062b71b9acb99845a3113488ffd7749a7681ae72ea19785940b40ce9610e0b48c2de16b9085121c12fee0167203f
SSDEEP: 12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
Dridex family
  resource: behavioral2/memory/3264-4-0x00000000026F0000-0x00000000026F1000-memory.dmp
  yara_rule: dridex_stager_shellcode
Executes dropped EXE (4 IoCs)
  pid   Process
  4908  rdpclip.exe
  4940  wusa.exe
  3068  wusa.exe
  5696  AgentService.exe
Loads dropped DLL (3 IoCs)
  pid   Process
  4908  rdpclip.exe
  4940  wusa.exe
  3068  wusa.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wfsmcetjkwodll = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\W7uGOyZ0\\wusa.exe"  (process: Process not Found)
Checks whether UAC is enabled (1 TTP, 4 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: rdpclip.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: wusa.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: wusa.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1204  rundll32.exe  (4 entries)
  3264  Process not Found  (all remaining entries, 64 IoCs in total)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3264  Process not Found
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeShutdownPrivilege           3264  Process not Found
  Token: SeCreatePagefilePrivilege     3264  Process not Found
  (the two tokens alternate in this order for all 64 entries, always from pid 3264)
Suspicious use of WriteProcessMemory (16 IoCs; each entry appears twice)
  description                          pid   Process            procid_target
  PID 3264 wrote to memory of 5432     3264  Process not Found  78
  PID 3264 wrote to memory of 4908     3264  Process not Found  79
  PID 3264 wrote to memory of 4816     3264  Process not Found  80
  PID 3264 wrote to memory of 4940     3264  Process not Found  81
  PID 3264 wrote to memory of 4976     3264  Process not Found  82
  PID 3264 wrote to memory of 5060     3264  Process not Found  84
  PID 4976 wrote to memory of 3068     4976  cmd.exe            85
  PID 3264 wrote to memory of 5696     3264  Process not Found  86
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe  (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\250519-jqjnbsvns7.dll,#1
  PID: 1204
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\rdpclip.exe  (depth 1)
  Command line: C:\Windows\system32\rdpclip.exe
  PID: 5432
C:\Users\Admin\AppData\Local\e2n\rdpclip.exe  (depth 1)
  Command line: C:\Users\Admin\AppData\Local\e2n\rdpclip.exe
  PID: 4908
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\wusa.exe  (depth 1)
  Command line: C:\Windows\system32\wusa.exe
  PID: 4816
C:\Users\Admin\AppData\Local\oYgJNB0\wusa.exe  (depth 1)
  Command line: C:\Users\Admin\AppData\Local\oYgJNB0\wusa.exe
  PID: 4940
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\cmd.exe  (depth 1)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\W7uGOyZ0\wusa.exe
  PID: 4976
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\W7uGOyZ0\wusa.exe  (depth 2, child of PID 4976)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\W7uGOyZ0\wusa.exe
    PID: 3068
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
C:\Windows\system32\AgentService.exe  (depth 1)
  Command line: C:\Windows\system32\AgentService.exe
  PID: 5060
C:\Users\Admin\AppData\Local\UDKuq4\AgentService.exe  (depth 1)
  Command line: C:\Users\Admin\AppData\Local\UDKuq4\AgentService.exe
  PID: 5696
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v16
Downloads