Analysis
- max time kernel: 51s
- max time network: 89s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 26-06-2022 06:17
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: xkmjs35.dll
  - Resource: win7-20220414-en
  - Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: xkmjs35.dll
- Size: 1.0MB
- MD5: e25df6542aee785f8c1d836895c31f12
- SHA1: 8ede993ca03d023514bdb83488a8a495ccc3524b
- SHA256: 2a6ab44c7c050efc9a9e8123e6865d6f7fefd6c9eb8f74c0815561faeaa51c6b
- SHA512: 0380c78eb09e421cc2d72c4b962d8376f1272a8d326340693c820dd814cea978c4bd4e8c50e4dea6d556c5f19af3279c38554dbd9813f96f391ac51a95d25b42
Malware Config
Extracted
- Family: dridex
- Botnet: 10444
- C2:
  - 192.46.210.220:443
  - 143.244.140.214:808
  - 45.77.0.96:6891
  - 185.56.219.47:8116
- rc4.plain
- rc4.plain
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe

  | flow | pid  | process      |
  |------|------|--------------|
  | 3    | 1868 | rundll32.exe |
  | 5    | 1868 | rundll32.exe |

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes: rundll32.exe

  | description       | ioc                                                                                      | process      |
  |-------------------|------------------------------------------------------------------------------------------|--------------|
  | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe |

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe

  | description                     | pid  | process      | target process |
  |---------------------------------|------|--------------|----------------|
  | PID 1584 wrote to memory of 1868 | 1584 | rundll32.exe | rundll32.exe   |
  | PID 1584 wrote to memory of 1868 | 1584 | rundll32.exe | rundll32.exe   |
  | PID 1584 wrote to memory of 1868 | 1584 | rundll32.exe | rundll32.exe   |
  | PID 1584 wrote to memory of 1868 | 1584 | rundll32.exe | rundll32.exe   |
  | PID 1584 wrote to memory of 1868 | 1584 | rundll32.exe | rundll32.exe   |
  | PID 1584 wrote to memory of 1868 | 1584 | rundll32.exe | rundll32.exe   |
  | PID 1584 wrote to memory of 1868 | 1584 | rundll32.exe | rundll32.exe   |
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\xkmjs35.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\xkmjs35.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1868-54-0x0000000000000000-mapping.dmp
- memory/1868-55-0x0000000076851000-0x0000000076853000-memory.dmp (Filesize: 8KB)
- memory/1868-56-0x00000000752A0000-0x00000000753BB000-memory.dmp (Filesize: 1.1MB)
- memory/1868-57-0x00000000752A0000-0x00000000752DD000-memory.dmp (Filesize: 244KB)
- memory/1868-59-0x00000000752A0000-0x00000000753BB000-memory.dmp (Filesize: 1.1MB)
- memory/1868-61-0x00000000752A0000-0x00000000753BB000-memory.dmp (Filesize: 1.1MB)