Overview

overview

10

Static

static

3

Payment Receipt.exe

windows7-x64

10

Payment Receipt.exe

windows10-2004-x64

7

$PLUGINSDIR/zmdtm.dll

windows7-x64

10

$PLUGINSDIR/zmdtm.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    17s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Receipt.exe

  • Size

    363KB

  • MD5

    5d409547afd674af8eb515fc842fb646

  • SHA1

    0a2fbdea88e1ad6878d2d8bb2e22dcb12d724b02

  • SHA256

    dbbff1e34097a4a94e305fc34db136f9f2558f577b65155d3a90d3663a2a9663

  • SHA512

    fdb4a03a70140596242eca8d2a79671cf372c43d6bd4fecc5bb713bd1bb7c70259b401349360a22d0da6cd0d9cc3ade0232e2c46faa877f8f6685eef41be384d

  • SSDEEP

    6144:VBlL/kE286EZd0lsHJgmPcaauxE17N1y/eucOMBhtvgBMmdiEhVKUi:D6E28640lspbPcaJKFb4+DBhtvAMmcw8

Score
10/10
xloaderpoubdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

poub

Decoy

my-access.cloud

tcmylg.com

theemployeesolutions.com

mawanstory.com

themarketerz.com

negoking.net

dridgebaseball.com

instantbookings.space

idoocam.com

showfunds.net

walletsvalidationconnet.com

e-scapes.ltd

itsoizy.com

176821.com

antiinflammatory-diet.com

esloke-1.com

plumbersincali.com

intercitydrywall.com

cartwheeldesigns.com

griffinjamesdesign.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2740
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:2784
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 268
          3⤵
          • Program crash
          PID:2704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nse63D3.tmp\zmdtm.dll
      Filesize

      100KB

      MD5

      d4b3308970835c85d3d24ad2f8ee3b4f

      SHA1

      8a3722200f614f37a0a446c36df6dfcbd26ae138

      SHA256

      14c94199dc9e370703b5579066d6b34a2055ab97fdf2675dd7ac8ec3616c3137

      SHA512

      72b50aed7860dfa674a34e52a75b6a9aaf3529f4a8dcc7a622f5d00970855dd5cd70a0e9699fd9b79acdfb9a06411ecbee26c471e6a91e67851464dd7b4ca240

      Download Submit

    • memory/1204-12-0x0000000004F90000-0x000000000508F000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/1204-15-0x0000000004F90000-0x000000000508F000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/1204-16-0x0000000006720000-0x0000000006879000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1204-25-0x0000000006720000-0x0000000006879000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2180-7-0x0000000074ED6000-0x0000000074ED8000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2388-19-0x0000000000B40000-0x0000000000B54000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2388-20-0x0000000000B40000-0x0000000000B54000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2388-22-0x0000000000B40000-0x0000000000B54000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2740-9-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2740-11-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2740-14-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download