Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2024, 20:00

General

  • Target

    $PLUGINSDIR/zmdtm.dll

  • Size

    100KB

  • MD5

    d4b3308970835c85d3d24ad2f8ee3b4f

  • SHA1

    8a3722200f614f37a0a446c36df6dfcbd26ae138

  • SHA256

    14c94199dc9e370703b5579066d6b34a2055ab97fdf2675dd7ac8ec3616c3137

  • SHA512

    72b50aed7860dfa674a34e52a75b6a9aaf3529f4a8dcc7a622f5d00970855dd5cd70a0e9699fd9b79acdfb9a06411ecbee26c471e6a91e67851464dd7b4ca240

  • SSDEEP

    1536:gF15tzIksRHS1oD+ajCWmzx3e6fch6gqZ3ralsWjcdWRPbUK7xkm75Cm:gFDhWss0YKWRPbH7uol

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    poub

  • Decoy

    my-access.cloud
    tcmylg.com
    theemployeesolutions.com
    mawanstory.com
    themarketerz.com
    negoking.net
    dridgebaseball.com
    instantbookings.space
    idoocam.com
    showfunds.net
    walletsvalidationconnet.com
    e-scapes.ltd
    itsoizy.com
    176821.com
    antiinflammatory-diet.com
    esloke-1.com
    plumbersincali.com
    intercitydrywall.com
    cartwheeldesigns.com
    griffinjamesdesign.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\zmdtm.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\zmdtm.dll,#1
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\zmdtm.dll,#1
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2056
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 248
          4⤵
          • Program crash
          PID:2072
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\rundll32.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2128

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1256-7-0x00000000064A0000-0x000000000655C000-memory.dmp

    Filesize

    752KB

  • memory/1256-19-0x0000000006560000-0x0000000006680000-memory.dmp

    Filesize

    1.1MB

  • memory/1256-17-0x0000000006560000-0x0000000006680000-memory.dmp

    Filesize

    1.1MB

  • memory/1256-16-0x0000000006560000-0x0000000006680000-memory.dmp

    Filesize

    1.1MB

  • memory/1256-11-0x00000000064A0000-0x000000000655C000-memory.dmp

    Filesize

    752KB

  • memory/1256-6-0x0000000000010000-0x0000000000020000-memory.dmp

    Filesize

    64KB

  • memory/2056-5-0x00000000001F0000-0x0000000000201000-memory.dmp

    Filesize

    68KB

  • memory/2056-4-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2056-2-0x00000000021C0000-0x00000000024C3000-memory.dmp

    Filesize

    3.0MB

  • memory/2056-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2380-0-0x0000000074E66000-0x0000000074E68000-memory.dmp

    Filesize

    8KB

  • memory/2932-8-0x0000000000D00000-0x0000000000E04000-memory.dmp

    Filesize

    1.0MB

  • memory/2932-9-0x0000000000D00000-0x0000000000E04000-memory.dmp

    Filesize

    1.0MB

  • memory/2932-10-0x00000000000D0000-0x00000000000F9000-memory.dmp

    Filesize

    164KB