Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
62s -
max time network
67s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
07/07/2023, 04:56
Static task
static1
1 signatures
General
-
Target
Phemedrone-Stealer.exe
-
Size
81KB
-
MD5
3e2f888ce2078969c81b1e49026115f1
-
SHA1
4c877004934f4912502ff9862a962d6ec92ab011
-
SHA256
eb1c2284db5dd717f9ab690f2080ce880f83506f792b79c22ae452d6edc4587f
-
SHA512
da1f57f2c167affe0ae023bf3a875ed64501e26dc75270c2a7821713c3dc2ff677f581b035e5b9c2a63011ed90c4757be3621bf75de787ec0a021f806f972b90
-
SSDEEP
1536:w8KpkpcGtNWaaCQZB1rniGbJeadDTJHjwtNGMlCn5p2gnhQqJSwEKb/:w8KWGGtqCeiGbJeadDTZjwtNVlq54gnd
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ipinfo.io 9 ipinfo.io -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Phemedrone-Stealer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Phemedrone-Stealer.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe 3660 Phemedrone-Stealer.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3660 Phemedrone-Stealer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Phemedrone-Stealer.exe"C:\Users\Admin\AppData\Local\Temp\Phemedrone-Stealer.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:2548