phemedrone | 75ce00349f364e34ca9744edff81d8e7e4237b035a0bea0ab2cf3e5c29e55af9

Resubmissions

12-10-2023 12:35

231012-psttzaac8x 10

04-10-2023 13:44

231004-q16n6sea48 10

Analysis

max time kernel
29s
max time network
19s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04-10-2023 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpotifySetup.exe
Size

2.8MB
MD5

da56532db7d8cb67270fc27697bb524e
SHA1

d127c343cc8e7484997f541aeeebec8b63fa39a0
SHA256

75ce00349f364e34ca9744edff81d8e7e4237b035a0bea0ab2cf3e5c29e55af9
SHA512

6e856cb531dc6752872c7beadf0b6fa24e2457c8d9afa4d240c12b8d297eb6263b34726d8c720458e99d6958ce9917933356bd43f165c936d1304e6c1df85377
SSDEEP

49152:y2My0eKmxEyFNfjLmIUlOu7QtmZWNWwG6/MhmdWWjkCIj+yNyRS0b4t4TxCejhzq:

Score

10^/10

phemedrone stealer

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Executes dropped EXE 2 IoCs

Processes:

7V4OOB3J.exeMJFIUNQV.exe

pid process

2732 7V4OOB3J.exe
2944 MJFIUNQV.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2732	7V4OOB3J.exe
2944	MJFIUNQV.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

SpotifySetup.exeMJFIUNQV.exe

description	pid	process	target process
PID 3060 wrote to memory of 2732	3060	SpotifySetup.exe	7V4OOB3J.exe
PID 3060 wrote to memory of 2732	3060	SpotifySetup.exe	7V4OOB3J.exe
PID 3060 wrote to memory of 2732	3060	SpotifySetup.exe	7V4OOB3J.exe
PID 3060 wrote to memory of 2732	3060	SpotifySetup.exe	7V4OOB3J.exe
PID 3060 wrote to memory of 2944	3060	SpotifySetup.exe	MJFIUNQV.exe
PID 3060 wrote to memory of 2944	3060	SpotifySetup.exe	MJFIUNQV.exe
PID 3060 wrote to memory of 2944	3060	SpotifySetup.exe	MJFIUNQV.exe
PID 2944 wrote to memory of 2140	2944	MJFIUNQV.exe	WerFault.exe
PID 2944 wrote to memory of 2140	2944	MJFIUNQV.exe	WerFault.exe
PID 2944 wrote to memory of 2140	2944	MJFIUNQV.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
"C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3060
- C:\ProgramData\Application Data\7V4OOB3J.exe
  "C:\ProgramData\Application Data\7V4OOB3J.exe"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\ProgramData\Templates\MJFIUNQV.exe
  "C:\ProgramData\Templates\MJFIUNQV.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2944 -s 520
    3⤵
    PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\7V4OOB3J.exe

Filesize
992KB

MD5
6469f63b99f50f188793dc299a452d97

SHA1
34a1a95f61b52fb9abe41ff317eb36760fd25c65

SHA256
e939a8b97ffd09604a1569fcc4017a7d34b2d852b1f775f2e6e5d7e8b34da178

SHA512
06c19ca4a557e019e869db1739adfe437657adb4527fedce004792ad8a6ce9baa38702d2e8ac9b9c51072fabb812287d6510abdcd7072f0b25d677fce335295f

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\MJFIUNQV.exe

Filesize
83KB

MD5
051c8b584ffde2a373d4a54d038bc46c

SHA1
d58abcb0d3875094b51e6836036bf65ff96b8b40

SHA256
711de934bbdb56f4335d776819d4059222f8b3376fcb4a72ac2fca0a38e45801

SHA512
8f28ce2467b8accba63be5a4983df4c8faed25a7f79c1f04560f47009969cbf84fc2afe4e08c2903c17f895afe29e397a91ed579d012f68fe08f0b4261552063

Download Submit
C:\ProgramData\Templates\MJFIUNQV.exe

Filesize
83KB

MD5
051c8b584ffde2a373d4a54d038bc46c

SHA1
d58abcb0d3875094b51e6836036bf65ff96b8b40

SHA256
711de934bbdb56f4335d776819d4059222f8b3376fcb4a72ac2fca0a38e45801

SHA512
8f28ce2467b8accba63be5a4983df4c8faed25a7f79c1f04560f47009969cbf84fc2afe4e08c2903c17f895afe29e397a91ed579d012f68fe08f0b4261552063

Download Submit
memory/2944-11-0x0000000000D00000-0x0000000000D1C000-memory.dmp

Filesize
112KB

Download
memory/2944-13-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2944-14-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/3060-0-0x0000000000D70000-0x0000000001048000-memory.dmp

Filesize
2.8MB

Download
memory/3060-1-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/3060-12-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download