Analysis
max time kernel: 20s
max time network: 24s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
submitted: 04-10-2023 13:41
Static task: static1
Behavioral task: behavioral1
  Sample: PhotoshopSetup.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: PhotoshopSetup.exe
  Resource: win10v2004-20230915-en
General
Target: PhotoshopSetup.exe
Size: 6.7MB
MD5: ccec9f6516e38c852b1df13c836e5430
SHA1: 30e3c298370f32e92d42f586e170996229db8fab
SHA256: e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385
SHA512: e23d714a352ebda1c75ade3f782159562d34402ebff31511f5b952b247f9b49c039a4b29123762bbffcbe90f3dd6db828bc36deac344a91d75f41346435bbdd1
SSDEEP: 49152:Fu9q0pxgIYZdVKr2TZO/Ay+tN2ACtcXrGwuh0637dkKg4kGzlXerAEEEEEEEEE20:
Malware Config
Signatures
Phemedrone
An information and wallet stealer written in C#.

Executes dropped EXE 2 IoCs
Processes:
pid    process
2420   G8KDCQRE.exe
1624   TF8VGYJP.exe
UPX packed file (yara rule: upx) 5 IoCs
Processes:
resource                                                                       yara_rule
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\G8KDCQRE.exe       upx
behavioral1/memory/2420-8-0x0000000000120000-0x00000000008AA000-memory.dmp     upx
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\G8KDCQRE.exe       upx
behavioral1/memory/2420-44-0x0000000000120000-0x00000000008AA000-memory.dmp    upx
behavioral1/memory/2420-47-0x0000000000120000-0x00000000008AA000-memory.dmp    upx
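The `upx` yara rule fired on the dropped G8KDCQRE.exe on disk and on three dumps of its mapped image (0x120000-0x8AA000, a 0x78A000-byte region), so the packer is visible both statically and in memory. The Python below is an added example, not code from this report or from any sandbox: it parses the PE section table directly with `struct` and reports the three cheap UPX indicators a triage script would check before detonation (UPX0/UPX1/UPX2 section names, the `UPX!` marker, and a first section with zero file-backed bytes but a large virtual size, which survives the common section-rename evasion). The `build_sample_pe` helper fabricates a minimal PE32+ header purely to exercise the checks; its 0x78A000 virtual size is taken from the dumped range above, and the rest of its values are constructed.

```python
"""Static check for UPX packing indicators in a PE section table (added example)."""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"              # marker UPX leaves in the packed image
SECTION_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes) -> list:
    """Return the IMAGE_SECTION_HEADER entries of a PE image as dicts."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    if table + 40 * nsections > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": rawsize,
                         "raw_ptr": rawptr, "characteristics": chars})
    return sections


def upx_indicators(data: bytes) -> dict:
    """Classify a PE buffer as 'upx', 'suspicious' or 'clean' from cheap static signals."""
    sections = parse_sections(data)
    names = [s["name"] for s in sections]
    indicators = []
    if any(n in UPX_SECTION_NAMES for n in names):
        indicators.append("upx_section_names")
    if UPX_MAGIC in data:
        indicators.append("upx_magic")
    # UPX0 is the unpacking target: zero file-backed bytes but a large virtual size.
    # Renamed sections keep this shape, so the heuristic outlives a section rename.
    if sections and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] > 0:
        indicators.append("first_section_unbacked")
    if "upx_section_names" in indicators or "upx_magic" in indicators:
        verdict = "upx"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"sections": names, "indicators": indicators, "verdict": verdict}


def build_sample_pe(section_names, unbacked_first=True, append_magic=True) -> bytes:
    """Constructed, non-runnable PE32+ header used only to exercise the checks above."""
    e_lfanew = 0x40
    buf = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    buf += struct.pack("<I", e_lfanew)            # e_lfanew lives at offset 0x3C
    buf += b"PE\0\0"                              # PE signature at e_lfanew
    opt_size = 0xF0                               # size of a PE32+ optional header
    buf += struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    buf += b"\0" * opt_size                       # optional header contents are irrelevant here
    for i, name in enumerate(section_names):
        raw_size = 0 if (i == 0 and unbacked_first) else 0x1000
        # 0x78A000 mirrors the dumped image range 0x120000-0x8AA000 from the report
        vsize = 0x78A000 if i == 0 else 0x1000
        buf += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                           raw_size, 0x400, 0, 0, 0, 0, 0xE0000080)
    if append_magic:
        buf += UPX_MAGIC + b"\0" * 12
    return bytes(buf)


if __name__ == "__main__":
    print(upx_indicators(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])))
    print(upx_indicators(build_sample_pe([b".text", b".rdata", b".data"],
                                         unbacked_first=False, append_magic=False)))
```

Run it against a real dropped file with `upx_indicators(open(path, "rb").read())`; a `suspicious` verdict with only `first_section_unbacked` is the shape a renamed-section UPX build leaves behind and is worth a manual look rather than an automatic unpack.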
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings 5 IoCs
Processes:
description        ioc                                                                                                                                                 process
Key created        \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION    G8KDCQRE.exe
Key created        \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main                                               G8KDCQRE.exe
Key created        \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl                                G8KDCQRE.exe
Key created        \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION    G8KDCQRE.exe
Set value (int)    \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\G8KDCQRE.exe = "11001"    G8KDCQRE.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
pid    process
2420   G8KDCQRE.exe (9 events)
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description                        pid    process
Token: SeIncreaseQuotaPrivilege    2420   G8KDCQRE.exe (9 events)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid    process
2420   G8KDCQRE.exe (2 events)
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description                                     pid    process              target process
PID 2352 wrote to memory of 2420 (7 events)     2352   PhotoshopSetup.exe   G8KDCQRE.exe
PID 2352 wrote to memory of 1624 (3 events)     2352   PhotoshopSetup.exe   TF8VGYJP.exe
PID 1624 wrote to memory of 2920 (3 events)     1624   TF8VGYJP.exe         WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\PhotoshopSetup.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PhotoshopSetup.exe"
    PID: 2352
    - Suspicious use of WriteProcessMemory
    |- C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\G8KDCQRE.exe
    |      command line: "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\G8KDCQRE.exe"
    |      PID: 2420
    |      - Executes dropped EXE
    |      - Modifies Internet Explorer settings
    |      - Suspicious behavior: EnumeratesProcesses
    |      - Suspicious use of AdjustPrivilegeToken
    |      - Suspicious use of SetWindowsHookEx
    |- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\TF8VGYJP.exe
           command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\TF8VGYJP.exe"
           PID: 1624
           - Executes dropped EXE
           - Suspicious use of WriteProcessMemory
           |- C:\Windows\system32\WerFault.exe
                  command line: C:\Windows\system32\WerFault.exe -u -p 1624 -s 520
                  PID: 2920
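Read together, the tree and the signatures give a detection pattern that does not depend on this sample's hashes: a loader running from the user's Temp directory drops one payload into C:\ProgramData under a vendor-named folder with a GUID suffix (Mozilla-1de4eec8-...) and a random 8-character uppercase filename, drops a second one into a Temp folder named after a Microsoft redistributable installer, and the payload registers itself under FEATURE_BROWSER_EMULATION with the DWORD 11001 (IE11 document mode). Two caveats belong with that pattern. FEATURE_BROWSER_EMULATION is a legitimate key that any program hosting the WebBrowser control may set for itself, so the key alone is not evidence; what stands out here is self-registration by a binary staged outside an install directory. And the parent-to-child WriteProcessMemory entries coincide with the two process launches, which is what process creation looks like to a sandbox hook, so they add little beyond the tree itself. The Python below is an added example, not part of this report or of any sandbox's code: it encodes the pattern as rules over Sysmon-style events (EventID 1 process creation and EventID 13 registry value set, with the `Image`, `ParentImage`, `TargetObject` and `Details` field names Sysmon uses). The event records, the explorer.exe parent, the benign ContosoViewer.exe control and all regular expressions are constructed for the demonstration.

```python
"""Hunt the staging-path and IE-emulation pattern from this report (added example)."""
import re

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# Vendor-named directory with a GUID suffix under ProgramData holding a random 8-char EXE
STAGING_DIR = re.compile(
    rf"^c:\\programdata\\[a-z]+-{GUID}\\[a-z0-9]{{8}}\.exe$", re.IGNORECASE)
# Random 8-char EXE inside a Temp folder posing as a Microsoft redistributable setup
FAKE_REDIST = re.compile(
    r"\\appdata\\local\\temp\\microsoft visual c\+\+ .* redistributable setup_[\d.]+\\[a-z0-9]{8}\.exe$",
    re.IGNORECASE)
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
FBE_KEY = re.compile(
    r"\\software\\microsoft\\internet explorer\\main\\featurecontrol\\feature_browser_emulation\\([^\\]+)$",
    re.IGNORECASE)
DWORD = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.IGNORECASE)  # Sysmon's DWORD rendering

SID = r"S-1-5-21-3185155662-718608226-894467740-1000"
EVENTS = [  # constructed Sysmon-like records mirroring the process tree above
    {"EventID": 1, "ProcessId": 2352, "ParentProcessId": 1200,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\PhotoshopSetup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2420, "ParentProcessId": 2352,
     "Image": r"C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\G8KDCQRE.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\PhotoshopSetup.exe"},
    {"EventID": 1, "ProcessId": 1624, "ParentProcessId": 2352,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\TF8VGYJP.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\PhotoshopSetup.exe"},
    {"EventID": 13, "ProcessId": 2420,
     "Image": r"C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\G8KDCQRE.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\G8KDCQRE.exe",
     "Details": "DWORD (0x00002af9)"},  # 0x2af9 == 11001
    # benign control (constructed): an installed application registering itself for IE11 mode
    {"EventID": 13, "ProcessId": 3001,
     "Image": r"C:\Program Files\Contoso\ContosoViewer.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ContosoViewer.exe",
     "Details": "DWORD (0x00002af9)"},
]


def untrusted_location(image: str) -> bool:
    """True for binaries running from user-writable staging paths rather than install dirs."""
    return bool(STAGING_DIR.match(image) or FAKE_REDIST.search(image) or USER_TEMP.search(image))


def check_process_create(ev: dict) -> list:
    """EventID 1: flag the two staging layouts seen in the report, plus a Temp-resident parent."""
    findings = []
    if STAGING_DIR.match(ev["Image"]):
        findings.append("exe in vendor-GUID directory under ProgramData with random 8-char name")
    if FAKE_REDIST.search(ev["Image"]):
        findings.append("random-named exe in folder posing as VC++ redistributable setup")
    if findings and USER_TEMP.search(ev.get("ParentImage", "")):
        findings.append("spawned by a parent running from the user Temp directory")
    return findings


def check_registry_set(ev: dict) -> list:
    """EventID 13: FEATURE_BROWSER_EMULATION self-registration from a staging path."""
    m = FBE_KEY.search(ev["TargetObject"])
    if not m:
        return []
    value_name = m.group(1)
    d = DWORD.search(ev.get("Details", ""))
    mode = int(d.group(1), 16) if d else None
    image_name = ev["Image"].rsplit("\\", 1)[-1]
    # The key itself is legitimate; the signal is who sets it and from where.
    if value_name.lower() == image_name.lower() and untrusted_location(ev["Image"]):
        return [f"FEATURE_BROWSER_EMULATION self-registration ({value_name} = {mode}) from staging path"]
    return []


def hunt(events: list) -> dict:
    """Return findings keyed by PID; PIDs without findings are omitted."""
    out = {}
    for ev in events:
        if ev["EventID"] == 1:
            hits = check_process_create(ev)
        elif ev["EventID"] == 13:
            hits = check_registry_set(ev)
        else:
            hits = []
        if hits:
            out.setdefault(ev["ProcessId"], []).extend(hits)
    return out


if __name__ == "__main__":
    for pid, hits in hunt(EVENTS).items():
        print(pid, *hits, sep="\n  ")
```

On the constructed events, PID 2420 collects three findings (staging directory, Temp-resident parent, self-registration with mode 11001), PID 1624 two, while the loader itself and the benign ContosoViewer.exe registration produce none. Feeding real Sysmon exports means mapping the XML or JSON fields onto these dict keys; the rules themselves need no per-sample indicators.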
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.4MB
MD5: 0df3a35807f6a4f361d03c4d66b915e2
SHA1: 75ddf979ab97871cd8980afdf0a83251ac21066b
SHA256: e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c
SHA512: 1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\TF8VGYJP.exe
Filesize: 83KB
MD5: e025c7bfa143c476a648e9daa3cfda2f
SHA1: d4f90ae2727cd20c19802eeee5589fc4e7b36ec3
SHA256: 95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60
SHA512: f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

Filesize: 1.2MB
MD5: fbc34da120e8a3ad11b3ad1404b6c51a
SHA1: fe3e36de12e0bdd0a7731e572e862c50ee89207c
SHA256: 9701b3ba335b5a11be32dd63ea3a466a14e048c1e5881cac81352b459be0f202
SHA512: f3f0452d16a7cd0600a8ffced5167783d3f31e51dce512872ade5031c97b14366af0343bfe2c822c8ac4a281f27f5eeb00fe7d0e8cbe90434f79bacf3ecb42d2

Filesize: 426B
MD5: a28ab17b18ff254173dfeef03245efd0
SHA1: c6ce20924565644601d4e0dd0fba9dde8dea5c77
SHA256: 886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375
SHA512: 9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6