Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-10-2023 13:41

General

  • Target

    PhotoshopSetup.exe

  • Size

    6.7MB

  • MD5

    ccec9f6516e38c852b1df13c836e5430

  • SHA1

    30e3c298370f32e92d42f586e170996229db8fab

  • SHA256

    e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385

  • SHA512

    e23d714a352ebda1c75ade3f782159562d34402ebff31511f5b952b247f9b49c039a4b29123762bbffcbe90f3dd6db828bc36deac344a91d75f41346435bbdd1

  • SSDEEP

    49152:Fu9q0pxgIYZdVKr2TZO/Ay+tN2ACtcXrGwuh0637dkKg4kGzlXerAEEEEEEEEE20:

Signatures

  • Phemedrone

    An information and wallet stealer written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PhotoshopSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\PhotoshopSetup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4336
    • C:\Users\Admin\AppData\Roaming\Adobe\DKU3Y2AG.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\DKU3Y2AG.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3656
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 2452
        3⤵
        • Program crash
        PID:2232
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 2480
        3⤵
        • Program crash
        PID:4380
    • C:\Users\Admin\AppData\Roaming\Adobe\N8MKRJJY.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\N8MKRJJY.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4860
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3656 -ip 3656
    1⤵
    PID:2932
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3656 -ip 3656
    1⤵
    PID:4620
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:3348

Downloads

  • C:\Users\Admin\AppData\Local\Temp\{10DBFA2C-FB6F-4FB5-B2A4-EE8776D783B0}\CCDInstaller.js

    Filesize

    1.2MB

    MD5

    fbc34da120e8a3ad11b3ad1404b6c51a

    SHA1

    fe3e36de12e0bdd0a7731e572e862c50ee89207c

    SHA256

    9701b3ba335b5a11be32dd63ea3a466a14e048c1e5881cac81352b459be0f202

    SHA512

    f3f0452d16a7cd0600a8ffced5167783d3f31e51dce512872ade5031c97b14366af0343bfe2c822c8ac4a281f27f5eeb00fe7d0e8cbe90434f79bacf3ecb42d2

  • C:\Users\Admin\AppData\Local\Temp\{10DBFA2C-FB6F-4FB5-B2A4-EE8776D783B0}\index.html

    Filesize

    426B

    MD5

    a28ab17b18ff254173dfeef03245efd0

    SHA1

    c6ce20924565644601d4e0dd0fba9dde8dea5c77

    SHA256

    886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375

    SHA512

    9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

  • C:\Users\Admin\AppData\Roaming\Adobe\DKU3Y2AG.exe

    Filesize

    2.4MB

    MD5

    0df3a35807f6a4f361d03c4d66b915e2

    SHA1

    75ddf979ab97871cd8980afdf0a83251ac21066b

    SHA256

    e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c

    SHA512

    1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

  • C:\Users\Admin\AppData\Roaming\Adobe\N8MKRJJY.exe

    Filesize

    83KB

    MD5

    e025c7bfa143c476a648e9daa3cfda2f

    SHA1

    d4f90ae2727cd20c19802eeee5589fc4e7b36ec3

    SHA256

    95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60

    SHA512

    f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

  • memory/3656-62-0x0000000000BC0000-0x000000000134A000-memory.dmp

    Filesize

    7.5MB

  • memory/3656-24-0x0000000000BC0000-0x000000000134A000-memory.dmp

    Filesize

    7.5MB

  • memory/4336-28-0x00007FFE1BC60000-0x00007FFE1C721000-memory.dmp

    Filesize

    10.8MB

  • memory/4336-0-0x0000000000C60000-0x0000000001314000-memory.dmp

    Filesize

    6.7MB

  • memory/4336-1-0x00007FFE1BC60000-0x00007FFE1C721000-memory.dmp

    Filesize

    10.8MB

  • memory/4860-25-0x00007FFE1BC60000-0x00007FFE1C721000-memory.dmp

    Filesize

    10.8MB

  • memory/4860-26-0x000000001B000000-0x000000001B010000-memory.dmp

    Filesize

    64KB

  • memory/4860-23-0x00000000001A0000-0x00000000001BC000-memory.dmp

    Filesize

    112KB

  • memory/4860-64-0x00007FFE1BC60000-0x00007FFE1C721000-memory.dmp

    Filesize

    10.8MB

  • memory/4860-65-0x000000001B000000-0x000000001B010000-memory.dmp

    Filesize

    64KB

  • memory/4860-68-0x00007FFE1BC60000-0x00007FFE1C721000-memory.dmp

    Filesize

    10.8MB