phemedrone | e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385

Analysis

max time kernel
143s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04-10-2023 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccec9f6516e38c852b1df13c836e5430.exe
Size

6.7MB
MD5

ccec9f6516e38c852b1df13c836e5430
SHA1

30e3c298370f32e92d42f586e170996229db8fab
SHA256

e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385
SHA512

e23d714a352ebda1c75ade3f782159562d34402ebff31511f5b952b247f9b49c039a4b29123762bbffcbe90f3dd6db828bc36deac344a91d75f41346435bbdd1
SSDEEP

49152:Fu9q0pxgIYZdVKr2TZO/Ay+tN2ACtcXrGwuh0637dkKg4kGzlXerAEEEEEEEEE20:

Score

10^/10

phemedrone stealer upx

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Executes dropped EXE 2 IoCs

Processes:

83AVV42L.exe4JVTTSCG.exe

pid process

2104 83AVV42L.exe
2732 4JVTTSCG.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Public\Desktop\83AVV42L.exe	upx
behavioral1/memory/2104-11-0x00000000001C0000-0x000000000094A000-memory.dmp	upx
C:\ProgramData\Desktop\83AVV42L.exe	upx
behavioral1/memory/2104-215-0x00000000001C0000-0x000000000094A000-memory.dmp	upx
behavioral1/memory/2104-595-0x00000000001C0000-0x000000000094A000-memory.dmp	upx
behavioral1/memory/2104-618-0x00000000001C0000-0x000000000094A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

83AVV42L.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	83AVV42L.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\83AVV42L.exe = "11001"	83AVV42L.exe
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	83AVV42L.exe
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main	83AVV42L.exe
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	83AVV42L.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

83AVV42L.exe

pid	process
2104	83AVV42L.exe
2104	83AVV42L.exe
2104	83AVV42L.exe
2104	83AVV42L.exe
2104	83AVV42L.exe
2104	83AVV42L.exe
2104	83AVV42L.exe
2104	83AVV42L.exe
2104	83AVV42L.exe
2104	83AVV42L.exe
2104	83AVV42L.exe
2104	83AVV42L.exe
2104	83AVV42L.exe
2104	83AVV42L.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

83AVV42L.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe
Token: SeIncreaseQuotaPrivilege	2104	83AVV42L.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

83AVV42L.exe

pid process

2104 83AVV42L.exe
2104 83AVV42L.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

ccec9f6516e38c852b1df13c836e5430.exe4JVTTSCG.exe

description	pid	process	target process
PID 1732 wrote to memory of 2104	1732	ccec9f6516e38c852b1df13c836e5430.exe	83AVV42L.exe
PID 1732 wrote to memory of 2104	1732	ccec9f6516e38c852b1df13c836e5430.exe	83AVV42L.exe
PID 1732 wrote to memory of 2104	1732	ccec9f6516e38c852b1df13c836e5430.exe	83AVV42L.exe
PID 1732 wrote to memory of 2104	1732	ccec9f6516e38c852b1df13c836e5430.exe	83AVV42L.exe
PID 1732 wrote to memory of 2732	1732	ccec9f6516e38c852b1df13c836e5430.exe	4JVTTSCG.exe
PID 1732 wrote to memory of 2732	1732	ccec9f6516e38c852b1df13c836e5430.exe	4JVTTSCG.exe
PID 1732 wrote to memory of 2732	1732	ccec9f6516e38c852b1df13c836e5430.exe	4JVTTSCG.exe
PID 2732 wrote to memory of 2584	2732	4JVTTSCG.exe	WerFault.exe
PID 2732 wrote to memory of 2584	2732	4JVTTSCG.exe	WerFault.exe
PID 2732 wrote to memory of 2584	2732	4JVTTSCG.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe
"C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\ProgramData\Desktop\83AVV42L.exe
  "C:\ProgramData\Desktop\83AVV42L.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2104
- C:\ProgramData\Package Cache\4JVTTSCG.exe
  "C:\ProgramData\Package Cache\4JVTTSCG.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2732 -s 520
    3⤵
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Desktop\83AVV42L.exe

Filesize
2.4MB

MD5
0df3a35807f6a4f361d03c4d66b915e2

SHA1
75ddf979ab97871cd8980afdf0a83251ac21066b

SHA256
e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c

SHA512
1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

Download Submit
C:\ProgramData\Package Cache\4JVTTSCG.exe

Filesize
83KB

MD5
e025c7bfa143c476a648e9daa3cfda2f

SHA1
d4f90ae2727cd20c19802eeee5589fc4e7b36ec3

SHA256
95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60

SHA512
f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

Download Submit
C:\ProgramData\Package Cache\4JVTTSCG.exe

Filesize
83KB

MD5
e025c7bfa143c476a648e9daa3cfda2f

SHA1
d4f90ae2727cd20c19802eeee5589fc4e7b36ec3

SHA256
95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60

SHA512
f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b231497342b40d4456589b977161069

SHA1
008bc03ae02c20a05a029d88629472f844af5d38

SHA256
79950537591d5bc61e65c9197ccf7f0ddd658f32a8ad020cc7656208a07041fc

SHA512
03429c67f5915981da28e33d82b15fbdbe384c5f605accee8f497cd121663c6097289fcb6609391ea8865f0ab7beb5c5114131c06f92c891872affdfefe76b91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0b81711c92e469937af667d7ee5ca8f

SHA1
46449e59dcf20eb81ea195e091d5fa69c3095d8c

SHA256
23d3b69ecaf47550fa99131d39a299536d2bcd96fc20b2223522c6f12cfdea11

SHA512
0806e787dedb6048fc3a66bbd18aa9d6c26197068a0ae4c528535bbf3291026feb0bb907fee8109ea70b4cf15cdacb67d3afbc72fd3a2e6ce2816cb0e3d905a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08c371fa17357158273dcad3edc29b4b

SHA1
68fde7bd535ec2851ba0f02cca71c687e0909ad3

SHA256
c4f249acbfee114fd3fc3f94e2fcc00dab162732408eaa71fdf3e13a52321ea6

SHA512
8432bf86c5d65f9f94bc9727f6f5bcc2c141594dc96c6f0fd52c066032ef7840bf6b3196040990cab72c43132baba165aa3e94d45a78e6060b97c9944906a9de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b42731c334e49cc119c0bb035cd10d5b

SHA1
5c068cdd28507f2dcdff3eef6ef6dcbfcc8d1d56

SHA256
ec4956883bf0dd096d782e45c1717f65a99918a081aa1ce61efd762d5228b29f

SHA512
f80ccb60e15cb48355ca7418bd8180f99f844b0b72eb386c21db7b23c74a62774586bb9098769e9fc8eb5f69f32336eb6cc65c7c46f52b492c9ba71f7e4a3817

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
067cfdda55d887903e8bf1ef9b16184c

SHA1
bc36eed592154800f4201ba5b67baa472943fc83

SHA256
b9cea19c5304a2a83effb5664ca77fa4d00d53cb704cf057c1dfe1eee6066c47

SHA512
b8e5e56dc55366a2ea24a0331bd8650020eda3583cd74e566fcc3c3faafc4b443c25a507fe2f9917efbc4572627d67871e8b51bd21ac82eb2dd924204c75f0e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cca6c1d888c76e9657f9a1a4759953cf

SHA1
2aad77529d87f3741dc456cd8497978126876923

SHA256
adeb423d51192c4e12f2a2b4bb5a5d16ec2530acbe848f1346f76b9c01ee27dd

SHA512
72a0583cfc950ff5b853127fde65a8f3967b4c91d672babf86c29e9af662f07a775ee856d29c142fc5a134221f38518dbebc74b618b604b07504d9bb7db2d6ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
329c442704a7d2b187d989ca1ca89719

SHA1
0a9f5ecaf34991f017938f10995d8924af2a6859

SHA256
664495b73b878ed348f491dcdeddbd291caa8f1372f2fe656853497104f3705c

SHA512
30d74bdf7c20164357df1e9f30864b313f005d064d1a0165400728f23a88a5adcc3d4568ad44de21c85f57e6f36179ac1879fe303cc6660a316cc3fe06b1b179

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
990d2300766a899a9da5de3fb48fa37c

SHA1
30fd3ba774a05d0439790d80ec7a400ab97a94cb

SHA256
29c5a99d7f1413a8b2ae8463c3101adca4644c2946b5b2192d4b3bcae412b60e

SHA512
8704ad93370f3f071a86620cb5d2346a9fcf5f40d5c2e25b12c8504ecf295956529297eeb9284ee4df1d5d1d7556bc34e2de2b5095294bb6f4f5caec8dacdd5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e15160e5890d5afe16de937b0a7727e

SHA1
5b84a40ef47726a06fafc255327167d6ede14bf8

SHA256
a4622ef39bde72fed006efbc715b2a6f178ce0bf44065106e85d28c844953cf8

SHA512
0409f7d30457ebc653cb15ab2272c49fba372eadd505baaaa94cb9d173dd6b7d8ed4adae91d67820a14252ab6ff7c0610943038aef38ccef3ca4c01f015478cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b11d26a1f17aecd78c029e9ecd27abf

SHA1
99fa79f96f1b8eb68cca2667ee629394aaa574a6

SHA256
5b9037bdcba2546e05a00aba42230c7f2cae79c66296e990dfa545e0cddcb76c

SHA512
6b69dafc0a112e4ea4f5ef5b8cc1e877356ee07d6c3e7c06f3830c893c564b531c7cbe1d035fe13e23d0667a0d559e4e0c9fd11728caea84c2e9833cff71ebe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
079d786c48ed7859741d81080f28497c

SHA1
af66ed2a4eaf40464de233a1e45abc7cdff4d29b

SHA256
27055edb92af65549aca67270c9261818cb63c05576b63313b93eb933a7dd0c5

SHA512
f3d410808c61ffa1310721ae698403a584b5323fff199e2c0d492ede74c5dc077e8835f6dfa61110e52dcd76c6cc64686d408b87f7f55f8f67fe966abcf1562a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a6eff272c1cacf173b6ee695ad6a257c

SHA1
7acf9a3eef2e59ad4355c6c573bbe08c77337f5d

SHA256
ede1c3eecb01c9a7fe1c5618fc2e489bad5b65f3accd4064f02f1260dce0c990

SHA512
cc9881627189ff2136be7169ad27a2e12fb78e7d5ba5040f46a45c6f641994dec64d8a92bc85bad02084dc8886214d050e368b2461f5575e1b13d286b5c45efb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c4669dd3c1505e9931f54519d13f9bc

SHA1
22cc6a7c5131873bdebeb05691edd76aa475313b

SHA256
b8a8bf1e9ac8addea3fe88e462d0ce2f4456b6cb9cba51d08a6daa20ad08a61e

SHA512
6c6dd7c64a2bc03367f617b22c869a6dd36036d54b6c553b5a14bddcd00bd84bc3d3f32f75f97ab62f0d4e8eb657607e550fcfd8211ea422a528d495e3ee46d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89f440ee46b46b644fab1e28817c80cf

SHA1
96a28921fee279cfee63e0b9d987b0e960989f1e

SHA256
03a9e8f3e2ef37e3755e917bea792a95758fc9e40b64abe41d13bbd69e06ef0c

SHA512
18fb588930c487cc5697487d204bac0183d9da4ff4ea040d95d8ebba31c40847c34ca4c20762250c2b0955f9e909f5c39ba8e09d12bb22070fab43c727b30802

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5A27.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B35.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8B07743-4B98-4371-8C65-963FB7759253}\CCDInstaller.js

Filesize
1.2MB

MD5
fbc34da120e8a3ad11b3ad1404b6c51a

SHA1
fe3e36de12e0bdd0a7731e572e862c50ee89207c

SHA256
9701b3ba335b5a11be32dd63ea3a466a14e048c1e5881cac81352b459be0f202

SHA512
f3f0452d16a7cd0600a8ffced5167783d3f31e51dce512872ade5031c97b14366af0343bfe2c822c8ac4a281f27f5eeb00fe7d0e8cbe90434f79bacf3ecb42d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8B07743-4B98-4371-8C65-963FB7759253}\index.html

Filesize
426B

MD5
a28ab17b18ff254173dfeef03245efd0

SHA1
c6ce20924565644601d4e0dd0fba9dde8dea5c77

SHA256
886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375

SHA512
9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

Download Submit
C:\Users\Public\Desktop\83AVV42L.exe

Filesize
2.4MB

MD5
0df3a35807f6a4f361d03c4d66b915e2

SHA1
75ddf979ab97871cd8980afdf0a83251ac21066b

SHA256
e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c

SHA512
1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

Download Submit
memory/1732-615-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-75-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-0-0x0000000000B60000-0x0000000001214000-memory.dmp

Filesize
6.7MB

Download
memory/1732-1-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2104-11-0x00000000001C0000-0x000000000094A000-memory.dmp

Filesize
7.5MB

Download
memory/2104-44-0x00000000055E0000-0x0000000005600000-memory.dmp

Filesize
128KB

Download
memory/2104-215-0x00000000001C0000-0x000000000094A000-memory.dmp

Filesize
7.5MB

Download
memory/2104-595-0x00000000001C0000-0x000000000094A000-memory.dmp

Filesize
7.5MB

Download
memory/2104-27-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2104-616-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2104-617-0x00000000055E0000-0x0000000005600000-memory.dmp

Filesize
128KB

Download
memory/2104-618-0x00000000001C0000-0x000000000094A000-memory.dmp

Filesize
7.5MB

Download
memory/2732-13-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2732-12-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2732-604-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download