Analysis Overview
SHA256
e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385
Threat Level: Known bad
The file ccec9f6516e38c852b1df13c836e5430.exe was found to be: Known bad.
Malicious Activity Summary
Phemedrone
Reads user/profile data of web browsers
UPX packed file
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Unsigned PE
Program crash
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-04 16:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-04 16:31
Reported
2023-10-04 16:33
Platform
win7-20230831-en
Max time kernel
143s
Max time network
130s
Command Line
Signatures
Phemedrone
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Package Cache\4JVTTSCG.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\83AVV42L.exe = "11001" | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
| N/A | N/A | C:\ProgramData\Desktop\83AVV42L.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe
"C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe"
C:\ProgramData\Desktop\83AVV42L.exe
"C:\ProgramData\Desktop\83AVV42L.exe"
C:\ProgramData\Package Cache\4JVTTSCG.exe
"C:\ProgramData\Package Cache\4JVTTSCG.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2732 -s 520
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | cc-api-data.adobe.io | udp |
| US | 8.8.8.8:53 | na1e-acc.services.adobe.com | udp |
| US | 3.233.129.217:443 | cc-api-data.adobe.io | tcp |
| US | 54.200.76.247:443 | na1e-acc.services.adobe.com | tcp |
| US | 3.233.129.217:443 | cc-api-data.adobe.io | tcp |
| US | 3.233.129.217:443 | cc-api-data.adobe.io | tcp |
| US | 3.233.129.217:443 | cc-api-data.adobe.io | tcp |
| US | 54.200.76.247:443 | na1e-acc.services.adobe.com | tcp |
| US | 8.8.8.8:53 | client.messaging.adobe.com | udp |
| US | 18.65.39.7:443 | client.messaging.adobe.com | tcp |
| US | 18.65.39.7:443 | client.messaging.adobe.com | tcp |
| US | 54.200.76.247:443 | na1e-acc.services.adobe.com | tcp |
| US | 54.200.76.247:443 | na1e-acc.services.adobe.com | tcp |
| US | 3.233.129.217:443 | cc-api-data.adobe.io | tcp |
| US | 3.233.129.217:443 | cc-api-data.adobe.io | tcp |
| US | 18.65.39.7:443 | client.messaging.adobe.com | tcp |
| US | 18.65.39.7:443 | client.messaging.adobe.com | tcp |
| US | 54.200.76.247:443 | na1e-acc.services.adobe.com | tcp |
| US | 3.233.129.217:443 | cc-api-data.adobe.io | tcp |
| US | 54.200.76.247:443 | na1e-acc.services.adobe.com | tcp |
| US | 3.233.129.217:443 | cc-api-data.adobe.io | tcp |
| US | 3.233.129.217:443 | cc-api-data.adobe.io | tcp |
| US | 3.233.129.217:443 | cc-api-data.adobe.io | tcp |
Files
memory/1732-0-0x0000000000B60000-0x0000000001214000-memory.dmp
memory/1732-1-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
C:\Users\Public\Desktop\83AVV42L.exe
| MD5 | 0df3a35807f6a4f361d03c4d66b915e2 |
| SHA1 | 75ddf979ab97871cd8980afdf0a83251ac21066b |
| SHA256 | e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c |
| SHA512 | 1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28 |
C:\ProgramData\Package Cache\4JVTTSCG.exe
| MD5 | e025c7bfa143c476a648e9daa3cfda2f |
| SHA1 | d4f90ae2727cd20c19802eeee5589fc4e7b36ec3 |
| SHA256 | 95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60 |
| SHA512 | f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3 |
memory/2732-12-0x0000000000340000-0x000000000035C000-memory.dmp
memory/2104-11-0x00000000001C0000-0x000000000094A000-memory.dmp
C:\ProgramData\Package Cache\4JVTTSCG.exe
| MD5 | e025c7bfa143c476a648e9daa3cfda2f |
| SHA1 | d4f90ae2727cd20c19802eeee5589fc4e7b36ec3 |
| SHA256 | 95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60 |
| SHA512 | f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3 |
memory/2732-13-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
C:\ProgramData\Desktop\83AVV42L.exe
| MD5 | 0df3a35807f6a4f361d03c4d66b915e2 |
| SHA1 | 75ddf979ab97871cd8980afdf0a83251ac21066b |
| SHA256 | e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c |
| SHA512 | 1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28 |
memory/2104-27-0x00000000024F0000-0x00000000024F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{D8B07743-4B98-4371-8C65-963FB7759253}\index.html
| MD5 | a28ab17b18ff254173dfeef03245efd0 |
| SHA1 | c6ce20924565644601d4e0dd0fba9dde8dea5c77 |
| SHA256 | 886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375 |
| SHA512 | 9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6 |
C:\Users\Admin\AppData\Local\Temp\{D8B07743-4B98-4371-8C65-963FB7759253}\CCDInstaller.js
| MD5 | fbc34da120e8a3ad11b3ad1404b6c51a |
| SHA1 | fe3e36de12e0bdd0a7731e572e862c50ee89207c |
| SHA256 | 9701b3ba335b5a11be32dd63ea3a466a14e048c1e5881cac81352b459be0f202 |
| SHA512 | f3f0452d16a7cd0600a8ffced5167783d3f31e51dce512872ade5031c97b14366af0343bfe2c822c8ac4a281f27f5eeb00fe7d0e8cbe90434f79bacf3ecb42d2 |
memory/2104-44-0x00000000055E0000-0x0000000005600000-memory.dmp
memory/1732-75-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab5A27.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar5B35.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4b231497342b40d4456589b977161069 |
| SHA1 | 008bc03ae02c20a05a029d88629472f844af5d38 |
| SHA256 | 79950537591d5bc61e65c9197ccf7f0ddd658f32a8ad020cc7656208a07041fc |
| SHA512 | 03429c67f5915981da28e33d82b15fbdbe384c5f605accee8f497cd121663c6097289fcb6609391ea8865f0ab7beb5c5114131c06f92c891872affdfefe76b91 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f0b81711c92e469937af667d7ee5ca8f |
| SHA1 | 46449e59dcf20eb81ea195e091d5fa69c3095d8c |
| SHA256 | 23d3b69ecaf47550fa99131d39a299536d2bcd96fc20b2223522c6f12cfdea11 |
| SHA512 | 0806e787dedb6048fc3a66bbd18aa9d6c26197068a0ae4c528535bbf3291026feb0bb907fee8109ea70b4cf15cdacb67d3afbc72fd3a2e6ce2816cb0e3d905a1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 08c371fa17357158273dcad3edc29b4b |
| SHA1 | 68fde7bd535ec2851ba0f02cca71c687e0909ad3 |
| SHA256 | c4f249acbfee114fd3fc3f94e2fcc00dab162732408eaa71fdf3e13a52321ea6 |
| SHA512 | 8432bf86c5d65f9f94bc9727f6f5bcc2c141594dc96c6f0fd52c066032ef7840bf6b3196040990cab72c43132baba165aa3e94d45a78e6060b97c9944906a9de |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b42731c334e49cc119c0bb035cd10d5b |
| SHA1 | 5c068cdd28507f2dcdff3eef6ef6dcbfcc8d1d56 |
| SHA256 | ec4956883bf0dd096d782e45c1717f65a99918a081aa1ce61efd762d5228b29f |
| SHA512 | f80ccb60e15cb48355ca7418bd8180f99f844b0b72eb386c21db7b23c74a62774586bb9098769e9fc8eb5f69f32336eb6cc65c7c46f52b492c9ba71f7e4a3817 |
memory/2104-215-0x00000000001C0000-0x000000000094A000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 067cfdda55d887903e8bf1ef9b16184c |
| SHA1 | bc36eed592154800f4201ba5b67baa472943fc83 |
| SHA256 | b9cea19c5304a2a83effb5664ca77fa4d00d53cb704cf057c1dfe1eee6066c47 |
| SHA512 | b8e5e56dc55366a2ea24a0331bd8650020eda3583cd74e566fcc3c3faafc4b443c25a507fe2f9917efbc4572627d67871e8b51bd21ac82eb2dd924204c75f0e8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cca6c1d888c76e9657f9a1a4759953cf |
| SHA1 | 2aad77529d87f3741dc456cd8497978126876923 |
| SHA256 | adeb423d51192c4e12f2a2b4bb5a5d16ec2530acbe848f1346f76b9c01ee27dd |
| SHA512 | 72a0583cfc950ff5b853127fde65a8f3967b4c91d672babf86c29e9af662f07a775ee856d29c142fc5a134221f38518dbebc74b618b604b07504d9bb7db2d6ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 329c442704a7d2b187d989ca1ca89719 |
| SHA1 | 0a9f5ecaf34991f017938f10995d8924af2a6859 |
| SHA256 | 664495b73b878ed348f491dcdeddbd291caa8f1372f2fe656853497104f3705c |
| SHA512 | 30d74bdf7c20164357df1e9f30864b313f005d064d1a0165400728f23a88a5adcc3d4568ad44de21c85f57e6f36179ac1879fe303cc6660a316cc3fe06b1b179 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 990d2300766a899a9da5de3fb48fa37c |
| SHA1 | 30fd3ba774a05d0439790d80ec7a400ab97a94cb |
| SHA256 | 29c5a99d7f1413a8b2ae8463c3101adca4644c2946b5b2192d4b3bcae412b60e |
| SHA512 | 8704ad93370f3f071a86620cb5d2346a9fcf5f40d5c2e25b12c8504ecf295956529297eeb9284ee4df1d5d1d7556bc34e2de2b5095294bb6f4f5caec8dacdd5e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e15160e5890d5afe16de937b0a7727e |
| SHA1 | 5b84a40ef47726a06fafc255327167d6ede14bf8 |
| SHA256 | a4622ef39bde72fed006efbc715b2a6f178ce0bf44065106e85d28c844953cf8 |
| SHA512 | 0409f7d30457ebc653cb15ab2272c49fba372eadd505baaaa94cb9d173dd6b7d8ed4adae91d67820a14252ab6ff7c0610943038aef38ccef3ca4c01f015478cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9b11d26a1f17aecd78c029e9ecd27abf |
| SHA1 | 99fa79f96f1b8eb68cca2667ee629394aaa574a6 |
| SHA256 | 5b9037bdcba2546e05a00aba42230c7f2cae79c66296e990dfa545e0cddcb76c |
| SHA512 | 6b69dafc0a112e4ea4f5ef5b8cc1e877356ee07d6c3e7c06f3830c893c564b531c7cbe1d035fe13e23d0667a0d559e4e0c9fd11728caea84c2e9833cff71ebe5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 079d786c48ed7859741d81080f28497c |
| SHA1 | af66ed2a4eaf40464de233a1e45abc7cdff4d29b |
| SHA256 | 27055edb92af65549aca67270c9261818cb63c05576b63313b93eb933a7dd0c5 |
| SHA512 | f3d410808c61ffa1310721ae698403a584b5323fff199e2c0d492ede74c5dc077e8835f6dfa61110e52dcd76c6cc64686d408b87f7f55f8f67fe966abcf1562a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a6eff272c1cacf173b6ee695ad6a257c |
| SHA1 | 7acf9a3eef2e59ad4355c6c573bbe08c77337f5d |
| SHA256 | ede1c3eecb01c9a7fe1c5618fc2e489bad5b65f3accd4064f02f1260dce0c990 |
| SHA512 | cc9881627189ff2136be7169ad27a2e12fb78e7d5ba5040f46a45c6f641994dec64d8a92bc85bad02084dc8886214d050e368b2461f5575e1b13d286b5c45efb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4c4669dd3c1505e9931f54519d13f9bc |
| SHA1 | 22cc6a7c5131873bdebeb05691edd76aa475313b |
| SHA256 | b8a8bf1e9ac8addea3fe88e462d0ce2f4456b6cb9cba51d08a6daa20ad08a61e |
| SHA512 | 6c6dd7c64a2bc03367f617b22c869a6dd36036d54b6c553b5a14bddcd00bd84bc3d3f32f75f97ab62f0d4e8eb657607e550fcfd8211ea422a528d495e3ee46d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 89f440ee46b46b644fab1e28817c80cf |
| SHA1 | 96a28921fee279cfee63e0b9d987b0e960989f1e |
| SHA256 | 03a9e8f3e2ef37e3755e917bea792a95758fc9e40b64abe41d13bbd69e06ef0c |
| SHA512 | 18fb588930c487cc5697487d204bac0183d9da4ff4ea040d95d8ebba31c40847c34ca4c20762250c2b0955f9e909f5c39ba8e09d12bb22070fab43c727b30802 |
memory/2104-595-0x00000000001C0000-0x000000000094A000-memory.dmp
memory/2732-604-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/1732-615-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/2104-616-0x00000000024F0000-0x00000000024F1000-memory.dmp
memory/2104-617-0x00000000055E0000-0x0000000005600000-memory.dmp
memory/2104-618-0x00000000001C0000-0x000000000094A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-04 16:31
Reported
2023-10-04 16:33
Platform
win10v2004-20230915-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Phemedrone
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
| N/A | N/A | C:\ProgramData\Templates\RLCVLWWR.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\1L6APO5M.exe = "11001" | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Templates\RLCVLWWR.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2436 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe |
| PID 2436 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe |
| PID 2436 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe | C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe |
| PID 2436 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe | C:\ProgramData\Templates\RLCVLWWR.exe |
| PID 2436 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe | C:\ProgramData\Templates\RLCVLWWR.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe
"C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe"
C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe
"C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe"
C:\ProgramData\Templates\RLCVLWWR.exe
"C:\ProgramData\Templates\RLCVLWWR.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1100 -ip 1100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1996
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.20.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | cc-api-data.adobe.io | udp |
| US | 8.8.8.8:53 | na1e-acc.services.adobe.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 34.215.32.195:443 | na1e-acc.services.adobe.com | tcp |
| US | 54.224.241.105:443 | cc-api-data.adobe.io | tcp |
| US | 54.224.241.105:443 | cc-api-data.adobe.io | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 54.224.241.105:443 | cc-api-data.adobe.io | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.241.224.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.32.215.34.in-addr.arpa | udp |
| US | 34.215.32.195:443 | na1e-acc.services.adobe.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | rakishev.net | udp |
| US | 104.21.88.34:80 | rakishev.net | tcp |
| US | 8.8.8.8:53 | 34.88.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/2436-0-0x0000000000050000-0x0000000000704000-memory.dmp
memory/2436-1-0x00007FFCBE2D0000-0x00007FFCBED91000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe
| MD5 | 0df3a35807f6a4f361d03c4d66b915e2 |
| SHA1 | 75ddf979ab97871cd8980afdf0a83251ac21066b |
| SHA256 | e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c |
| SHA512 | 1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28 |
C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe
| MD5 | 0df3a35807f6a4f361d03c4d66b915e2 |
| SHA1 | 75ddf979ab97871cd8980afdf0a83251ac21066b |
| SHA256 | e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c |
| SHA512 | 1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28 |
C:\ProgramData\Microsoft\Windows\Templates\RLCVLWWR.exe
| MD5 | e025c7bfa143c476a648e9daa3cfda2f |
| SHA1 | d4f90ae2727cd20c19802eeee5589fc4e7b36ec3 |
| SHA256 | 95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60 |
| SHA512 | f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3 |
memory/4884-24-0x0000000000F00000-0x0000000000F1C000-memory.dmp
C:\ProgramData\Templates\RLCVLWWR.exe
| MD5 | e025c7bfa143c476a648e9daa3cfda2f |
| SHA1 | d4f90ae2727cd20c19802eeee5589fc4e7b36ec3 |
| SHA256 | 95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60 |
| SHA512 | f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3 |
C:\ProgramData\Microsoft\Windows\Templates\RLCVLWWR.exe
| MD5 | e025c7bfa143c476a648e9daa3cfda2f |
| SHA1 | d4f90ae2727cd20c19802eeee5589fc4e7b36ec3 |
| SHA256 | 95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60 |
| SHA512 | f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3 |
memory/1100-25-0x0000000000230000-0x00000000009BA000-memory.dmp
memory/4884-26-0x000000001BE60000-0x000000001BE70000-memory.dmp
memory/4884-27-0x00007FFCBE2D0000-0x00007FFCBED91000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe
| MD5 | 0df3a35807f6a4f361d03c4d66b915e2 |
| SHA1 | 75ddf979ab97871cd8980afdf0a83251ac21066b |
| SHA256 | e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c |
| SHA512 | 1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28 |
C:\Users\Admin\AppData\Local\Temp\{E2F03368-0A82-4EAB-A62D-A7EF4377E109}\index.html
| MD5 | a28ab17b18ff254173dfeef03245efd0 |
| SHA1 | c6ce20924565644601d4e0dd0fba9dde8dea5c77 |
| SHA256 | 886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375 |
| SHA512 | 9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6 |
C:\Users\Admin\AppData\Local\Temp\{E2F03368-0A82-4EAB-A62D-A7EF4377E109}\CCDInstaller.js
| MD5 | fbc34da120e8a3ad11b3ad1404b6c51a |
| SHA1 | fe3e36de12e0bdd0a7731e572e862c50ee89207c |
| SHA256 | 9701b3ba335b5a11be32dd63ea3a466a14e048c1e5881cac81352b459be0f202 |
| SHA512 | f3f0452d16a7cd0600a8ffced5167783d3f31e51dce512872ade5031c97b14366af0343bfe2c822c8ac4a281f27f5eeb00fe7d0e8cbe90434f79bacf3ecb42d2 |
memory/1100-53-0x0000000000230000-0x00000000009BA000-memory.dmp
memory/2436-54-0x00007FFCBE2D0000-0x00007FFCBED91000-memory.dmp
memory/4884-55-0x000000001BE60000-0x000000001BE70000-memory.dmp
memory/2436-57-0x00007FFCBE2D0000-0x00007FFCBED91000-memory.dmp
memory/4884-59-0x00007FFCBE2D0000-0x00007FFCBED91000-memory.dmp