Analysis Overview
SHA256
255d887e4aee44b4a811fd99c76d7df6ce442316125d236f9b3891bd56b82f8c
Threat Level: Known bad
The file tcpview.exe was found to be: Known bad.
Malicious Activity Summary
Phemedrone
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-04 15:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-04 15:57
Reported
2023-10-04 15:58
Platform
win10-20230915-en
Max time kernel
73s
Max time network
78s
Command Line
Signatures
Phemedrone
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4532 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\tcpview.exe | C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe |
| PID 4532 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\tcpview.exe | C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe |
| PID 4532 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\tcpview.exe | C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe |
| PID 4532 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\tcpview.exe | C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe |
| PID 4532 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\tcpview.exe | C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\tcpview.exe
"C:\Users\Admin\AppData\Local\Temp\tcpview.exe"
C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe
"C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe"
C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe
"C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rakishev.net | udp |
| US | 172.67.150.79:80 | rakishev.net | tcp |
| US | 8.8.8.8:53 | 79.150.67.172.in-addr.arpa | udp |
Files
memory/4532-0-0x0000000000760000-0x0000000000B36000-memory.dmp
memory/4532-1-0x00007FF986650000-0x00007FF98703C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe
| MD5 | 126d1dba7efc0faed18afa036fb0468b |
| SHA1 | fe58c79cc3b5d11d9c1fbf53db1e0d726c94c491 |
| SHA256 | adb8b6cfb9633759f3a08ecb160790aaa6a733d5671991c21a5a28deafbeef26 |
| SHA512 | a3c32b7b4961c13c4fafb1b71b123bf4d0ecdfc4087912429019fb63aaf17f132ae2c58135f2ea8d64643966e99a28c89fc67c6256e9dafcb310049ab6951ad9 |
C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe
| MD5 | 051c8b584ffde2a373d4a54d038bc46c |
| SHA1 | d58abcb0d3875094b51e6836036bf65ff96b8b40 |
| SHA256 | 711de934bbdb56f4335d776819d4059222f8b3376fcb4a72ac2fca0a38e45801 |
| SHA512 | 8f28ce2467b8accba63be5a4983df4c8faed25a7f79c1f04560f47009969cbf84fc2afe4e08c2903c17f895afe29e397a91ed579d012f68fe08f0b4261552063 |
C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe
| MD5 | 051c8b584ffde2a373d4a54d038bc46c |
| SHA1 | d58abcb0d3875094b51e6836036bf65ff96b8b40 |
| SHA256 | 711de934bbdb56f4335d776819d4059222f8b3376fcb4a72ac2fca0a38e45801 |
| SHA512 | 8f28ce2467b8accba63be5a4983df4c8faed25a7f79c1f04560f47009969cbf84fc2afe4e08c2903c17f895afe29e397a91ed579d012f68fe08f0b4261552063 |
memory/5008-11-0x000000006D320000-0x000000006D330000-memory.dmp
memory/3036-12-0x00000000007B0000-0x00000000007CC000-memory.dmp
memory/3036-14-0x00007FF986650000-0x00007FF98703C000-memory.dmp
memory/3036-16-0x000000001B2E0000-0x000000001B2F0000-memory.dmp
memory/4532-15-0x00007FF986650000-0x00007FF98703C000-memory.dmp
memory/3036-17-0x00007FF986650000-0x00007FF98703C000-memory.dmp
memory/3036-19-0x00007FF986650000-0x00007FF98703C000-memory.dmp