Malware Analysis Report

2024-10-19 07:07

Sample ID 231004-tdxpjaeh53
Target tcpview.exe
SHA256 255d887e4aee44b4a811fd99c76d7df6ce442316125d236f9b3891bd56b82f8c
Tags
phemedrone spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

255d887e4aee44b4a811fd99c76d7df6ce442316125d236f9b3891bd56b82f8c

Threat Level: Known bad

The file tcpview.exe was found to be: Known bad.

Malicious Activity Summary

phemedrone spyware stealer

Phemedrone

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-04 15:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 15:57

Reported

2023-10-04 15:58

Platform

win10-20230915-en

Max time kernel

73s

Max time network

78s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tcpview.exe"

Signatures

Phemedrone

stealer phemedrone

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tcpview.exe

"C:\Users\Admin\AppData\Local\Temp\tcpview.exe"

C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe

"C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe"

C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe

"C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 rakishev.net udp
US 172.67.150.79:80 rakishev.net tcp
US 8.8.8.8:53 79.150.67.172.in-addr.arpa udp

Files

memory/4532-0-0x0000000000760000-0x0000000000B36000-memory.dmp

memory/4532-1-0x00007FF986650000-0x00007FF98703C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\CCJBAEUO.exe

MD5 126d1dba7efc0faed18afa036fb0468b
SHA1 fe58c79cc3b5d11d9c1fbf53db1e0d726c94c491
SHA256 adb8b6cfb9633759f3a08ecb160790aaa6a733d5671991c21a5a28deafbeef26
SHA512 a3c32b7b4961c13c4fafb1b71b123bf4d0ecdfc4087912429019fb63aaf17f132ae2c58135f2ea8d64643966e99a28c89fc67c6256e9dafcb310049ab6951ad9

C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe

MD5 051c8b584ffde2a373d4a54d038bc46c
SHA1 d58abcb0d3875094b51e6836036bf65ff96b8b40
SHA256 711de934bbdb56f4335d776819d4059222f8b3376fcb4a72ac2fca0a38e45801
SHA512 8f28ce2467b8accba63be5a4983df4c8faed25a7f79c1f04560f47009969cbf84fc2afe4e08c2903c17f895afe29e397a91ed579d012f68fe08f0b4261552063

C:\Users\Admin\AppData\Roaming\Adobe\7ZHSQ2JA.exe

MD5 051c8b584ffde2a373d4a54d038bc46c
SHA1 d58abcb0d3875094b51e6836036bf65ff96b8b40
SHA256 711de934bbdb56f4335d776819d4059222f8b3376fcb4a72ac2fca0a38e45801
SHA512 8f28ce2467b8accba63be5a4983df4c8faed25a7f79c1f04560f47009969cbf84fc2afe4e08c2903c17f895afe29e397a91ed579d012f68fe08f0b4261552063

memory/5008-11-0x000000006D320000-0x000000006D330000-memory.dmp

memory/3036-12-0x00000000007B0000-0x00000000007CC000-memory.dmp

memory/3036-14-0x00007FF986650000-0x00007FF98703C000-memory.dmp

memory/3036-16-0x000000001B2E0000-0x000000001B2F0000-memory.dmp

memory/4532-15-0x00007FF986650000-0x00007FF98703C000-memory.dmp

memory/3036-17-0x00007FF986650000-0x00007FF98703C000-memory.dmp

memory/3036-19-0x00007FF986650000-0x00007FF98703C000-memory.dmp