Malware Analysis Report

2024-10-19 07:07

Sample ID 231004-tgblgaeh62
Target a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af
SHA256 a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af
Tags
phemedrone spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af

Threat Level: Known bad

The file a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af was found to be: Known bad.

Malicious Activity Summary

phemedrone spyware stealer

Phemedrone

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-04 16:01

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-04 16:01

Reported

2023-10-04 16:03

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe"

Signatures

Phemedrone

stealer phemedrone

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description: N/A
Indicator: ip-api.com
Process: N/A
Target: N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\ZF167JVU.exe
Target: N/A
(27 identical hits recorded for this process)

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\ZF167JVU.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe

"C:\Users\Admin\AppData\Local\Temp\a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe"

C:\Users\Admin\AppData\Local\Temp\Low\VWQ50RMO.exe

"C:\Users\Admin\AppData\Local\Temp\Low\VWQ50RMO.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\ZF167JVU.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\ZF167JVU.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe
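Taken one at a time, the behavioral signatures above (a query of Control Panel\International\Geo\Nation, a DNS lookup of ip-api.com, a child EXE started out of %TEMP%, SeDebugPrivilege being enabled) are all things legitimate software does too. What supports the verdict is that every one of them lands in the process tree rooted at the submitted sample, with the drop into a fake "Microsoft Visual C++ 2010 x86 Redistributable Setup" folder in between. The Python below is an added example, not code from the report or from any sandbox vendor: it correlates such events per process tree. The event format, pids 1200/3000/4000 and the notepad tree are assumptions; the rest of the events are constructed to mirror the behavioral1 run listed above.

```python
"""Correlate sandbox-style behaviour events per process tree.

Added example, not part of the report or of any sandbox vendor's tooling.
The event format, pids 1200/3000/4000 and the notepad tree are assumptions;
the remaining events are constructed to mirror the behavioral1 run.
"""
from collections import defaultdict

# ip-api.com is the host this sample queried; the other two are well-known
# public-IP services added for illustration.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com"}
GEO_KEY_SUFFIX = "\\control panel\\international\\geo\\nation"
TEMP_MARKER = "\\appdata\\local\\temp\\"

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 652, "ppid": 4000,
     "image": TEMP + r"\a604eed1325b12671370e268783cfa74f8675a468492ff98416187d73768b4af.exe"},
    {"type": "registry_query", "pid": 652,
     "key": r"\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 1200, "ppid": 652,
     "image": TEMP + r"\Low\VWQ50RMO.exe"},
    {"type": "process_create", "pid": 1656, "ppid": 652,
     "image": TEMP + r"\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\ZF167JVU.exe"},
    {"type": "dns_query", "pid": 1656, "name": "ip-api.com"},
    {"type": "privilege_adjust", "pid": 1656, "privilege": "SeDebugPrivilege"},
    {"type": "dns_query", "pid": 1656, "name": "rakishev.net"},
    # Unrelated activity in another tree; must not count against the sample.
    {"type": "process_create", "pid": 3000, "ppid": 4000,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "dns_query", "pid": 3000, "name": "tse1.mm.bing.net"},
]


def build_tree(events):
    """Map pid -> ppid and pid -> image from process_create events."""
    parent, image = {}, {}
    for e in events:
        if e["type"] == "process_create":
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["image"]
    return parent, image


def root_of(pid, parent):
    """Walk up until the parent is not a process we saw being created."""
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


def indicators_for(event, image):
    """Yield the indicator names matched by one event (none for most events)."""
    t = event["type"]
    if t == "registry_query" and event["key"].lower().endswith(GEO_KEY_SUFFIX):
        yield "checks_geo_nation"
    elif t == "dns_query" and event["name"].lower() in IP_LOOKUP_HOSTS:
        yield "external_ip_lookup"
    elif t == "privilege_adjust" and event["privilege"] == "SeDebugPrivilege":
        yield "sedebugprivilege"
    elif t == "process_create":
        # A process started from %TEMP% by a parent that also lives in %TEMP%
        # is what the report calls "Executes dropped EXE".
        child = event["image"].lower()
        parent_image = image.get(event["ppid"], "").lower()
        if TEMP_MARKER in child and TEMP_MARKER in parent_image:
            yield "executes_dropped_exe"


def analyze(events):
    """Return {root pid: sorted indicator names} for every tree with a hit."""
    parent, image = build_tree(events)
    hits = defaultdict(set)
    for e in events:
        hits[root_of(e["pid"], parent)].update(indicators_for(e, image))
    return {root: sorted(h) for root, h in hits.items() if h}


def suspicious(events, threshold=3):
    """Roots whose tree matched at least `threshold` distinct indicators."""
    return sorted(r for r, h in analyze(events).items() if len(h) >= threshold)


if __name__ == "__main__":
    for root, names in analyze(SAMPLE_EVENTS).items():
        print(root, names)
    print("suspicious:", suspicious(SAMPLE_EVENTS))
```

The threshold is the knob to tune: one indicator on its own (a Geo\Nation read, say) fires on installers and games all day, while three or four distinct ones inside a single tree that started from %TEMP% is the shape this report shows. Real telemetry will need the registry-read event to come from an audit source that records reads (Sysmon only logs registry writes), so on an endpoint the geo check is usually the indicator that is missing.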

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 rakishev.net udp
US 104.21.88.34:80 rakishev.net tcp
US 8.8.8.8:53 34.88.21.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
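Most rows in the Network table are sandbox or OS background rather than sample activity: the resolver traffic to 8.8.8.8, the PTR (in-addr.arpa) lookups the sandbox issues for every address it observes, and the Windows image-search telemetry to tse1.mm.bing.net. Only two non-background hosts were contacted during the run, both over plain HTTP: ip-api.com (the public-IP lookup behind the "Looks up external IP address via web service" signature) and rakishev.net, which the report does not classify further. The Python below is an added example, not code from the report, that parses the table and makes that split. The rows are a subset copied from the table above; BACKGROUND_SUFFIXES is an assumption about what a Windows 10 sandbox talks to on its own.

```python
"""Separate real contacts from sandbox/OS background in the Network table.

Added example, not part of the report. The rows are a subset copied from the
report's Network table; BACKGROUND_SUFFIXES is an assumption about what a
Windows 10 sandbox talks to on its own.
"""
import ipaddress

RESOLVER = "8.8.8.8"
BACKGROUND_SUFFIXES = ("bing.net", "microsoft.com", "windowsupdate.com",
                       "msftconnecttest.com")

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 rakishev.net udp
US 104.21.88.34:80 rakishev.net tcp
US 8.8.8.8:53 34.88.21.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""


def parse_rows(text):
    """Turn the space-separated table into dicts; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'1.112.95.208.in-addr.arpa' -> '208.95.112.1'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    ip = ".".join(reversed(name[:-len(suffix)].split(".")))
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed name
    return ip


def is_background(domain):
    return any(domain == s or domain.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def extract_iocs(text):
    """Split rows into hosts actually connected to, names only resolved, and
    addresses the sandbox reverse-resolved (PTR) while watching the traffic."""
    contacted, resolved, ptr_targets = {}, set(), set()
    for r in parse_rows(text):
        ptr = ptr_to_ip(r["domain"])
        if ptr:
            ptr_targets.add(ptr)
        elif is_background(r["domain"]):
            continue
        elif r["ip"] == RESOLVER and r["port"] == 53:
            resolved.add(r["domain"])
        else:
            # keep the first connection per name; later rows for the same
            # name are further connections to it
            contacted.setdefault(r["domain"], (r["ip"], r["port"], r["proto"]))
    return {"contacted": contacted,
            "resolved_only": resolved - set(contacted),
            "ptr_targets": ptr_targets}


if __name__ == "__main__":
    result = extract_iocs(NETWORK_TABLE)
    for domain, (ip, port, proto) in sorted(result["contacted"].items()):
        print(f"{domain} -> {ip}:{port}/{proto}")
    print("resolved but never contacted:", sorted(result["resolved_only"]))
    print("PTR lookups issued for:", sorted(result["ptr_targets"]))
```

The "resolved but never contacted" bucket is worth keeping: when a sandbox sinkholes or blocks a C2 the name still shows up as a DNS query, and a connection-only IOC list would miss it. The PTR bucket is the sandbox's own work and should not be fed into a blocklist; here it includes 8.8.8.8 and the Microsoft addresses that the background traffic hit.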

Files

memory/652-0-0x0000000000B40000-0x0000000000DC2000-memory.dmp

memory/652-1-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Low\VWQ50RMO.exe

MD5 53406e9988306cbd4537677c5336aba4
SHA1 06becadb92a5fcca2529c0b93687c2a0c6d0d610
SHA256 fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425
SHA512 4f89da81b5a3800aa16ff33cc4a42dbb17d4c698a5e2983b88c32738decb57e3088a1da444ad0ec0d745c3c6b6b8b9b86d3f19909142f9e51f513748c0274a99

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\ZF167JVU.exe

MD5 ae881baa8c3a00a94e5994826bdac3aa
SHA1 3f81a9e1cb712b2f69c8ab9104469a436c797706
SHA256 2c669f5390b14c63c91f4898419792aaee9c0b996dc348419e2ee84179cf3531
SHA512 2e1845235d5cb2c710ab8db068cc9cf744ccd2809e8293ef4ce27d090d071a645524d23517f74bf841aca21ddeea7daa21621b537a63a7ec356db7be6dfc21fc

memory/1656-24-0x0000000000CA0000-0x0000000000CBC000-memory.dmp

memory/1656-25-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp

memory/1656-26-0x000000001BAF0000-0x000000001BB00000-memory.dmp

memory/652-28-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp

memory/1656-29-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp

memory/1656-30-0x000000001BAF0000-0x000000001BB00000-memory.dmp

memory/1656-32-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp
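Each memory dump name encodes the pid, a dump index and the address range that was captured. Two things stand out when the names are grouped: the range 0x7FFA34D80000-0x7FFA35841000 is dumped from both pid 652 and pid 1656 at the same address, which on Windows is what a shared system DLL looks like (system DLL bases are randomized per boot, not per process), while 0xB40000-0xDC2000 in pid 652 and 0xCA0000-0xCBC000 plus 0x1BAF0000-0x1BB00000 in pid 1656 are private to each process and are where unpacked code would be. The Python below is an added example, not part of the report, that parses the names and makes that split. Which pid is which process is not stated by the report, and that the shared region is a DLL rather than injected code is an inference to confirm against the dump contents, not something the report says.

```python
"""Group the report's memory dump names by process and address range.

Added example, not part of the report. Dump names are copied from the Files
section; shared-vs-private is a heuristic to confirm against the dumps.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

DUMP_NAMES = [
    "memory/652-0-0x0000000000B40000-0x0000000000DC2000-memory.dmp",
    "memory/652-1-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp",
    "memory/1656-24-0x0000000000CA0000-0x0000000000CBC000-memory.dmp",
    "memory/1656-25-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp",
    "memory/1656-26-0x000000001BAF0000-0x000000001BB00000-memory.dmp",
    "memory/652-28-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp",
    "memory/1656-29-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp",
    "memory/1656-30-0x000000001BAF0000-0x000000001BB00000-memory.dmp",
    "memory/1656-32-0x00007FFA34D80000-0x00007FFA35841000-memory.dmp",
]


def parse_dump(name):
    """Decode one dump name; None if it does not follow the pattern."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """pid -> set of (start, end) ranges; repeated dumps of a range collapse."""
    by_pid = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        if d:
            by_pid[d["pid"]].add((d["start"], d["end"]))
    return by_pid


def shared_regions(names):
    """Ranges dumped from more than one process at the same address."""
    counts = defaultdict(int)
    for regions in regions_by_pid(names).values():
        for r in regions:
            counts[r] += 1
    return {r for r, n in counts.items() if n > 1}


def private_regions(names):
    """Per pid, the ranges seen in that process only, sorted by address."""
    shared = shared_regions(names)
    return {pid: sorted(r for r in regions if r not in shared)
            for pid, regions in regions_by_pid(names).items()}


if __name__ == "__main__":
    for pid, regions in sorted(private_regions(DUMP_NAMES).items()):
        for start, end in regions:
            print(f"pid {pid}: {start:#x}-{end:#x} ({end - start:#x} bytes)")
    for start, end in sorted(shared_regions(DUMP_NAMES)):
        print(f"shared: {start:#x}-{end:#x}")
```

The private region of pid 652 is 0x282000 bytes, a plausible size for the ~2.6 MB sample image, and the two small private regions of pid 1656 are the first places to carve for strings and the stealer's configuration. Confirm the shared region by reading its dump header (an MZ/PE header at offset 0 with a system path in the export name) before discounting it.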