Analysis

Max time kernel: 145s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20230915-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04-10-2023 16:03
Static task: static1

Behavioral task: behavioral1
  Sample: tcpview.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: tcpview.exe
  Resource: win10v2004-20230915-en
General

Target: tcpview.exe
Size: 3.8MB
MD5: 4c51b62c9ee7a37ddc010e48b516c243
SHA1: 77b6f4ce0867078a8d7c02fa1254912b6f4c0d00
SHA256: 255d887e4aee44b4a811fd99c76d7df6ce442316125d236f9b3891bd56b82f8c
SHA512: 8e292a6125309ad8e26606b4682001a8cfa8038818a9b28e4070a5133b73083bac608c48f00ae30e38fea170186de7e5da9c3528f8a55685c44d923c029e1adb
SSDEEP: 49152:T+eKofn4V0kl/gaMHqAwl6hXsM75LwV71pG7XPQx7PtwlSr+Ucbf3QC3aLVeolcB:
Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely for a geofence check.
Processes:
  tcpview.exe: key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (2 IoCs)
Processes:
  PID 864   7CFWVPWU.exe
  PID 4092  9HBYJW52.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and session cookies.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 8  ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes:
  PID 4092  9HBYJW52.exe  (28 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege         PID 4092  9HBYJW52.exe
  Token: SeManageVolumePrivilege  PID 4324  svchost.exe
The svchost.exe entry (PID 4324, -k UnistackSvcGroup) is a system service outside the sample's process tree; the SeDebugPrivilege request by 9HBYJW52.exe is the one attributable to the sample.

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 864   7CFWVPWU.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 3400  tcpview.exe  wrote to memory of  PID 864   7CFWVPWU.exe  (3 times)
  PID 3400  tcpview.exe  wrote to memory of  PID 4092  9HBYJW52.exe  (2 times)
All five writes are from the parent into children it had just created, the same pattern CreateProcess produces when it writes startup parameters into a new child. On its own this is weak evidence; what it does confirm is that tcpview.exe is the stage that launches the two dropped executables.
Processes

C:\Users\Admin\AppData\Local\Temp\tcpview.exe  (PID 3400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tcpview.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\7CFWVPWU.exe  (PID 864)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\7CFWVPWU.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\ProgramData\Start Menu\9HBYJW52.exe  (PID 4092)
      Command line: "C:\ProgramData\Start Menu\9HBYJW52.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe  (PID 4328)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\rundll32.exe  (PID 420)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe  (PID 4324)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 83KB
MD5: 051c8b584ffde2a373d4a54d038bc46c
SHA1: d58abcb0d3875094b51e6836036bf65ff96b8b40
SHA256: 711de934bbdb56f4335d776819d4059222f8b3376fcb4a72ac2fca0a38e45801
SHA512: 8f28ce2467b8accba63be5a4983df4c8faed25a7f79c1f04560f47009969cbf84fc2afe4e08c2903c17f895afe29e397a91ed579d012f68fe08f0b4261552063

Filesize: 16KB
MD5: d448d88f3c4f994e05c0a0653c6634ee
SHA1: f30a448188a5620dce19c1bd464e47924e36ee55
SHA256: fe2ceb0ec8e8908ccf4cc6c025d36e649e1c78e985cc47f9268049b2f7826556
SHA512: 8f484298ccfd01833ce25ba61cfbb8f92c50ecde92f5d8e2d75a4a0b247dc2b2c938620abf5ea2712e0e684fbee7d3b22208f025b494137a7e5c71e2f68566a1

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\7CFWVPWU.exe
Filesize: 1.3MB
MD5: 126d1dba7efc0faed18afa036fb0468b
SHA1: fe58c79cc3b5d11d9c1fbf53db1e0d726c94c491
SHA256: adb8b6cfb9633759f3a08ecb160790aaa6a733d5671991c21a5a28deafbeef26
SHA512: a3c32b7b4961c13c4fafb1b71b123bf4d0ecdfc4087912429019fb63aaf17f132ae2c58135f2ea8d64643966e99a28c89fc67c6256e9dafcb310049ab6951ad9
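The behaviours flagged in the Signatures and Processes sections (execution from %TEMP% and C:\ProgramData\Start Menu, the Geo\Nation registry read, the ip-api.com lookup, the chain tcpview.exe -> 7CFWVPWU.exe / 9HBYJW52.exe) together with the file hashes in the Downloads list can be turned into host-telemetry hunting rules. The Python below is an example added here; it is not output of the sandbox and not code from the sample. It runs the rules over a few constructed telemetry lines modelled on the process tree, in an invented tab-separated key=value format (not Sysmon's schema). The PIDs of the sample's processes, the registry key and all hashes are copied from this report; the parent PIDs 900 and 1200, and explorer.exe reading Geo\Nation, are assumptions added to show why the geofence rule is gated on where the querying process runs from. No hash is given above for 9HBYJW52.exe, so its event carries none, and the WriteProcessMemory and privilege-token signatures are not modelled.

```python
"""Hunting rules for the behaviours in this report, run over constructed telemetry.

Added example, not sandbox output and not code from the sample. The event format is a
made-up tab-separated key=value line (not Sysmon's schema). PIDs of the sample's processes
and all hashes are copied from the report; the parent PIDs 900 and 1200 are assumptions.
"""
import re
from collections import defaultdict

# Indicators copied from the report: sample hash, dropped-file hashes, geofence key, IP lookup host.
SAMPLE_SHA256 = "255d887e4aee44b4a811fd99c76d7df6ce442316125d236f9b3891bd56b82f8c"
KNOWN_SHA256 = {
    SAMPLE_SHA256: "tcpview.exe (Phemedrone sample)",
    "adb8b6cfb9633759f3a08ecb160790aaa6a733d5671991c21a5a28deafbeef26": "7CFWVPWU.exe (dropped)",
    "711de934bbdb56f4335d776819d4059222f8b3376fcb4a72ac2fca0a38e45801": "83KB download",
    "fe2ceb0ec8e8908ccf4cc6c025d36e649e1c78e985cc47f9268049b2f7826556": "16KB download",
}
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
IP_LOOKUP_HOSTS = {"ip-api.com"}
# Locations a standard user can write to; both stages of this sample ran from them.
USER_WRITABLE_RE = re.compile(
    r"^c:\\(users\\[^\\]+\\appdata\\local\\temp|programdata)\\", re.IGNORECASE
)

# Constructed telemetry modelled on the process tree above (tab-separated key=value fields).
EVENTS = [
    "kind=process\tpid=1200\tppid=900\timage=C:\\Windows\\explorer.exe",
    # Assumed benign noise: explorer.exe reading the same value. A bare "reads Geo\Nation"
    # rule would alert here, which is why the rule below also looks at the process image.
    "kind=regquery\tpid=1200\tkey=\\REGISTRY\\USER\\S-1-5-21-1574508946-349927670-1185736483-1000"
    "\\Control Panel\\International\\Geo\\Nation",
    "kind=process\tpid=3400\tppid=1200\timage=C:\\Users\\Admin\\AppData\\Local\\Temp\\tcpview.exe"
    "\tsha256=" + SAMPLE_SHA256,
    "kind=regquery\tpid=3400\tkey=\\REGISTRY\\USER\\S-1-5-21-1574508946-349927670-1185736483-1000"
    "\\Control Panel\\International\\Geo\\Nation",
    "kind=process\tpid=864\tppid=3400\timage=C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Visual C++"
    " 2010 x64 Redistributable Setup_10.0.40219\\7CFWVPWU.exe"
    "\tsha256=adb8b6cfb9633759f3a08ecb160790aaa6a733d5671991c21a5a28deafbeef26",
    "kind=process\tpid=4092\tppid=3400\timage=C:\\ProgramData\\Start Menu\\9HBYJW52.exe",
    "kind=dns\tpid=4092\tquery=ip-api.com",
]


def parse(line):
    """Split one telemetry line into a field dict."""
    return dict(field.split("=", 1) for field in line.split("\t"))


def hunt(lines):
    """Return (rule, pid, detail) alerts. The process table is kept so that later events
    can be judged by where their process runs from; that is what makes the geofence rule usable."""
    image_of = {}
    alerts = []
    for ev in map(parse, lines):
        kind, pid = ev["kind"], int(ev["pid"])
        if kind == "process":
            image = ev["image"]
            image_of[pid] = image
            if USER_WRITABLE_RE.search(image):
                alerts.append(("exec_from_user_writable", pid, image))
            digest = ev.get("sha256", "").lower()
            if digest in KNOWN_SHA256:
                alerts.append(("known_hash", pid, KNOWN_SHA256[digest]))
            parent = image_of.get(int(ev["ppid"]), "")
            # Stage 1 in %TEMP% launching stage 2 from %TEMP% or ProgramData: the tree above.
            if USER_WRITABLE_RE.search(parent) and USER_WRITABLE_RE.search(image):
                alerts.append(("dropper_chain", pid, f"{parent} -> {image}"))
        elif kind == "regquery":
            # Geo\Nation is read by much legitimate software; only flag it from an odd location.
            if GEO_NATION_RE.search(ev["key"]) and USER_WRITABLE_RE.search(image_of.get(pid, "")):
                alerts.append(("geofence_check", pid, image_of[pid]))
        elif kind == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            alerts.append(("external_ip_lookup", pid, f"{image_of.get(pid, '?')} -> {ev['query']}"))
    return alerts


def rules_by_pid(alerts):
    """Group rule names per PID so a process tripping several rules stands out."""
    grouped = defaultdict(set)
    for rule, pid, _ in alerts:
        grouped[pid].add(rule)
    return dict(grouped)


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:<24} pid={pid:<5} {detail}")
```

Run against the constructed events, explorer.exe (PID 1200) produces no alert even though it reads the same Geo\Nation value, while each of the three sample processes trips three rules. The known_hash rule is the brittle part: it only catches these exact dropped files, whereas the dropper_chain and geofence_check rules describe the behaviour and would survive a rebuild of the sample.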