Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-10-2023 19:07

General

  • Target

    e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe

  • Size

    6.7MB

  • MD5

    ccec9f6516e38c852b1df13c836e5430

  • SHA1

    30e3c298370f32e92d42f586e170996229db8fab

  • SHA256

    e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385

  • SHA512

    e23d714a352ebda1c75ade3f782159562d34402ebff31511f5b952b247f9b49c039a4b29123762bbffcbe90f3dd6db828bc36deac344a91d75f41346435bbdd1

  • SSDEEP

    49152:Fu9q0pxgIYZdVKr2TZO/Ay+tN2ACtcXrGwuh0637dkKg4kGzlXerAEEEEEEEEE20:

Malware Config

Signatures

  • Phemedrone

    An information and wallet stealer written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Users\Admin\AppData\Roaming\Microsoft\IXB60NUE.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\IXB60NUE.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2300
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 2500
        3⤵
        • Program crash
        PID:3736
    • C:\Users\Admin\AppData\Roaming\Adobe\N658BDH1.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\N658BDH1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2300 -ip 2300
    1⤵
    PID:840
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:4924

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\{6B5D24E6-517D-43C6-A40B-423E32426257}\CCDInstaller.js

        Filesize

        1.2MB

        MD5

        fbc34da120e8a3ad11b3ad1404b6c51a

        SHA1

        fe3e36de12e0bdd0a7731e572e862c50ee89207c

        SHA256

        9701b3ba335b5a11be32dd63ea3a466a14e048c1e5881cac81352b459be0f202

        SHA512

        f3f0452d16a7cd0600a8ffced5167783d3f31e51dce512872ade5031c97b14366af0343bfe2c822c8ac4a281f27f5eeb00fe7d0e8cbe90434f79bacf3ecb42d2

      • C:\Users\Admin\AppData\Local\Temp\{6B5D24E6-517D-43C6-A40B-423E32426257}\index.html

        Filesize

        426B

        MD5

        a28ab17b18ff254173dfeef03245efd0

        SHA1

        c6ce20924565644601d4e0dd0fba9dde8dea5c77

        SHA256

        886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375

        SHA512

        9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

      • C:\Users\Admin\AppData\Roaming\Adobe\N658BDH1.exe

        Filesize

        83KB

        MD5

        e025c7bfa143c476a648e9daa3cfda2f

        SHA1

        d4f90ae2727cd20c19802eeee5589fc4e7b36ec3

        SHA256

        95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60

        SHA512

        f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

      • C:\Users\Admin\AppData\Roaming\Microsoft\IXB60NUE.exe

        Filesize

        2.4MB

        MD5

        0df3a35807f6a4f361d03c4d66b915e2

        SHA1

        75ddf979ab97871cd8980afdf0a83251ac21066b

        SHA256

        e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c

        SHA512

        1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

      • memory/1500-1-0x00007FF96C630000-0x00007FF96D0F1000-memory.dmp

        Filesize

        10.8MB

      • memory/1500-58-0x00007FF96C630000-0x00007FF96D0F1000-memory.dmp

        Filesize

        10.8MB

      • memory/1500-55-0x00007FF96C630000-0x00007FF96D0F1000-memory.dmp

        Filesize

        10.8MB

      • memory/1500-0-0x0000000000500000-0x0000000000BB4000-memory.dmp

        Filesize

        6.7MB

      • memory/2300-54-0x0000000000110000-0x000000000089A000-memory.dmp

        Filesize

        7.5MB

      • memory/2300-52-0x0000000007080000-0x00000000070A0000-memory.dmp

        Filesize

        128KB

      • memory/2300-20-0x0000000000110000-0x000000000089A000-memory.dmp

        Filesize

        7.5MB

      • memory/2560-26-0x000000001BB10000-0x000000001BB20000-memory.dmp

        Filesize

        64KB

      • memory/2560-25-0x00007FF96C630000-0x00007FF96D0F1000-memory.dmp

        Filesize

        10.8MB

      • memory/2560-24-0x0000000000C30000-0x0000000000C4C000-memory.dmp

        Filesize

        112KB

      • memory/2560-56-0x00007FF96C630000-0x00007FF96D0F1000-memory.dmp

        Filesize

        10.8MB

      • memory/2560-59-0x00007FF96C630000-0x00007FF96D0F1000-memory.dmp

        Filesize

        10.8MB