phemedrone | 4b1d253b214f9d502bcb88d8df24424c1c11692cba770031cca6c7d3703d19de

General

Target

e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe
Size

6.7MB
MD5

ccec9f6516e38c852b1df13c836e5430
SHA1

30e3c298370f32e92d42f586e170996229db8fab
SHA256

e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385
SHA512

e23d714a352ebda1c75ade3f782159562d34402ebff31511f5b952b247f9b49c039a4b29123762bbffcbe90f3dd6db828bc36deac344a91d75f41346435bbdd1
SSDEEP

49152:Fu9q0pxgIYZdVKr2TZO/Ay+tN2ACtcXrGwuh0637dkKg4kGzlXerAEEEEEEEEE20:

Score

10^/10

phemedrone stealer upx

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Executes dropped EXE 2 IoCs

Processes:

46UL1YC0.exeA176NUPB.exe

pid process

1292 46UL1YC0.exe
2264 A176NUPB.exe

pid	process
1292	46UL1YC0.exe
2264	A176NUPB.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Package Cache\46UL1YC0.exe	upx
behavioral1/memory/1292-13-0x0000000000C20000-0x00000000013AA000-memory.dmp	upx
C:\ProgramData\Package Cache\46UL1YC0.exe	upx
behavioral1/memory/1292-46-0x0000000000C20000-0x00000000013AA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

46UL1YC0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	46UL1YC0.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	46UL1YC0.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	46UL1YC0.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	46UL1YC0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\46UL1YC0.exe = "11001"	46UL1YC0.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

46UL1YC0.exe

pid process

1292 46UL1YC0.exe
1292 46UL1YC0.exe
1292 46UL1YC0.exe
1292 46UL1YC0.exe
1292 46UL1YC0.exe

pid	process
1292	46UL1YC0.exe
1292	46UL1YC0.exe
1292	46UL1YC0.exe
1292	46UL1YC0.exe
1292	46UL1YC0.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

46UL1YC0.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1292	46UL1YC0.exe
Token: SeIncreaseQuotaPrivilege	1292	46UL1YC0.exe
Token: SeIncreaseQuotaPrivilege	1292	46UL1YC0.exe
Token: SeIncreaseQuotaPrivilege	1292	46UL1YC0.exe
Token: SeIncreaseQuotaPrivilege	1292	46UL1YC0.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

46UL1YC0.exe

pid process

1292 46UL1YC0.exe
1292 46UL1YC0.exe

pid	process
1292	46UL1YC0.exe
1292	46UL1YC0.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exeA176NUPB.exe

description	pid	process	target process
PID 1832 wrote to memory of 1292	1832	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	46UL1YC0.exe
PID 1832 wrote to memory of 1292	1832	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	46UL1YC0.exe
PID 1832 wrote to memory of 1292	1832	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	46UL1YC0.exe
PID 1832 wrote to memory of 1292	1832	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	46UL1YC0.exe
PID 1832 wrote to memory of 1292	1832	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	46UL1YC0.exe
PID 1832 wrote to memory of 1292	1832	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	46UL1YC0.exe
PID 1832 wrote to memory of 1292	1832	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	46UL1YC0.exe
PID 1832 wrote to memory of 2264	1832	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	A176NUPB.exe
PID 1832 wrote to memory of 2264	1832	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	A176NUPB.exe
PID 1832 wrote to memory of 2264	1832	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	A176NUPB.exe
PID 2264 wrote to memory of 2876	2264	A176NUPB.exe	WerFault.exe
PID 2264 wrote to memory of 2876	2264	A176NUPB.exe	WerFault.exe
PID 2264 wrote to memory of 2876	2264	A176NUPB.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe
"C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\ProgramData\Package Cache\46UL1YC0.exe
  "C:\ProgramData\Package Cache\46UL1YC0.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1292
- C:\ProgramData\Start Menu\A176NUPB.exe
  "C:\ProgramData\Start Menu\A176NUPB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2264 -s 520
    3⤵
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\A176NUPB.exe

Filesize
83KB

MD5
e025c7bfa143c476a648e9daa3cfda2f

SHA1
d4f90ae2727cd20c19802eeee5589fc4e7b36ec3

SHA256
95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60

SHA512
f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

Download Submit
C:\ProgramData\Package Cache\46UL1YC0.exe

Filesize
2.4MB

MD5
0df3a35807f6a4f361d03c4d66b915e2

SHA1
75ddf979ab97871cd8980afdf0a83251ac21066b

SHA256
e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c

SHA512
1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

Download Submit
C:\ProgramData\Package Cache\46UL1YC0.exe

Filesize
2.4MB

MD5
0df3a35807f6a4f361d03c4d66b915e2

SHA1
75ddf979ab97871cd8980afdf0a83251ac21066b

SHA256
e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c

SHA512
1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

Download Submit
C:\ProgramData\Start Menu\A176NUPB.exe

Filesize
83KB

MD5
e025c7bfa143c476a648e9daa3cfda2f

SHA1
d4f90ae2727cd20c19802eeee5589fc4e7b36ec3

SHA256
95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60

SHA512
f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{12D4FD26-D7D6-48CA-B5D1-00886087AA8D}\CCDInstaller.js

Filesize
1.2MB

MD5
fbc34da120e8a3ad11b3ad1404b6c51a

SHA1
fe3e36de12e0bdd0a7731e572e862c50ee89207c

SHA256
9701b3ba335b5a11be32dd63ea3a466a14e048c1e5881cac81352b459be0f202

SHA512
f3f0452d16a7cd0600a8ffced5167783d3f31e51dce512872ade5031c97b14366af0343bfe2c822c8ac4a281f27f5eeb00fe7d0e8cbe90434f79bacf3ecb42d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{12D4FD26-D7D6-48CA-B5D1-00886087AA8D}\index.html

Filesize
426B

MD5
a28ab17b18ff254173dfeef03245efd0

SHA1
c6ce20924565644601d4e0dd0fba9dde8dea5c77

SHA256
886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375

SHA512
9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

Download Submit
memory/1292-45-0x00000000054C0000-0x00000000054E0000-memory.dmp

Filesize
128KB

Download
memory/1292-28-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1292-13-0x0000000000C20000-0x00000000013AA000-memory.dmp

Filesize
7.5MB

Download
memory/1292-46-0x0000000000C20000-0x00000000013AA000-memory.dmp

Filesize
7.5MB

Download
memory/1832-1-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/1832-0-0x0000000000AE0000-0x0000000001194000-memory.dmp

Filesize
6.7MB

Download
memory/1832-47-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/1832-49-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2264-14-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2264-12-0x0000000000B50000-0x0000000000B6C000-memory.dmp

Filesize
112KB

Download
memory/2264-48-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads