phemedrone | 4b1d253b214f9d502bcb88d8df24424c1c11692cba770031cca6c7d3703d19de

General

Target

e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe
Size

6.7MB
MD5

ccec9f6516e38c852b1df13c836e5430
SHA1

30e3c298370f32e92d42f586e170996229db8fab
SHA256

e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385
SHA512

e23d714a352ebda1c75ade3f782159562d34402ebff31511f5b952b247f9b49c039a4b29123762bbffcbe90f3dd6db828bc36deac344a91d75f41346435bbdd1
SSDEEP

49152:Fu9q0pxgIYZdVKr2TZO/Ay+tN2ACtcXrGwuh0637dkKg4kGzlXerAEEEEEEEEE20:

Score

10^/10

phemedrone spyware stealer upx

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe

Executes dropped EXE 2 IoCs

Processes:

DKFD1EHT.exeT9WVUKDH.exe

pid process

3764 DKFD1EHT.exe
3468 T9WVUKDH.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\DKFD1EHT.exe	upx
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\DKFD1EHT.exe	upx
behavioral2/memory/3764-15-0x0000000000DB0000-0x000000000153A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\DKFD1EHT.exe	upx
behavioral2/memory/3764-54-0x0000000000DB0000-0x000000000153A000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2084 3764 WerFault.exe DKFD1EHT.exe

flow	ioc
26	ip-api.com

pid	pid_target	process	target process
2084	3764	WerFault.exe	DKFD1EHT.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

DKFD1EHT.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	DKFD1EHT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\DKFD1EHT.exe = "11001"	DKFD1EHT.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

DKFD1EHT.exeT9WVUKDH.exe

pid	process
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3764	DKFD1EHT.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe
3468	T9WVUKDH.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

T9WVUKDH.exeDKFD1EHT.exe

description	pid	process
Token: SeDebugPrivilege	3468	T9WVUKDH.exe
Token: SeIncreaseQuotaPrivilege	3764	DKFD1EHT.exe
Token: SeIncreaseQuotaPrivilege	3764	DKFD1EHT.exe
Token: SeIncreaseQuotaPrivilege	3764	DKFD1EHT.exe
Token: SeIncreaseQuotaPrivilege	3764	DKFD1EHT.exe
Token: SeIncreaseQuotaPrivilege	3764	DKFD1EHT.exe
Token: SeIncreaseQuotaPrivilege	3764	DKFD1EHT.exe
Token: SeIncreaseQuotaPrivilege	3764	DKFD1EHT.exe
Token: SeIncreaseQuotaPrivilege	3764	DKFD1EHT.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

DKFD1EHT.exe

pid process

3764 DKFD1EHT.exe
3764 DKFD1EHT.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe

description	pid	process	target process
PID 2208 wrote to memory of 3764	2208	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	DKFD1EHT.exe
PID 2208 wrote to memory of 3764	2208	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	DKFD1EHT.exe
PID 2208 wrote to memory of 3764	2208	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	DKFD1EHT.exe
PID 2208 wrote to memory of 3468	2208	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	T9WVUKDH.exe
PID 2208 wrote to memory of 3468	2208	e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe	T9WVUKDH.exe

C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe
"C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\DKFD1EHT.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\DKFD1EHT.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 2456
    3⤵
    - Program crash
    PID:2084
- C:\Users\Admin\AppData\Roaming\Adobe\T9WVUKDH.exe
  "C:\Users\Admin\AppData\Roaming\Adobe\T9WVUKDH.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3764 -ip 3764
1⤵
PID:1212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\DKFD1EHT.exe

Filesize
2.4MB

MD5
0df3a35807f6a4f361d03c4d66b915e2

SHA1
75ddf979ab97871cd8980afdf0a83251ac21066b

SHA256
e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c

SHA512
1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\DKFD1EHT.exe

Filesize
2.4MB

MD5
0df3a35807f6a4f361d03c4d66b915e2

SHA1
75ddf979ab97871cd8980afdf0a83251ac21066b

SHA256
e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c

SHA512
1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\DKFD1EHT.exe

Filesize
2.4MB

MD5
0df3a35807f6a4f361d03c4d66b915e2

SHA1
75ddf979ab97871cd8980afdf0a83251ac21066b

SHA256
e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c

SHA512
1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BF66FF50-B403-4617-AB1E-B252CF457A27}\CCDInstaller.js

Filesize
1.2MB

MD5
fbc34da120e8a3ad11b3ad1404b6c51a

SHA1
fe3e36de12e0bdd0a7731e572e862c50ee89207c

SHA256
9701b3ba335b5a11be32dd63ea3a466a14e048c1e5881cac81352b459be0f202

SHA512
f3f0452d16a7cd0600a8ffced5167783d3f31e51dce512872ade5031c97b14366af0343bfe2c822c8ac4a281f27f5eeb00fe7d0e8cbe90434f79bacf3ecb42d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BF66FF50-B403-4617-AB1E-B252CF457A27}\index.html

Filesize
426B

MD5
a28ab17b18ff254173dfeef03245efd0

SHA1
c6ce20924565644601d4e0dd0fba9dde8dea5c77

SHA256
886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375

SHA512
9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\T9WVUKDH.exe

Filesize
83KB

MD5
e025c7bfa143c476a648e9daa3cfda2f

SHA1
d4f90ae2727cd20c19802eeee5589fc4e7b36ec3

SHA256
95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60

SHA512
f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\T9WVUKDH.exe

Filesize
83KB

MD5
e025c7bfa143c476a648e9daa3cfda2f

SHA1
d4f90ae2727cd20c19802eeee5589fc4e7b36ec3

SHA256
95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60

SHA512
f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\T9WVUKDH.exe

Filesize
83KB

MD5
e025c7bfa143c476a648e9daa3cfda2f

SHA1
d4f90ae2727cd20c19802eeee5589fc4e7b36ec3

SHA256
95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60

SHA512
f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

Download Submit
memory/2208-1-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/2208-0-0x0000000000290000-0x0000000000944000-memory.dmp

Filesize
6.7MB

Download
memory/2208-38-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/3468-24-0x0000000000F90000-0x0000000000FAC000-memory.dmp

Filesize
112KB

Download
memory/3468-26-0x000000001BEE0000-0x000000001BEF0000-memory.dmp

Filesize
64KB

Download
memory/3468-25-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/3468-56-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/3468-58-0x000000001BEE0000-0x000000001BEF0000-memory.dmp

Filesize
64KB

Download
memory/3468-59-0x00007FF8A1000000-0x00007FF8A1AC1000-memory.dmp

Filesize
10.8MB

Download
memory/3764-15-0x0000000000DB0000-0x000000000153A000-memory.dmp

Filesize
7.5MB

Download
memory/3764-54-0x0000000000DB0000-0x000000000153A000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads