Overview

overview

10

Static

static

3

2Elynyru.exe

windows7-x64

10

2Elynyru.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 22:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2Elynyru.exe

  • Size

    1.7MB

  • MD5

    6c8965f1d56a93b0bf67780f7c2fa965

  • SHA1

    c3beaf2bf36e40c5e1afb3c0e879ae1d25f02922

  • SHA256

    52817df4b19ffc52e81384b3117888fc053326b9635152fcbd7ca62d00801887

  • SHA512

    6693d6851842c3693b4fb866e97de0c3e560a5c1776fab6ffae17af5c814b723f5284f756cdc396149645a61821a698548ef159dd424b85e5842d4d74cf84b22

  • SSDEEP

    49152:WBRmRJuZoLIEk0zZVACftmxN4akoFc0y6sFzxT:WZ/R0VAMmx/FldsdT

Score
10/10
phemedroneevasionspywarestealer

Malware Config

Signatures

  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2Elynyru.exe
    "C:\Users\Admin\AppData\Local\Temp\2Elynyru.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 2808
      2⤵
      • Program crash
      PID:3068
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:540
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4624 -ip 4624
      1⤵
        PID:4764

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4624-0-0x0000000000410000-0x0000000000866000-memory.dmp

        Filesize

        4.3MB

        Download

      • memory/4624-1-0x0000000077E94000-0x0000000077E96000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4624-2-0x0000000074C80000-0x0000000075430000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4624-3-0x0000000000410000-0x0000000000866000-memory.dmp

        Filesize

        4.3MB

        Download

      • memory/4624-4-0x0000000000410000-0x0000000000866000-memory.dmp

        Filesize

        4.3MB

        Download

      • memory/4624-5-0x0000000007810000-0x0000000007820000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4624-6-0x0000000007640000-0x00000000076D2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4624-7-0x0000000000410000-0x0000000000866000-memory.dmp

        Filesize

        4.3MB

        Download

      • memory/4624-9-0x0000000008140000-0x00000000081A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4624-10-0x0000000074C80000-0x0000000075430000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4624-16-0x0000000000410000-0x0000000000866000-memory.dmp

        Filesize

        4.3MB

        Download

      • memory/4624-17-0x0000000074C80000-0x0000000075430000-memory.dmp

        Filesize

        7.7MB

        Download