Analysis
-
max time kernel
121s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
11-10-2023 23:00
General
-
Target
2Elynyru.exe
-
Size
1.7MB
-
MD5
6c8965f1d56a93b0bf67780f7c2fa965
-
SHA1
c3beaf2bf36e40c5e1afb3c0e879ae1d25f02922
-
SHA256
52817df4b19ffc52e81384b3117888fc053326b9635152fcbd7ca62d00801887
-
SHA512
6693d6851842c3693b4fb866e97de0c3e560a5c1776fab6ffae17af5c814b723f5284f756cdc396149645a61821a698548ef159dd424b85e5842d4d74cf84b22
-
SSDEEP
49152:WBRmRJuZoLIEk0zZVACftmxN4akoFc0y6sFzxT:WZ/R0VAMmx/FldsdT
Malware Config
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2Elynyru.exe"C:\Users\Admin\AppData\Local\Temp\2Elynyru.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
296KB
-
Filesize
256KB
-
Filesize
296KB
-
Filesize
6.9MB
-
Filesize
4.3MB
-
Filesize
512KB
-
Filesize
4.3MB
-
Filesize
56KB
-
Filesize
1.1MB
-
Filesize
92KB
-
Filesize
512KB
-
Filesize
4.3MB
-
Filesize
44KB
-
Filesize
960KB
-
Filesize
816KB
-
Filesize
52KB
-
Filesize
328KB
-
Filesize
352KB
-
Filesize
4.3MB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
816KB
-
Filesize
6.9MB
-
Filesize
352KB
-
Filesize
960KB
-
Filesize
8KB
-
Filesize
4.3MB
-
Filesize
296KB
-
Filesize
36KB
-
Filesize
52KB
-
Filesize
156KB
-
Filesize
6.9MB
-
Filesize
92KB
-
Filesize
1.1MB
-
Filesize
512KB
-
Filesize
44KB
-
Filesize
328KB
-
Filesize
960KB
-
Filesize
352KB
-
Filesize
816KB
-
Filesize
56KB