Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
08/03/2024, 02:09
Behavioral task
behavioral1
Sample
400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe
Resource
win10v2004-20240226-en
General
-
Target
400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe
-
Size
313KB
-
MD5
accf109edfa6ea05bb88505668ad8e28
-
SHA1
d3cb874e0db864d16b90a5a6ecac2651b2fc5c41
-
SHA256
400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39
-
SHA512
7a63951e9baba219769e1186c126dfe2fee5d8fc9e46000add310fb1e432118017b43cebff926e095da3a67b134307260024f02d9d055856268db407568287e7
-
SSDEEP
6144:kfdmxcbEKy9TVUfUnBfrmjlyRVLkJqJVpHO5CZ7Rm:kfdShVBfrmjsN/pf7Rm
Malware Config
Extracted
phemedrone
https://rakishevkenes.com/wp-admin/admin-ajax.php
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Detect binaries embedding considerable number of MFA browser extension IDs. 1 IoCs
resource yara_rule behavioral2/memory/4372-0-0x0000000000600000-0x0000000000654000-memory.dmp INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs -
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
resource yara_rule behavioral2/memory/4372-0-0x0000000000600000-0x0000000000654000-memory.dmp INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
resource yara_rule behavioral2/memory/4372-0-0x0000000000600000-0x0000000000654000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4372 400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe"C:\Users\Admin\AppData\Local\Temp\400471a357266923af7b64048acd77f3d132dd429c3ef8eae4ab5dfd6652fd39.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3056