Analysis
max time kernel: 55s
max time network: 52s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-04-2024 23:20
Behavioral task behavioral1
Sample: Zuma Deluxe.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: Zuma Deluxe.exe
Resource: win10v2004-20240419-en
General
Target: Zuma Deluxe.exe
Size: 6.9MB
MD5: 0d7243c3e9eefa5e30c04453623c9182
SHA1: f53f043451ad77189616ef823d9d27c9f089a8f7
SHA256: 08f9ea9a663a5d463b017f8829a8ae6f875f75653433099f803c82188270eae0
SHA512: bc40fd2dfdb764161f185932b49727c8545456e1c0f2060801095fa7f4ed0d1d0eadba9e425d6ec000bc06977766d94ad637ea231642475d8531e2c94a6c442b
SSDEEP: 6144:nHdmxc2EKy9TVDbTi+TAJigC8tYQztwNTOcaOPgOEU20Rz:nHdSyDP4YQRwJOcFPgO1
Malware Config
Extracted (phemedrone): https://rakishevkenes.com/wp-admin/admin-ajax.php
Signatures
- Phemedrone
  An information and wallet stealer written in C#.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network: flow 1, ioc ip-api.com
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes: Zuma Deluxe.exe (pid 1636), 26 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Zuma Deluxe.exe (pid 1636), Token: SeDebugPrivilege
Downloads
memory/1636-0-0x0000000000DA0000-0x0000000000DFA000-memory.dmp (Filesize 360KB)
memory/1636-1-0x00007FF986560000-0x00007FF987021000-memory.dmp (Filesize 10.8MB)
memory/1636-2-0x000000001BDC0000-0x000000001BDD0000-memory.dmp (Filesize 64KB)
memory/1636-3-0x00007FF986560000-0x00007FF987021000-memory.dmp (Filesize 10.8MB)
memory/1636-4-0x000000001BDC0000-0x000000001BDD0000-memory.dmp (Filesize 64KB)
memory/1636-5-0x00007FF986560000-0x00007FF987021000-memory.dmp (Filesize 10.8MB)