Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 18-06-2024 19:17
Behavioral task: behavioral1
Sample: 571878c5dbb5200509fddc36d7c01643.exe
Resource: win7-20240419-en (windows7-x64)
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 571878c5dbb5200509fddc36d7c01643.exe
Resource: win10v2004-20240508-en (windows10-2004-x64)
2 signatures, 150 seconds
General
Target: 571878c5dbb5200509fddc36d7c01643.exe
Size: 194KB
MD5: 571878c5dbb5200509fddc36d7c01643
SHA1: 85812f73a4857c3dbf52f7f33bde08fae9ac730c
SHA256: 201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97
SHA512: df6af844fe158ee31988a0f49fc20b2a15a9812fb9cb4fec569900a486e5af4ebff84d6db8229f96175ebee7a114c1285e625320342bb61c8aaee9200e6b8e89
SSDEEP: 6144:UsbxzQ/mrGZw/uWJbGF7REKQ1TLRSSXBHDUfp90k:fQ+yZw/CM1/RxXB4fp90k
Score: 10/10
Malware Config
Signatures
- Phemedrone
  An information and wallet stealer written in C#.
- Modifies registry class (5 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ms-settings\shell\open | 571878c5dbb5200509fddc36d7c01643.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ms-settings\shell\open\command\ | 571878c5dbb5200509fddc36d7c01643.exe
  Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ms-settings\shell\open\command | 571878c5dbb5200509fddc36d7c01643.exe
  Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ms-settings | 571878c5dbb5200509fddc36d7c01643.exe
  Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\ms-settings\shell | 571878c5dbb5200509fddc36d7c01643.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 2944 wrote to memory of 2348 | 2944 | 571878c5dbb5200509fddc36d7c01643.exe | WerFault.exe
  PID 2944 wrote to memory of 2348 | 2944 | 571878c5dbb5200509fddc36d7c01643.exe | WerFault.exe
  PID 2944 wrote to memory of 2348 | 2944 | 571878c5dbb5200509fddc36d7c01643.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\571878c5dbb5200509fddc36d7c01643.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\571878c5dbb5200509fddc36d7c01643.exe"
  PID: 2944
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (child process)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2944 -s 636
    PID: 2348
Network
MITRE ATT&CK Matrix
Downloads
- memory/2944-0-0x000007FEF5F53000-0x000007FEF5F54000-memory.dmp (Filesize: 4KB)
- memory/2944-1-0x0000000000D50000-0x0000000000D7A000-memory.dmp (Filesize: 168KB)
- memory/2944-2-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp (Filesize: 9.9MB)
- memory/2944-3-0x000007FEF5F53000-0x000007FEF5F54000-memory.dmp (Filesize: 4KB)
- memory/2944-4-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp (Filesize: 9.9MB)