Analysis Overview
SHA256
201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97
Threat Level: Known bad
The file 201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe was found to be: Known bad.
Malicious Activity Summary
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Phemedrone
Detect binaries embedding considerable number of MFA browser extension IDs.
Phemedrone family
Detect binaries embedding considerable number of MFA browser extension IDs.
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-19 01:09
Signatures
Detect binaries embedding considerable number of MFA browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phemedrone family
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 01:09
Reported
2024-06-19 01:11
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Phemedrone
Detect binaries embedding considerable number of MFA browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command\ | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2252 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | C:\Windows\system32\WerFault.exe |
| PID 2252 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | C:\Windows\system32\WerFault.exe |
| PID 2252 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe
"C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2252 -s 636
Network
Files
memory/2252-0-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp
memory/2252-1-0x0000000000190000-0x00000000001BA000-memory.dmp
memory/2252-2-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp
memory/2252-3-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp
memory/2252-4-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 01:09
Reported
2024-06-19 01:11
Platform
win10v2004-20240611-en
Max time kernel
135s
Max time network
142s
Command Line
Signatures
Phemedrone
Detect binaries embedding considerable number of MFA browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\ms-settings\shell\open\command | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\ms-settings | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\ms-settings\shell | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\ms-settings\shell\open | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\ms-settings\shell\open\command\ | C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe
"C:\Users\Admin\AppData\Local\Temp\201453afc1cceb1da21a6a87a6921cb99d843ae93be6fd8c2c84d4e6cf025c97.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/2540-0-0x000001BC3FCE0000-0x000001BC3FD0A000-memory.dmp
memory/2540-1-0x00007FFA8DB53000-0x00007FFA8DB55000-memory.dmp
memory/2540-2-0x00007FFA8DB50000-0x00007FFA8E611000-memory.dmp
memory/2540-3-0x00007FFA8DB50000-0x00007FFA8E611000-memory.dmp