phemedrone | 685231e2f096d41dd68be99374efd124a4c4ff316725dcddaab560dd928d0aea

General

Target

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Size

144KB
MD5

319218e4eb0d6637a76668a228e32de3
SHA1

20523303d722a7747deb6154a5d4401e1b932d56
SHA256

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358
SHA512

db3d1637c178bdf3c8c5b754fe72c388a3da176b2d0a7727e89f2c257bcb93b1574eda1de7f6ea25e493949f47157c07637fbe1169fe6c9481cc42d925293fe6
SSDEEP

3072:HGNhvhNC38S7gzQ/cmD4ULz82nyLOLt/w/HOWJbG5vcX+skwEKEAm31D5:EzQ/2my2w/uWJbGFsREKQ1

Score

10^/10

phemedrone execution persistence spyware stealer

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2512	powershell.exe
2740	powershell.exe
2244	powershell.exe
2808	powershell.exe
2268	powershell.exe
1780	powershell.exe
296	powershell.exe
2028	powershell.exe
2672	powershell.exe
1136	powershell.exe
852	powershell.exe
2776	powershell.exe
2372	powershell.exe
1804	powershell.exe
1724	powershell.exe
2544	powershell.exe
1968	powershell.exe
2520	powershell.exe
2560	powershell.exe
2916	powershell.exe
3068	powershell.exe
2428	powershell.exe
576	powershell.exe
1856	powershell.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe"	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	ip-api.com

Modifies registry class 5 IoCs

Processes:

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command\	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

powershell.exepowershell.exe3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2544	powershell.exe
2672	powershell.exe
2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
576	powershell.exe
1856	powershell.exe
1968	powershell.exe
1136	powershell.exe
2268	powershell.exe
852	powershell.exe
2520	powershell.exe
2560	powershell.exe
2916	powershell.exe
2776	powershell.exe
296	powershell.exe
2372	powershell.exe
1804	powershell.exe
1780	powershell.exe
3068	powershell.exe
1724	powershell.exe
2428	powershell.exe
2512	powershell.exe
2028	powershell.exe
2740	powershell.exe
2244	powershell.exe
2808	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2676 wrote to memory of 2608	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2608	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2608	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2644	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2644	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2644	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2608 wrote to memory of 2544	2608	cmd.exe	powershell.exe
PID 2608 wrote to memory of 2544	2608	cmd.exe	powershell.exe
PID 2608 wrote to memory of 2544	2608	cmd.exe	powershell.exe
PID 2644 wrote to memory of 2672	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 2672	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 2672	2644	cmd.exe	powershell.exe
PID 2676 wrote to memory of 580	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 580	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 580	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 1492	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 1492	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 1492	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 580 wrote to memory of 576	580	cmd.exe	powershell.exe
PID 580 wrote to memory of 576	580	cmd.exe	powershell.exe
PID 580 wrote to memory of 576	580	cmd.exe	powershell.exe
PID 1492 wrote to memory of 1856	1492	cmd.exe	powershell.exe
PID 1492 wrote to memory of 1856	1492	cmd.exe	powershell.exe
PID 1492 wrote to memory of 1856	1492	cmd.exe	powershell.exe
PID 2676 wrote to memory of 2272	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2272	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2272	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2892	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2892	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2892	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2272 wrote to memory of 1968	2272	cmd.exe	powershell.exe
PID 2272 wrote to memory of 1968	2272	cmd.exe	powershell.exe
PID 2272 wrote to memory of 1968	2272	cmd.exe	powershell.exe
PID 2892 wrote to memory of 1136	2892	cmd.exe	powershell.exe
PID 2892 wrote to memory of 1136	2892	cmd.exe	powershell.exe
PID 2892 wrote to memory of 1136	2892	cmd.exe	powershell.exe
PID 2676 wrote to memory of 1704	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 1704	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 1704	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 308	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 308	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 308	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1704 wrote to memory of 2268	1704	cmd.exe	powershell.exe
PID 1704 wrote to memory of 2268	1704	cmd.exe	powershell.exe
PID 1704 wrote to memory of 2268	1704	cmd.exe	powershell.exe
PID 308 wrote to memory of 852	308	cmd.exe	powershell.exe
PID 308 wrote to memory of 852	308	cmd.exe	powershell.exe
PID 308 wrote to memory of 852	308	cmd.exe	powershell.exe
PID 2676 wrote to memory of 2972	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2972	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2972	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 3008	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 3008	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 3008	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 3008 wrote to memory of 2520	3008	cmd.exe	powershell.exe
PID 3008 wrote to memory of 2520	3008	cmd.exe	powershell.exe
PID 3008 wrote to memory of 2520	3008	cmd.exe	powershell.exe
PID 2972 wrote to memory of 2560	2972	cmd.exe	powershell.exe
PID 2972 wrote to memory of 2560	2972	cmd.exe	powershell.exe
PID 2972 wrote to memory of 2560	2972	cmd.exe	powershell.exe
PID 2676 wrote to memory of 2608	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2608	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2608	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2676 wrote to memory of 2444	2676	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
"C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:3048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2872

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0SZINSYVO06BU2PCUC71.temp
Filesize
7KB

MD5
9243d4555a79527f9f1bf91a5df3d9c8

SHA1
dde26f809bd338a12fbf0682379a092c29d1455f

SHA256
c3b75df78779326ee7cdc9593e0ee06d1470d82863ffdd7ad684873097d686e3

SHA512
beeb55671e2ef017bb4e404dd3c69a7e2ba9d7b6eda963d0f5a474f46459ffe9b3adc5229189ea5892844dba3055f21852000f482b1177a41b6344b8c0c88dd3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
d9807803163be94e9b7ac770aac0e8b8

SHA1
02468c771633a90bcb94d184396e2589971b01b9

SHA256
0ed950d197c0f55cf9884b331daa001e0f2199f82ef24251b37efc3c17b3ba29

SHA512
5ad8c2df8803d700f6a4cb35e0efcf8361b15471dd9854d4ea84358d98c78fe554f294b57ead339ae102689462e9b7b28d7a7a26918ad26616798fb4975447af

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/576-28-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/576-29-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2544-9-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2544-10-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2676-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2676-1-0x00000000010E0000-0x000000000110A000-memory.dmp

Filesize
168KB

Download
memory/2676-2-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2676-3-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2676-4-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads