phemedrone | 3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b

Analysis

max time kernel
41s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 04:32

Target

3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe
Size

467KB
MD5

8b18a070fb632bbcdfe00c8a35922470
SHA1

3b44e9ccfe470a70a05ebbf007a4abc928d27d39
SHA256

3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b
SHA512

c90b9a6722407bb5cdaedbfbc297853f2b4bd46368f087c16b988d7683d03ce5f6002a798562512092452ba00bebba0c209a353154642f7ea34596b9ad4296ba
SSDEEP

12288:3B4sNhwBBy9e4/BrrhMfNQJSaEuP7UgajSMq56v5LwLMycuVlGamrplaQLmfhS0h:x4uhygrrhtMu

Score

10^/10

Family

phemedrone

https://api.telegram.org/bot7274515778:AAEx4SxiDLjUG8dht4Cac1HVmxqTSwD_yL4/sendDocument

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Loads dropped DLL 1 IoCs

Processes:

3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe

pid process

4020 3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe

pid	process
4020	3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe

description	pid	process	target process
PID 4020 set thread context of 1524	4020	3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe	MSBuild.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3836 1524 WerFault.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid process

1524 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1524 MSBuild.exe

pid	pid_target	process	target process
3836	1524	WerFault.exe	MSBuild.exe

pid	process
1524	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1524	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe

description	pid	process	target process
PID 4020 wrote to memory of 1524	4020	3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe	MSBuild.exe
PID 4020 wrote to memory of 1524	4020	3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe	MSBuild.exe
PID 4020 wrote to memory of 1524	4020	3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe	MSBuild.exe
PID 4020 wrote to memory of 1524	4020	3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe	MSBuild.exe
PID 4020 wrote to memory of 1524	4020	3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe	MSBuild.exe
PID 4020 wrote to memory of 1524	4020	3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe	MSBuild.exe
PID 4020 wrote to memory of 1524	4020	3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe	MSBuild.exe
PID 4020 wrote to memory of 1524	4020	3575d7a34763ac830acebe23a70adc31d14aefcaa7587948794f67ae663bc64b_NeikiAnalytics.exe	MSBuild.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1600
3⤵
- Program crash
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1524 -ip 1524
1⤵
PID:4808

C:\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
242KB

MD5
0d81ba562424e2881c908c320f57a0ef

SHA1
488d6e93f97f20f42ad7c3c0156cf8bad561f8d0

SHA256
fc95c0e8ff45f1a7c5920d564a452b25fce96202b628f7d0c44183f8dc365188

SHA512
5ecc222ab1fc19aab8882893f71fa7b985f3f1a85b0cc7faeef1c2e1d5a9123ac81a3cb7497091d0aac4ea869632771fdf1e2f6df58e40f34ddf5839ae32fc28

Download Submit
memory/1524-15-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/1524-9-0x0000000000560000-0x0000000000584000-memory.dmp

Filesize
144KB

Download
memory/1524-13-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1524-14-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1524-16-0x0000000004C80000-0x0000000004CE6000-memory.dmp

Filesize
408KB

Download
memory/1524-17-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/4020-2-0x00000000010F0000-0x00000000010F6000-memory.dmp

Filesize
24KB

Download
memory/4020-1-0x0000000000650000-0x00000000006CE000-memory.dmp

Filesize
504KB

Download
memory/4020-11-0x00000000773F1000-0x0000000077511000-memory.dmp

Filesize
1.1MB

Download
memory/4020-12-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/4020-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/4020-18-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download