Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/07/2024, 22:31 UTC

General

  • Target

    ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe

  • Size

    111KB

  • MD5

    6c2c7ef5b5716d674991e364750ff233

  • SHA1

    abce149b0532326458909c21e6e13063a92f3251

  • SHA256

    ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73

  • SHA512

    cf673f324030bb23bfce9e09d3c8d10ceb108fb962557a141f1200d31e89ec4e4c1654d3d6c0657eb38ba4942ab0cc6a7bfffd6159c8d989214c6b94350113ea

  • SSDEEP

    1536:L66Cxsr7any9okBEO623Dnii5/u/TMhDLLUfmK5eR+2yMV:Qx6any1EO623/5G/Q1LQmK5eRFt

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6861530662:AAFueJRxaIZGz_oVT2-CVuuL9N0MRsh-5_Y/sendDocument
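The extracted C2 above is a Telegram Bot API endpoint: everything after `/bot` up to the next `/` is the bot token (numeric bot ID, a colon, then the secret), and the trailing path element is the Bot API method the stealer calls, here `sendDocument`, i.e. a file upload. The helper below, an added example written for this report and not code from tria.ge or from the Phemedrone family, pulls those fields out of a config value or a free-text strings dump, flags methods that can carry stolen data, and produces a defanged, token-masked form for tickets. The 35-character secret length and the `EXFIL_METHODS` list are assumptions chosen for the example.

```python
import re
from typing import Optional

# Constructed from the C2 value in this report's extracted config.
SAMPLE_C2 = "https://api.telegram.org/bot6861530662:AAFueJRxaIZGz_oVT2-CVuuL9N0MRsh-5_Y/sendDocument"

# Bot API URL layout: https://api.telegram.org/bot<bot_id>:<secret>/<method>[?query]
# The 35-character secret matches tokens issued today (assumption: widen the quantifier if that changes).
TELEGRAM_BOT_URL = re.compile(
    r"https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})"
    r"/(?P<method>[A-Za-z]+)(?:\?[^\s\"'<>]*)?"
)

# Bot API methods that carry attacker-bound payloads (assumed list); sendDocument is what this sample uses.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


def parse_telegram_c2(url: str) -> Optional[dict]:
    """Split a Bot API C2 URL into bot id, secret and method; None if it is not one."""
    m = TELEGRAM_BOT_URL.fullmatch(url.strip())
    if m is None:
        return None
    d = m.groupdict()
    d["token"] = f"{d['bot_id']}:{d['secret']}"   # the value you report to Telegram or block on
    d["exfil"] = d["method"] in EXFIL_METHODS
    return d


def find_telegram_c2(blob: str) -> list:
    """Pull every Bot API URL out of free text (strings output, a decoded config, a memory dump)."""
    return [parse_telegram_c2(m.group(0)) for m in TELEGRAM_BOT_URL.finditer(blob)]


def defang(parsed: dict, keep: int = 4) -> str:
    """Ticket-safe form: hxxps, bracketed dots, only the first `keep` secret chars left visible."""
    masked = parsed["secret"][:keep] + "*" * (len(parsed["secret"]) - keep)
    return f"hxxps://api[.]telegram[.]org/bot{parsed['bot_id']}:{masked}/{parsed['method']}"


if __name__ == "__main__":
    cfg = parse_telegram_c2(SAMPLE_C2)
    print(defang(cfg), "exfil-capable method" if cfg["exfil"] else "non-exfil method")
```

Because the bot token is the only credential the operator has for this channel, the full token (not the defanged copy) is what to submit when reporting the bot to Telegram; keep the masked form for everything that gets pasted into shared tooling.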

Signatures

  • Phemedrone

    An information and wallet stealer written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
    "C:\Users\Admin\AppData\Local\Temp\ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2528 -s 2336
      2⤵
        PID:2788
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2872

      Network

      • US
        DNS
        get.geojs.io
        ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
        Remote address:
        8.8.8.8:53
        Request
        get.geojs.io
        IN A
        Response
        get.geojs.io
        IN A
        172.67.70.233
        get.geojs.io
        IN A
        104.26.1.100
        get.geojs.io
        IN A
        104.26.0.100
      • US
        GET
        https://get.geojs.io/v1/ip/geo.json
        ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
        Remote address:
        172.67.70.233:443
        Request
        GET /v1/ip/geo.json HTTP/1.1
        Host: get.geojs.io
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Sun, 07 Jul 2024 22:31:20 GMT
        Content-Type: application/json
        Transfer-Encoding: chunked
        Connection: keep-alive
        x-request-id: 70526e74c814c78166ca2bd51b1222d6-AMS
        strict-transport-security: max-age=15552000; includeSubDomains; preload
        access-control-allow-origin: *
        access-control-allow-methods: GET
        pragma: no-cache
        Cache-Control: no-store, no-cache, must-revalidate, private, max-age=0
        x-geojs-location: AMS
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0A212A5ptT13dppL0OX5vyx721Y%2FeXS3bMTZp1cMCZE8SXWL3So9NUI1NEvIexG%2Bte%2FQVB7S1eQPvu4pqcD1AG4FeRTp73kgp0k52zP6o2OLnWO%2BJZWNuItz4ZPH4w%3D%3D"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Content-Type-Options: nosniff
        Server: cloudflare
        CF-RAY: 89fb48bdfe4d774f-LHR
        alt-svc: h3=":443"; ma=86400
      • US
        DNS
        api.telegram.org
        ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
        Remote address:
        8.8.8.8:53
        Request
        api.telegram.org
        IN A
        Response
        api.telegram.org
        IN A
        149.154.167.220
      • 172.67.70.233:443
        https://get.geojs.io/v1/ip/geo.json
        tls, http
        ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
        723 B
        6.2kB
        8
        9

        HTTP Request

        GET https://get.geojs.io/v1/ip/geo.json

        HTTP Response

        200
      • 149.154.167.220:443
        api.telegram.org
        tls
        ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
        388 B
        219 B
        5
        5
      • 8.8.8.8:53
        get.geojs.io
        dns
        ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
        58 B
        106 B
        1
        1

        DNS Request

        get.geojs.io

        DNS Response

        172.67.70.233
        104.26.1.100
        104.26.0.100

      • 8.8.8.8:53
        api.telegram.org
        dns
        ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe
        62 B
        78 B
        1
        1

        DNS Request

        api.telegram.org

        DNS Response

        149.154.167.220
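Read together, the network entries above show the sequence a Telegram-exfil stealer produces: the sample resolves and fetches get.geojs.io/v1/ip/geo.json (the victim's public IP and country, used to tag the upload), then resolves api.telegram.org and opens a TLS session to it. The sandbox decoded the geojs.io request but shows the Telegram session as TLS only, so in a real environment the second host comes from DNS correlation or the TLS SNI, not from an HTTP log. The snippet below, an added example that is not part of the tria.ge report, runs that correlation over constructed events shaped like this report's entries: alert when one process contacts a public-IP geolocation service and then, within a short window, connects to api.telegram.org. The benign cases (a chat client with no geolocation lookup, a program that only geolocates, and the two hosts contacted by different processes) are included so the rule is shown not to fire on them. The extra hosts in `GEOIP_HOSTS` are an assumed watch-list, not taken from the report.

```python
from collections import defaultdict
from typing import Dict, List

SAMPLE = "ad9c3a743ab48629ef8b02e26c82cb0f497669d8ae3b236758f997f695e78c73.exe"

# Public-IP geolocation endpoints stealers call to tag the victim before exfil.
# get.geojs.io is the one in this report; the others are an assumed watch-list.
GEOIP_HOSTS = {"get.geojs.io", "ip-api.com", "ipinfo.io", "api.ipify.org"}
# Exfil channel named in the extracted config.
EXFIL_HOSTS = {"api.telegram.org"}

# Constructed events in the shape of the report's Network section (t = seconds into the run).
EVENTS = [
    {"t": 0.0,  "pid": 2528, "proc": SAMPLE,         "kind": "dns",  "host": "get.geojs.io"},
    {"t": 0.4,  "pid": 2528, "proc": SAMPLE,         "kind": "http", "host": "get.geojs.io"},
    {"t": 1.1,  "pid": 2528, "proc": SAMPLE,         "kind": "dns",  "host": "api.telegram.org"},
    {"t": 1.5,  "pid": 2528, "proc": SAMPLE,         "kind": "tls",  "host": "api.telegram.org"},
    # a chat client talking to Telegram with no prior geolocation lookup must not fire
    {"t": 30.0, "pid": 3100, "proc": "Telegram.exe", "kind": "tls",  "host": "api.telegram.org"},
    # a program that only geolocates must not fire either
    {"t": 40.0, "pid": 3200, "proc": "weather.exe",  "kind": "http", "host": "get.geojs.io"},
    # same pair of hosts but from two different processes: no single-process chain, no alert
    {"t": 50.0, "pid": 3300, "proc": "a.exe",        "kind": "http", "host": "ipinfo.io"},
    {"t": 51.0, "pid": 3400, "proc": "b.exe",        "kind": "tls",  "host": "api.telegram.org"},
]


def geo_then_exfil(events: List[Dict], window: float = 60.0) -> List[Dict]:
    """Alert once per PID that contacts a geo-IP service and then, within `window`
    seconds, opens a non-DNS connection to an exfil host. DNS-only events are ignored
    on both sides because a resolver lookup says nothing about who uses the answer."""
    by_pid: Dict[int, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_pid[e["pid"]].append(e)

    alerts = []
    for pid, evs in by_pid.items():
        geo_times = [e["t"] for e in evs if e["host"] in GEOIP_HOSTS and e["kind"] != "dns"]
        for e in evs:
            if e["kind"] == "dns" or e["host"] not in EXFIL_HOSTS:
                continue
            prior = [g for g in geo_times if 0 <= e["t"] - g <= window]
            if prior:
                alerts.append({"pid": pid, "proc": e["proc"],
                               "geo_at": min(prior), "exfil_at": e["t"],
                               "rule": "geoip-lookup-then-telegram"})
                break   # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for a in geo_then_exfil(EVENTS):
        print(a)
```

One caveat when reading this particular run: the process tree shows WerFault.exe launched with `-p 2528`, the sample's PID, so the stealer faulted during the run, and the Telegram session (388 B out, 219 B in, five packets each way) is consistent with little more than a handshake. Treat the chain as the indicator, not the byte counts; a run on a host where the sample does not crash will show a much larger upload on the same host pair.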

      MITRE ATT&CK Enterprise v15

      Downloads

      • memory/2528-0-0x000007FEF5203000-0x000007FEF5204000-memory.dmp

        Filesize

        4KB

      • memory/2528-1-0x0000000000230000-0x0000000000252000-memory.dmp

        Filesize

        136KB

      • memory/2528-2-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

        Filesize

        9.9MB

      • memory/2528-3-0x000007FEF5203000-0x000007FEF5204000-memory.dmp

        Filesize

        4KB

      • memory/2528-4-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

        Filesize

        9.9MB
