Overview

overview

10

Static

static

1

URLScan

urlscan

https://www.youtube....

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbHhTa2RYdVAtd2NaVDR4TUdqUDJqcngzcVU2Z3xBQ3Jtc0traDhZc0IzaEJQOTdDdmp6RVVjNTBSTmVlUG40ZjA2cUdBd3EtTm5PTmQzVk4tMzNYSnBBZm83dlRpVFZTYnVQalNLTXluMlEtZHliRW84NGdXR2tja0dPME9lMVNXMklIOUhobFNGNEFPY2lKNVpIaw&q=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1m7fM9UIs0mT0UxEmGt-F-5UyJ5NzzqsG%2Fview%3Fusp%3Dsharing&v=P2N_aDjlwMg

  • Sample

    240804-h55zfazblm

Score
10/10
phemedronexmrigdiscoveryevasionexecutionminerpersistencestealerupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://drive.usercontent.google.com/u/0/uc?id=1cOfdrYTcndJEY8uHrMnDtqUbkax07UMo&export=download

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7253527125:AAG2zbXlkuY33BxLSZk2mcohhToET22xkTM/sendDocument

Targets

    • Target

      https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbHhTa2RYdVAtd2NaVDR4TUdqUDJqcngzcVU2Z3xBQ3Jtc0traDhZc0IzaEJQOTdDdmp6RVVjNTBSTmVlUG40ZjA2cUdBd3EtTm5PTmQzVk4tMzNYSnBBZm83dlRpVFZTYnVQalNLTXluMlEtZHliRW84NGdXR2tja0dPME9lMVNXMklIOUhobFNGNEFPY2lKNVpIaw&q=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1m7fM9UIs0mT0UxEmGt-F-5UyJ5NzzqsG%2Fview%3Fusp%3Dsharing&v=P2N_aDjlwMg

    Score
    10/10
    phemedronexmrigdiscoveryevasionexecutionminerpersistencestealerupx

    • Phemedrone

      An information and wallet stealer written in C#.

      stealerphemedrone

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Creates new service(s)

      persistenceexecution

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Power Settings

1
T1653

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks