General

Target: https://drive.usercontent.google.com/download?id=1-cRnsrAF5ik3zZkVKzImZCoVm0Bo07Ly&export=download&authuser=0&confirm=t&uuid=0904a1d0-67f9-428f-88c3-5f5a9dbf2fa2&at=APZUnTUyoxl_j-NXk0_P2Vbr8MK_%3A1723053475737
Sample: 240807-wkcn2svdnb
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.usercontent.google.com/download?id=1-cRnsrAF5ik3zZkVKzImZCoVm0Bo07Ly&export=download&authuser=0&confirm=t&uuid=0904a1d0-67f9-428f-88c3-5f5a9dbf2fa2&at=APZUnTUyoxl_j-NXk0_P2Vbr8MK_%3A1723053475737
Resource: win10v2004-20240802-en

Malware Config

Extracted: https://drive.usercontent.google.com/u/0/uc?id=1cOfdrYTcndJEY8uHrMnDtqUbkax07UMo&export=download
Extracted: phemedrone
  https://api.telegram.org/bot7253527125:AAG2zbXlkuY33BxLSZk2mcohhToET22xkTM/sendDocument
Targets

Target: https://drive.usercontent.google.com/download?id=1-cRnsrAF5ik3zZkVKzImZCoVm0Bo07Ly&export=download&authuser=0&confirm=t&uuid=0904a1d0-67f9-428f-88c3-5f5a9dbf2fa2&at=APZUnTUyoxl_j-NXk0_P2Vbr8MK_%3A1723053475737

- XMRig Miner payload
- Blocklisted process makes network request
- Creates new service(s)
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Power Settings: powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter: 1
  - PowerShell: 1
- System Services: 2
  - Service Execution: 2

Discovery
- Browser Information Discovery: 1
- Peripheral Device Discovery: 1
- Query Registry: 4
- Remote System Discovery: 1
- System Information Discovery: 3
- System Location Discovery: 1
  - System Language Discovery: 1
- System Network Configuration Discovery: 1
  - Internet Connection Discovery: 1