phemedrone | e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067

General

Target

e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067.exe
Size

116KB
MD5

d7c8c6cd7db04ce18ee9e4a0289afddc
SHA1

d9d9ee56b77a195439208f557b461bb3913cb5cd
SHA256

e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067
SHA512

2adf43b1387803b8dff098881a21ad4afff96a8c6fdd0e1d73d2e502bf05eb35c083b4a0ec317eb1db541e6dea23c9b3ae17bd5b339c5aad641d4e2cd8f24c77
SSDEEP

3072:XsOklG1NOuyUGbDf8OIipwYCBxsU9uLsl:XWlGtyUG3fDIizCBxB9uL

Score

10^/10

phemedrone xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.0

C2

david-florist.gl.at.ply.gg:34674

Attributes

Install_directory
%Public%
install_file
USB.exe

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\launcher.exe	family_xworm
behavioral1/memory/2904-10-0x00000000002C0000-0x00000000002D8000-memory.dmp	family_xworm
behavioral1/memory/2944-47-0x0000000001130000-0x0000000001148000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2036 powershell.exe
2700 powershell.exe
788 powershell.exe

pid	process
2036	powershell.exe
2700	powershell.exe
788	powershell.exe

Drops startup file 2 IoCs

Processes:

launcher.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher.lnk	launcher.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher.lnk	launcher.exe

Executes dropped EXE 4 IoCs

Processes:

launcher.exeSync Center.exelauncher.exelauncher.exe

pid process

2904 launcher.exe
2060 Sync Center.exe
2944 launcher.exe
2576 launcher.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
2904	launcher.exe
2060	Sync Center.exe
2944	launcher.exe
2576	launcher.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

launcher.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\launcher = "C:\\Users\\Public\\launcher.exe"	launcher.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1436 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Sync Center.exepowershell.exepowershell.exepowershell.exe

pid process

2060 Sync Center.exe
2700 powershell.exe
788 powershell.exe
2036 powershell.exe

flow	ioc
4	ip-api.com

pid	process
1436	schtasks.exe

pid	process
2060	Sync Center.exe
2700	powershell.exe
788	powershell.exe
2036	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067.exelauncher.exeSync Center.exepowershell.exepowershell.exepowershell.exelauncher.exelauncher.exe

description	pid	process
Token: SeDebugPrivilege	2908	e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067.exe
Token: SeDebugPrivilege	2904	launcher.exe
Token: SeDebugPrivilege	2060	Sync Center.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2904	launcher.exe
Token: SeDebugPrivilege	2944	launcher.exe
Token: SeDebugPrivilege	2576	launcher.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067.exeSync Center.exelauncher.exetaskeng.exe

description	pid	process	target process
PID 2908 wrote to memory of 2904	2908	e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067.exe	launcher.exe
PID 2908 wrote to memory of 2904	2908	e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067.exe	launcher.exe
PID 2908 wrote to memory of 2904	2908	e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067.exe	launcher.exe
PID 2908 wrote to memory of 2060	2908	e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067.exe	Sync Center.exe
PID 2908 wrote to memory of 2060	2908	e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067.exe	Sync Center.exe
PID 2908 wrote to memory of 2060	2908	e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067.exe	Sync Center.exe
PID 2060 wrote to memory of 3032	2060	Sync Center.exe	WerFault.exe
PID 2060 wrote to memory of 3032	2060	Sync Center.exe	WerFault.exe
PID 2060 wrote to memory of 3032	2060	Sync Center.exe	WerFault.exe
PID 2904 wrote to memory of 2700	2904	launcher.exe	powershell.exe
PID 2904 wrote to memory of 2700	2904	launcher.exe	powershell.exe
PID 2904 wrote to memory of 2700	2904	launcher.exe	powershell.exe
PID 2904 wrote to memory of 788	2904	launcher.exe	powershell.exe
PID 2904 wrote to memory of 788	2904	launcher.exe	powershell.exe
PID 2904 wrote to memory of 788	2904	launcher.exe	powershell.exe
PID 2904 wrote to memory of 2036	2904	launcher.exe	powershell.exe
PID 2904 wrote to memory of 2036	2904	launcher.exe	powershell.exe
PID 2904 wrote to memory of 2036	2904	launcher.exe	powershell.exe
PID 2904 wrote to memory of 1436	2904	launcher.exe	schtasks.exe
PID 2904 wrote to memory of 1436	2904	launcher.exe	schtasks.exe
PID 2904 wrote to memory of 1436	2904	launcher.exe	schtasks.exe
PID 1856 wrote to memory of 2944	1856	taskeng.exe	launcher.exe
PID 1856 wrote to memory of 2944	1856	taskeng.exe	launcher.exe
PID 1856 wrote to memory of 2944	1856	taskeng.exe	launcher.exe
PID 1856 wrote to memory of 2576	1856	taskeng.exe	launcher.exe
PID 1856 wrote to memory of 2576	1856	taskeng.exe	launcher.exe
PID 1856 wrote to memory of 2576	1856	taskeng.exe	launcher.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067.exe
"C:\Users\Admin\AppData\Local\Temp\e55c163ede5ac0f0a6dfbe3bac2b68d4dc7384c8e4419b07544838161e3d8067.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'launcher.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\launcher.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "launcher" /tr "C:\Users\Public\launcher.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1436
- C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
  "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2060 -s 512
    3⤵
    PID:3032

C:\Windows\system32\taskeng.exe
taskeng.exe {737AA9BD-526D-4BA4-A0A4-951FB1063BAB} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Public\launcher.exe
  C:\Users\Public\launcher.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Users\Public\launcher.exe
  C:\Users\Public\launcher.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe

Filesize
121KB

MD5
7b6c19c2c8fc4ff9cc5b136f22cf490d

SHA1
e557a697a268c54a73aaffd02d25e54c4f601719

SHA256
cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353

SHA512
afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.exe

Filesize
73KB

MD5
47fb642b2c85bee2624d803bd1109dfe

SHA1
452157d77f861436c452ac20a8e48bfb562a7abc

SHA256
adf1dfef469dec04d134cee395017041155bde2d7ad89eb0ecd00a0343839268

SHA512
9b54b72602b27fb1ce22f3bb62dda748251be60f0ae61a7f35d2a39734dd207f8f638d09bc5fa0ba055110c67e058d39ccf927ed359ea1dae992a8c98efc4cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6d129186f06410a71b973e8bf02bebca

SHA1
e928074e380abf2ee9525290bb5d9747945bbdb5

SHA256
8c30c539af4a236e32bb2e2ea6801849f9d8c0d2c04572e58a737468544232a3

SHA512
cd560e073dd897414985ba07af5d6a99b2f359468677d7dce87c2416a38797560114e1725aa717f37f0a23ab6fe1e7d322fa8fe015f43933afd669f4dd31de18

Download Submit
memory/788-29-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/788-28-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2060-16-0x00000000001C0000-0x00000000001E4000-memory.dmp

Filesize
144KB

Download
memory/2700-21-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2700-22-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2904-10-0x00000000002C0000-0x00000000002D8000-memory.dmp

Filesize
96KB

Download
memory/2904-12-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2904-35-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-14-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-0-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/2908-2-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-1-0x0000000000290000-0x00000000002B4000-memory.dmp

Filesize
144KB

Download
memory/2944-47-0x0000000001130000-0x0000000001148000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads