Analysis
-
max time kernel
140s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
06-09-2024 17:29
Static task
static1
Behavioral task
behavioral1
Sample
88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe
Resource
win10v2004-20240802-en
General
-
Target
88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe
-
Size
2.5MB
-
MD5
ca62296a0cc72100cffc593341d7a16f
-
SHA1
99564c5ef198c932e322d6f79eb108f38744c291
-
SHA256
88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3
-
SHA512
b46f471d679449b9db0efa4a17454e6455b640ef9f3037d640300ac0a029a058c90cfdd9edc57064d8a65873988835fd0b8807ad948863859e6d70bd628b7779
-
SSDEEP
49152:Ym2S3vX223l/EgY8LEvE0wPV9ZbfOeirG8QQHFdpqqDf9SEt:Ym2S/RVjfLEvYfNSGovf9Pt
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7211678746:AAHAXg0HcpRkdl1oL31ijx8YDZHO7dYfOlQ/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2552 88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe 2552 88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2856 2552 WerFault.exe 29 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2552 88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2552 88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2552 wrote to memory of 2856 2552 88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe 32 PID 2552 wrote to memory of 2856 2552 88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe 32 PID 2552 wrote to memory of 2856 2552 88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe 32 PID 2552 wrote to memory of 2856 2552 88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe"C:\Users\Admin\AppData\Local\Temp\88ae0b3839bd67b6b814a1cd63d92d77099acbd1d53a26f84c03bf12e10d8ac3.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 6882⤵
- Program crash
PID:2856
-