phemedrone | 3c74b4676f493cabec4327fc8f9f95a4e1755d3f7d1e156dc076b5915495682b

General

Target

XBinderOutput.exe
Size

269KB
MD5

8b45e5989e41d1512ab5aeb7e79a0646
SHA1

bb5eac66225b3fda93ad83a1eb5d98ace5b9c6d4
SHA256

3c74b4676f493cabec4327fc8f9f95a4e1755d3f7d1e156dc076b5915495682b
SHA512

c753483cd538e856e894e0b4d5d9211b07e17b02209bc463d6afc5e645e627b2385ee46b8a8c7825eda617e20fd6b318750d878e3fc7a9f3d1ff0a83b44064af
SSDEEP

6144:gDixhyqtRZ2XdRB3XjdOwkL1xOnD+Y96xf6TUIa1bq/KMw:gmxhHtRZqdRB3zEjLPPf6J

Score

10^/10

phemedrone xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7375773294:AAFZUnpXCxGuVizu2hOj5WMYl9ULnbeqZ6c/sendDocument

Extracted

Family

xworm

Version

5.0

C2

89.31.122.114:1488

Mutex

8hQA9bqDdqRhTokn

Attributes

Install_directory
%LocalAppData%
install_file
Microsoft Teams.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\svchost.exe	family_xworm
behavioral1/memory/2732-33-0x0000000000A40000-0x0000000000A50000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2280 powershell.exe
2492 powershell.exe
1320 powershell.exe
1776 powershell.exe
2856 powershell.exe
2956 powershell.exe

pid	process
2280	powershell.exe
2492	powershell.exe
1320	powershell.exe
1776	powershell.exe
2856	powershell.exe
2956	powershell.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Teams.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Teams.lnk	svchost.exe

Executes dropped EXE 3 IoCs

Processes:

Parynah.exelauncher.exesvchost.exe

pid process

2900 Parynah.exe
2332 launcher.exe
2732 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

XBinderOutput.exe

pid process

1680 XBinderOutput.exe
2880
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
2900	Parynah.exe
2332	launcher.exe
2732	svchost.exe

pid	process
1680	XBinderOutput.exe
2880

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XBinderOutput.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	XBinderOutput.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Teams = "C:\\Users\\Admin\\AppData\\Local\\Microsoft Teams.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parynah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Parynah.exe"	XBinderOutput.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

548 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1776 powershell.exe
2856 powershell.exe
2956 powershell.exe
2280 powershell.exe
2492 powershell.exe
1320 powershell.exe

flow	ioc
9	ip-api.com

pid	process
548	timeout.exe

pid	process
1776	powershell.exe
2856	powershell.exe
2956	powershell.exe
2280	powershell.exe
2492	powershell.exe
1320	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exesvchost.exeParynah.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2732	svchost.exe
Token: SeDebugPrivilege	2900	Parynah.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	2732	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

XBinderOutput.exelauncher.exeParynah.exesvchost.execmd.exe

description	pid	process	target process
PID 1680 wrote to memory of 1776	1680	XBinderOutput.exe	powershell.exe
PID 1680 wrote to memory of 1776	1680	XBinderOutput.exe	powershell.exe
PID 1680 wrote to memory of 1776	1680	XBinderOutput.exe	powershell.exe
PID 1680 wrote to memory of 2900	1680	XBinderOutput.exe	Parynah.exe
PID 1680 wrote to memory of 2900	1680	XBinderOutput.exe	Parynah.exe
PID 1680 wrote to memory of 2900	1680	XBinderOutput.exe	Parynah.exe
PID 1680 wrote to memory of 2332	1680	XBinderOutput.exe	launcher.exe
PID 1680 wrote to memory of 2332	1680	XBinderOutput.exe	launcher.exe
PID 1680 wrote to memory of 2332	1680	XBinderOutput.exe	launcher.exe
PID 1680 wrote to memory of 2856	1680	XBinderOutput.exe	powershell.exe
PID 1680 wrote to memory of 2856	1680	XBinderOutput.exe	powershell.exe
PID 1680 wrote to memory of 2856	1680	XBinderOutput.exe	powershell.exe
PID 2332 wrote to memory of 2984	2332	launcher.exe	cmd.exe
PID 2332 wrote to memory of 2984	2332	launcher.exe	cmd.exe
PID 2332 wrote to memory of 2984	2332	launcher.exe	cmd.exe
PID 1680 wrote to memory of 2732	1680	XBinderOutput.exe	svchost.exe
PID 1680 wrote to memory of 2732	1680	XBinderOutput.exe	svchost.exe
PID 1680 wrote to memory of 2732	1680	XBinderOutput.exe	svchost.exe
PID 2900 wrote to memory of 2920	2900	Parynah.exe	WerFault.exe
PID 2900 wrote to memory of 2920	2900	Parynah.exe	WerFault.exe
PID 2900 wrote to memory of 2920	2900	Parynah.exe	WerFault.exe
PID 2732 wrote to memory of 2956	2732	svchost.exe	powershell.exe
PID 2732 wrote to memory of 2956	2732	svchost.exe	powershell.exe
PID 2732 wrote to memory of 2956	2732	svchost.exe	powershell.exe
PID 2732 wrote to memory of 2280	2732	svchost.exe	powershell.exe
PID 2732 wrote to memory of 2280	2732	svchost.exe	powershell.exe
PID 2732 wrote to memory of 2280	2732	svchost.exe	powershell.exe
PID 2732 wrote to memory of 2492	2732	svchost.exe	powershell.exe
PID 2732 wrote to memory of 2492	2732	svchost.exe	powershell.exe
PID 2732 wrote to memory of 2492	2732	svchost.exe	powershell.exe
PID 2732 wrote to memory of 1320	2732	svchost.exe	powershell.exe
PID 2732 wrote to memory of 1320	2732	svchost.exe	powershell.exe
PID 2732 wrote to memory of 1320	2732	svchost.exe	powershell.exe
PID 2732 wrote to memory of 908	2732	svchost.exe	cmd.exe
PID 2732 wrote to memory of 908	2732	svchost.exe	cmd.exe
PID 2732 wrote to memory of 908	2732	svchost.exe	cmd.exe
PID 908 wrote to memory of 548	908	cmd.exe	timeout.exe
PID 908 wrote to memory of 548	908	cmd.exe	timeout.exe
PID 908 wrote to memory of 548	908	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Parynah.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\AppData\Local\Temp\Parynah.exe
"C:\Users\Admin\AppData\Local\Temp\Parynah.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2900 -s 500
3⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:2984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Users\Admin\AppData\Local\svchost.exe
"C:\Users\Admin\AppData\Local\svchost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft Teams.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Teams.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Parynah.exe

Filesize
121KB

MD5
d133118d33c184b72ca217ef7135ca21

SHA1
2d24907dc8ab775f2f204281e48c4f626daaf3ee

SHA256
79e28785a6b291d6fa50d4784c0fe0936cc326380153d7732e973bcb7a9ddba2

SHA512
6fbda67a0091388db4367aec3882e838253c9488b99955978187647f445eb775bb6b1913cc3e9fdacfa0193fe854d45945a3b48b68c76ded7eeef4d46fcc9219

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.bat

Filesize
154B

MD5
c4600144caa76fa293e78819a90303ea

SHA1
a735b1975f6313d61ca63e532f5697593f23f0cd

SHA256
caa3bf020b5cffd1da57a2824dd852021f9df37f9f63e87a3a6b72c56faa3b01

SHA512
d81613943ff9cb303d3a794c7e5d87c99161b1ba9dd75fa8b28e2f74d70d81f7334b1bec9a73a6c4cad26659efac5aad99c5c87c6bb22f20760c00a362d44787

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
41KB

MD5
fc056dfd563e0a955a60c2eaeb14e70e

SHA1
3c84ee4f1226d7d5f501021234b1e5fbbc277de8

SHA256
ed977d71ffa080570dfc92b91e8b71d07d279482e21c1ba0622f8e44400807c0

SHA512
973457e2d759031f6fee35518332ea0b9b0141657c20c227182f15028f98f0c435e6ac575dc7c64175c4024a872c9e10126d6180491f10b29b959bd48bacc243

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00149f7dda9397e7bff8a9954267de56

SHA1
c12eccc669e21fd23368c1c7e167ec5a57251593

SHA256
0972389788cf5867939f8c5be9af908e0334a3c227b1f11352a62c74480667f8

SHA512
7691f6db36ccf2c1dd6ab8379257f087580b3fa323751725554c765d831f69dad664397d0b7f801a3a2eb688467813b3d8ecb26a7579cb163de47cd19149bef6

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\launcher.exe

Filesize
251KB

MD5
f71fc206efa0533dc5a9bdce59fd342e

SHA1
077e3d50d9db91cb943c6dcdfb8913b6b4e8bfda

SHA256
98d7a0cf5249443da87cc97998d885ed9811bd0790d49c8ee45577e54296acc6

SHA512
2913315fdc26efced8114173761a20c52705778d8fe65a84fc6ca99e8218bf85eabec67a4693dfa9e57596d9e85597aca0d7fafc18b649a2c7b0fa71062daa8e

Download Submit
memory/1680-1-0x00000000009D0000-0x0000000000A1A000-memory.dmp

Filesize
296KB

Download
memory/1680-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/1776-8-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1776-7-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1776-6-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2280-46-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2732-33-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/2856-26-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2856-27-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2900-18-0x0000000000920000-0x0000000000944000-memory.dmp

Filesize
144KB

Download
memory/2956-39-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads