phemedrone | 3c74b4676f493cabec4327fc8f9f95a4e1755d3f7d1e156dc076b5915495682b

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput.exe
Size

269KB
MD5

8b45e5989e41d1512ab5aeb7e79a0646
SHA1

bb5eac66225b3fda93ad83a1eb5d98ace5b9c6d4
SHA256

3c74b4676f493cabec4327fc8f9f95a4e1755d3f7d1e156dc076b5915495682b
SHA512

c753483cd538e856e894e0b4d5d9211b07e17b02209bc463d6afc5e645e627b2385ee46b8a8c7825eda617e20fd6b318750d878e3fc7a9f3d1ff0a83b44064af
SSDEEP

6144:gDixhyqtRZ2XdRB3XjdOwkL1xOnD+Y96xf6TUIa1bq/KMw:gmxhHtRZqdRB3zEjLPPf6J

Score

10^/10

phemedrone xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7375773294:AAFZUnpXCxGuVizu2hOj5WMYl9ULnbeqZ6c/sendDocument

Extracted

Family

xworm

Version

5.0

89.31.122.114:1488

Mutex

8hQA9bqDdqRhTokn

Attributes

Install_directory
%LocalAppData%
install_file
Microsoft Teams.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\svchost.exe	family_xworm
behavioral2/memory/4596-63-0x0000000000790000-0x00000000007A0000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2232 powershell.exe
1872 powershell.exe
3872 powershell.exe
4120 powershell.exe
1988 powershell.exe
1684 powershell.exe

pid	process
2232	powershell.exe
1872	powershell.exe
3872	powershell.exe
4120	powershell.exe
1988	powershell.exe
1684	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XBinderOutput.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	XBinderOutput.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Teams.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Teams.lnk	svchost.exe

Executes dropped EXE 3 IoCs

Processes:

Parynah.exelauncher.exesvchost.exe

pid process

3540 Parynah.exe
5116 launcher.exe
4596 svchost.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
3540	Parynah.exe
5116	launcher.exe
4596	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeXBinderOutput.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Teams = "C:\\Users\\Admin\\AppData\\Local\\Microsoft Teams.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parynah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Parynah.exe"	XBinderOutput.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	XBinderOutput.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2588 timeout.exe

flow	ioc
19	ip-api.com

pid	process
2588	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeParynah.exe

pid	process
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe
2232	powershell.exe
2232	powershell.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
2232	powershell.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe
3540	Parynah.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exeParynah.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	3540	Parynah.exe
Token: SeDebugPrivilege	4596	svchost.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	4596	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

XBinderOutput.exelauncher.exesvchost.execmd.exe

description	pid	process	target process
PID 1452 wrote to memory of 1684	1452	XBinderOutput.exe	powershell.exe
PID 1452 wrote to memory of 1684	1452	XBinderOutput.exe	powershell.exe
PID 1452 wrote to memory of 3540	1452	XBinderOutput.exe	Parynah.exe
PID 1452 wrote to memory of 3540	1452	XBinderOutput.exe	Parynah.exe
PID 1452 wrote to memory of 5116	1452	XBinderOutput.exe	launcher.exe
PID 1452 wrote to memory of 5116	1452	XBinderOutput.exe	launcher.exe
PID 1452 wrote to memory of 2232	1452	XBinderOutput.exe	powershell.exe
PID 1452 wrote to memory of 2232	1452	XBinderOutput.exe	powershell.exe
PID 5116 wrote to memory of 4184	5116	launcher.exe	cmd.exe
PID 5116 wrote to memory of 4184	5116	launcher.exe	cmd.exe
PID 1452 wrote to memory of 4596	1452	XBinderOutput.exe	svchost.exe
PID 1452 wrote to memory of 4596	1452	XBinderOutput.exe	svchost.exe
PID 4596 wrote to memory of 1872	4596	svchost.exe	powershell.exe
PID 4596 wrote to memory of 1872	4596	svchost.exe	powershell.exe
PID 4596 wrote to memory of 3872	4596	svchost.exe	powershell.exe
PID 4596 wrote to memory of 3872	4596	svchost.exe	powershell.exe
PID 4596 wrote to memory of 4120	4596	svchost.exe	powershell.exe
PID 4596 wrote to memory of 4120	4596	svchost.exe	powershell.exe
PID 4596 wrote to memory of 1988	4596	svchost.exe	powershell.exe
PID 4596 wrote to memory of 1988	4596	svchost.exe	powershell.exe
PID 4596 wrote to memory of 3208	4596	svchost.exe	cmd.exe
PID 4596 wrote to memory of 3208	4596	svchost.exe	cmd.exe
PID 3208 wrote to memory of 2588	3208	cmd.exe	timeout.exe
PID 3208 wrote to memory of 2588	3208	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Parynah.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Users\Admin\AppData\Local\Temp\Parynah.exe
"C:\Users\Admin\AppData\Local\Temp\Parynah.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:4184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Users\Admin\AppData\Local\svchost.exe
"C:\Users\Admin\AppData\Local\svchost.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft Teams.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Teams.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD4F6.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4548,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:8
1⤵
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fe9b96bc4e29457b2d225a5412322a52

SHA1
551e29903e926b5d6c52a8f57cf10475ba790bd0

SHA256
e81b9bfd38a5199813d703d5caf75baa6f62847b2b9632302b5d6f10dd6cf997

SHA512
ff912526647f6266f37749dfdc3ed5fd37c35042ba481331434168704c827d128c22093ba73d7ad0cecde10365f0978fcd3f3e2af1a1c280cd2e592a62d5fa80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a5e0d50fb884fb8a741fc1e3607069f8

SHA1
a243a80777685f77085fcd8150941eb031c2e813

SHA256
1cdfcf768abf27ba45d8748cefbf068e94b255f43d700443a0a0bb1aedf94c24

SHA512
b5fba675c532eca3b20469dee34b073c3ba988e5b294e328bc190a1925945a4bb561bd998e9dc81108c6cc782daeff104b8cdef14baa6699d7b70c37cb02147a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4857503def5a24a152c052a38f239686

SHA1
0e7db0dc1ef7aecbd1e2f7c45c15fe559da240c3

SHA256
9d1bad7ff7cb95da5f1eca5df87756b0c1ab7c80bd55d841026940c87d430bdf

SHA512
7f472229dabdc37e2fd647b287b5843d4db38c18ca8e88308cbf30a3781e6b4542156f36ed8c3ea81454c1c47d82f3833cd67cc77f1ef5aac41d14aa4af48c88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Parynah.exe

Filesize
121KB

MD5
d133118d33c184b72ca217ef7135ca21

SHA1
2d24907dc8ab775f2f204281e48c4f626daaf3ee

SHA256
79e28785a6b291d6fa50d4784c0fe0936cc326380153d7732e973bcb7a9ddba2

SHA512
6fbda67a0091388db4367aec3882e838253c9488b99955978187647f445eb775bb6b1913cc3e9fdacfa0193fe854d45945a3b48b68c76ded7eeef4d46fcc9219

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1qdcrdu.omf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.exe

Filesize
251KB

MD5
f71fc206efa0533dc5a9bdce59fd342e

SHA1
077e3d50d9db91cb943c6dcdfb8913b6b4e8bfda

SHA256
98d7a0cf5249443da87cc97998d885ed9811bd0790d49c8ee45577e54296acc6

SHA512
2913315fdc26efced8114173761a20c52705778d8fe65a84fc6ca99e8218bf85eabec67a4693dfa9e57596d9e85597aca0d7fafc18b649a2c7b0fa71062daa8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD4F6.tmp.bat

Filesize
154B

MD5
58536bcc46c6ac1fb2ccf5fbd0b9c544

SHA1
cf083c191bafa44aa8ef5bb0de1f201a7c27d501

SHA256
b4ac95184b7fa1b2c0ed60f362bab86b2f0d85adbc1dfe7e538ddeba887f407c

SHA512
0201ef8255a590d9ff4fbb8f47212c67acc8f631fa44ea276fcbd5e17f0975ba69ee148956411f4c9320eb84d3dfc5666b9e3de18229ea7aa8ed280c23b0ea61

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
41KB

MD5
fc056dfd563e0a955a60c2eaeb14e70e

SHA1
3c84ee4f1226d7d5f501021234b1e5fbbc277de8

SHA256
ed977d71ffa080570dfc92b91e8b71d07d279482e21c1ba0622f8e44400807c0

SHA512
973457e2d759031f6fee35518332ea0b9b0141657c20c227182f15028f98f0c435e6ac575dc7c64175c4024a872c9e10126d6180491f10b29b959bd48bacc243

Download Submit
memory/1452-0-0x00007FF947573000-0x00007FF947575000-memory.dmp

Filesize
8KB

Download
memory/1452-26-0x00007FF947570000-0x00007FF948031000-memory.dmp

Filesize
10.8MB

Download
memory/1452-64-0x00007FF947570000-0x00007FF948031000-memory.dmp

Filesize
10.8MB

Download
memory/1452-1-0x0000000000090000-0x00000000000DA000-memory.dmp

Filesize
296KB

Download
memory/1684-13-0x00007FF947570000-0x00007FF948031000-memory.dmp

Filesize
10.8MB

Download
memory/1684-17-0x00007FF947570000-0x00007FF948031000-memory.dmp

Filesize
10.8MB

Download
memory/1684-14-0x00007FF947570000-0x00007FF948031000-memory.dmp

Filesize
10.8MB

Download
memory/1684-12-0x00007FF947570000-0x00007FF948031000-memory.dmp

Filesize
10.8MB

Download
memory/1684-7-0x000001EF921F0000-0x000001EF92212000-memory.dmp

Filesize
136KB

Download
memory/3540-37-0x0000000000D60000-0x0000000000D84000-memory.dmp

Filesize
144KB

Download
memory/4596-63-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download