Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
10-09-2024 09:34
Static task
static1
Behavioral task
behavioral1
Sample
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
Resource
win10v2004-20240802-en
General
-
Target
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
-
Size
291KB
-
MD5
37992d4e5349d0a9275c8d1fe0290591
-
SHA1
2ea1bb73a8459672c7f8a1133c4edc8040c2c63c
-
SHA256
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6
-
SHA512
dc2bd50f573d806c88eba2f599476d431ad3b2c64cf14e058e6df53edd2383d2a8b18e99aeae14af6fbbdec7f14c4403ced2883cb20a93c77515b1ed5fae7d88
-
SSDEEP
6144:rTiaVHkOlGtyUFB3XjdOwkL1xOJ9NLzof6TUIa1bq/KMw:rXJUFB3zEjLPDf6J
Malware Config
Extracted
xworm
127.0.0.1:19121
goods-flex.gl.at.ply.gg:19121
-
Install_directory
%AppData%
-
install_file
GoogleUpdateUA.exe
Extracted
phemedrone
https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x0005000000022723-22.dat family_xworm behavioral2/memory/1716-29-0x0000000000410000-0x0000000000426000-memory.dmp family_xworm -
Phemedrone
An information and wallet stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2332 powershell.exe 4920 powershell.exe 4432 powershell.exe 2032 powershell.exe 208 powershell.exe 1420 powershell.exe 2628 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation GoogleUpdateUA.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdateUA.lnk GoogleUpdateUA.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdateUA.lnk GoogleUpdateUA.exe -
Executes dropped EXE 5 IoCs
pid Process 1716 GoogleUpdateUA.exe 3412 launcher.exe 3820 Sync Center.exe 1664 GoogleUpdateUA.exe 464 GoogleUpdateUA.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\launcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\launcher.exe" 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdateUA = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleUpdateUA.exe" GoogleUpdateUA.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4836 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 208 powershell.exe 208 powershell.exe 1420 powershell.exe 1420 powershell.exe 2628 powershell.exe 2628 powershell.exe 3820 Sync Center.exe 2332 powershell.exe 2332 powershell.exe 4920 powershell.exe 4920 powershell.exe 4432 powershell.exe 4432 powershell.exe 2032 powershell.exe 2032 powershell.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe Token: SeDebugPrivilege 208 powershell.exe Token: SeDebugPrivilege 1716 GoogleUpdateUA.exe Token: SeDebugPrivilege 1420 powershell.exe Token: SeDebugPrivilege 2628 powershell.exe Token: SeDebugPrivilege 3820 Sync Center.exe Token: SeDebugPrivilege 2332 powershell.exe Token: SeDebugPrivilege 4920 powershell.exe Token: SeDebugPrivilege 4432 powershell.exe Token: SeDebugPrivilege 2032 powershell.exe Token: SeDebugPrivilege 1716 GoogleUpdateUA.exe Token: SeDebugPrivilege 1664 GoogleUpdateUA.exe Token: SeDebugPrivilege 464 GoogleUpdateUA.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 3044 wrote to memory of 208 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 88 PID 3044 wrote to memory of 208 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 88 PID 3044 wrote to memory of 1716 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 90 PID 3044 wrote to memory of 1716 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 90 PID 3044 wrote to memory of 1420 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 91 PID 3044 wrote to memory of 1420 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 91 PID 3044 wrote to memory of 3412 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 93 PID 3044 wrote to memory of 3412 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 93 PID 3044 wrote to memory of 2628 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 95 PID 3044 wrote to memory of 2628 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 95 PID 3412 wrote to memory of 5104 3412 launcher.exe 97 PID 3412 wrote to memory of 5104 3412 launcher.exe 97 PID 3044 wrote to memory of 3820 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 100 PID 3044 wrote to memory of 3820 3044 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe 100 PID 1716 wrote to memory of 2332 1716 GoogleUpdateUA.exe 103 PID 1716 wrote to memory of 2332 1716 GoogleUpdateUA.exe 103 PID 1716 wrote to memory of 4920 1716 GoogleUpdateUA.exe 105 PID 1716 wrote to memory of 4920 1716 GoogleUpdateUA.exe 105 PID 1716 wrote to memory of 4432 1716 GoogleUpdateUA.exe 107 PID 1716 wrote to memory of 4432 1716 GoogleUpdateUA.exe 107 PID 1716 wrote to memory of 2032 1716 GoogleUpdateUA.exe 111 PID 1716 wrote to memory of 2032 1716 GoogleUpdateUA.exe 111 PID 1716 wrote to memory of 4836 1716 GoogleUpdateUA.exe 113 PID 1716 wrote to memory of 4836 1716 GoogleUpdateUA.exe 113 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe"C:\Users\Admin\AppData\Local\Temp\35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateUA.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateUA.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GoogleUpdateUA" /tr "C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:4836
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵PID:5104
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820
-
-
C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exeC:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1664
-
C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exeC:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:464
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56a5650126660a2760e93e48a63a9f626
SHA135710b657094c22ed66a37854173ce2090f02caa
SHA256e981ba57e2617381d8d75f0c7ffb6e836afbeb475434a06b56b9a5a988761e92
SHA5124e4cc9dc507cd95d5f9ddc181f68e97e5351aa7748c574717ac4cf0ff882f7fb1c6d6460b63560db382697c44118b8c2a288e2c94c9c8457b15ca6a9b1a66ba9
-
Filesize
944B
MD554ae5e62408d2ee2d9408ddd3bdf1752
SHA1946b2c7b408272a8c5586020cfb541b2fa144160
SHA256979084632c4103f3c09d9280cca1e4ad6404548368afc9530aefc9197cfe34f3
SHA512a3255b4248a4e7a1cb7482398f10fd826947b14909bf1f18098797b4099a194dad06a31e771ae9b714135963051d2f4e2b489100adbb35c5acaa3ba05c63eb3e
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5888f29c0442cabfd610879a5710baa3d
SHA16aafe5eb81e4c557408245b3f5dac3fe45a25e10
SHA2560b0e42f34bfdd5dabbdcb27288c8e7fdd3731f07540a56d8cfa90df7219a2e95
SHA5125c7e343501483e74fc40fa6fdcc29364a974fc0bd36d53a744ff799cf886113300d5dd76ad778f50f1e66741003c77de36bf3b1f186aa1dbcaf15267c709e058
-
Filesize
944B
MD52414198488c434d42d9a1ccda60d1f77
SHA12fb9f28bee397d29a457e326970644d03763f238
SHA2569da692fc5bc13f8ed86e57d6e05e0796e7fea900d431fd25a40f0c0c2957552a
SHA5121c0fbe9ba6a2d3d936ed484bcf5829e91e9137b41a4b150b62bf46f73a6fe055adde58f18a247e7f9a8f5ab36fdfd0221e6e0d92eec7e5b74d99f028b93b9623
-
Filesize
944B
MD53db1c0d23daacf01eb99125ccc2787d3
SHA10849528de1ba411279231d635d8f39d54cc829d2
SHA256bceb96f5c3d31447980eb8cd891bba75b3e5b6eb60abf4d829fc13cd8faf2582
SHA5123d84635a3395bca1d91ce182ccfb9e38c8da87ad678704673a72d580e4251cedc5a6b2a89040a172a5687b67952e74a13673bd115bce7bdabaed06f89323de5b
-
Filesize
63KB
MD59d84713a034176855221121b1b82e66d
SHA11f8b51b489510ba4d7d899b698f0ae1cf24380c3
SHA25643fe14e317713480c623a3fef46f3347c7051796eac95f489db2ea2f5a9830f3
SHA512434a8d9e81fb22ed38ba8c593b7d17be1d8b674b9a0441b194352a7072b7dfc20fdb81bb4aa8451d8b69671ac9f008e3d5611a209894cb1fbc86583a924e84dc
-
Filesize
121KB
MD57b6c19c2c8fc4ff9cc5b136f22cf490d
SHA1e557a697a268c54a73aaffd02d25e54c4f601719
SHA256cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353
SHA512afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
251KB
MD5f71fc206efa0533dc5a9bdce59fd342e
SHA1077e3d50d9db91cb943c6dcdfb8913b6b4e8bfda
SHA25698d7a0cf5249443da87cc97998d885ed9811bd0790d49c8ee45577e54296acc6
SHA5122913315fdc26efced8114173761a20c52705778d8fe65a84fc6ca99e8218bf85eabec67a4693dfa9e57596d9e85597aca0d7fafc18b649a2c7b0fa71062daa8e