Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21-10-2024 16:33

General

  • Target

    tmpg45mr2xx.exe

  • Size

    137KB

  • MD5

    e27b299c37caf241ff547c4845efb6d6

  • SHA1

    a5b62b4536da6262e18315a44ca5ff7be4dd658f

  • SHA256

    7a2e81375e856c2407907599f401b4a5ec43322bc8e5a4847c43a97f4b91af3f

  • SHA512

    962f94f887b7d6fa95402bc9ef2fbea68deed0a76871e461176e03ad88d07ded383f244095318aa2499543703654825029299b403a16469c1ad635a143d10fcb

  • SSDEEP

    1536:qQfUyJkgcYU/BFI6d75KunrlsCK2Wu01Dy5s5b3x07XSI7UKCWaDCoL3T4NODbio:qQ849/Ud75FnZtCDyK5Tm7iIFCzPi0F

Score
10/10

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7580542331:AAGHf6T43IrCaf5fPcI73jO_S0Bs8H-8Nig/sendDocument

Signatures

  • Phemedrone

    An information and wallet stealer written in C#.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmpg45mr2xx.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpg45mr2xx.exe"
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1600 -s 520
      PID:2092

Downloads

  • memory/1600-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

    Filesize

    4KB

  • memory/1600-1-0x0000000001160000-0x0000000001188000-memory.dmp

    Filesize

    160KB