Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31-10-2024 06:22
Static task
static1
Behavioral task
behavioral1
Sample
08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe
Resource
win10v2004-20241007-en
General
-
Target
08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe
-
Size
698KB
-
MD5
150df9d8d8d7dfa6806fd746f5046278
-
SHA1
145d6bfa4eeceaf3c91e05a955c3ca77ee62fca2
-
SHA256
08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37
-
SHA512
f92b5be8839e01d35dfc6e8efa645e2307082fdc754370200774b0f502f107a70a1f52913ec43fffa4d234c79edb5ac3e4cdecfaea08df2c1a89102dbfcbaaf9
-
SSDEEP
12288:PyveQB/fTHIGaPkKEYzURNAwbAgjsYrWu+bsOWFoS7RxYCcvlZ62sHVRj5:PuDXTIGaPhEYzUzA0DrWu6hTMbDksHVT
Malware Config
Extracted
phemedrone
http://89.23.102.24:80/gate.php
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exehelper.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation 08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation helper.exe -
Executes dropped EXE 2 IoCs
Processes:
helper.exesihost.exepid process 4336 helper.exe 5020 sihost.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
sihost.exepid process 5020 sihost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
sihost.exedescription pid process Token: SeDebugPrivilege 5020 sihost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.execmd.exehelper.execmd.exedescription pid process target process PID 4600 wrote to memory of 3400 4600 08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe cmd.exe PID 4600 wrote to memory of 3400 4600 08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe cmd.exe PID 3400 wrote to memory of 4336 3400 cmd.exe helper.exe PID 3400 wrote to memory of 4336 3400 cmd.exe helper.exe PID 4336 wrote to memory of 1440 4336 helper.exe cmd.exe PID 4336 wrote to memory of 1440 4336 helper.exe cmd.exe PID 1440 wrote to memory of 5020 1440 cmd.exe sihost.exe PID 1440 wrote to memory of 5020 1440 cmd.exe sihost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe"C:\Users\Admin\AppData\Local\Temp\08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\UpdateService\2.cmd" "2⤵
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\ProgramData\Microsoft\UpdateService\helper.exehelper.exe -p20243⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\UpdateService\1.cmd" "4⤵
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\ProgramData\Microsoft\UpdateService\sihost.exesihost.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10B
MD5659bda4383172c5d2ac21b729af13c81
SHA166fc9ff0ee96c2b21f0cfded48750ae9e3032bf3
SHA256185b38ec66134f027a26a9ce666774adeed1ed2f7eb60d73eb03bbe6c0b8ed6c
SHA512c32d7f6e68ef095f78e90ebb779cc8ff985def52f1b4b1d5804bcbc1d25710145b390caf1bca8d874558ea70b886984a6b15ff77086aa81cab5fef51b6d64659
-
Filesize
28B
MD5e5811189f8e9e048198b7ba8f61df071
SHA15cbf208238c19ad1b2fa5d4a213adfeecab2df82
SHA256358b61d0dac44c298fe9ad1a8932976eaab391ec2199f4b2f33999d9408e2743
SHA512da7aa57b8fafece936e07963583e7e8a9c2b6b04a352750ba26d4514d4a239fa3d8143c0e32ac20ac1437bc6690c6922dbaf835d3eacadff0528b532fe8745ae
-
Filesize
511KB
MD528c2bcc769b519934e2b5957745c7b0d
SHA191a9ae91605d3058887e16aba69ac9368dd1a9f8
SHA256ef7900aed9eb9b4a1ba526f5e4e787cc19aaf00935b54b57e3e2228cd2fb1b4c
SHA5122978bec2643b4f60417ead9022a253f6584d973b36bd2829e5d74414545487af6d112ce364ba2b08af07dda6c81e1ae0c6453672b2efe4ce0d06884dc59f78d3
-
Filesize
138KB
MD505cd26a6be48d566af0c8c6d4b7be291
SHA18667cf89b4055dd9cab3c7a24cde6cdf3c5efea5
SHA256ab04c22ab7dc507d43170a1dbe9e179c95685e2165c7c91a3d7487ced92cb464
SHA5125d3369aa26f35f2b7a6e7d09d86c6aa88900963914387588bc18456d03d9931adddbcefb3337a20eea65afba16bae83e4cda16b704ed36e7fc3fda547a406c2c