Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-10-2024 06:22

General

  • Target

    08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe

  • Size

    698KB

  • MD5

    150df9d8d8d7dfa6806fd746f5046278

  • SHA1

    145d6bfa4eeceaf3c91e05a955c3ca77ee62fca2

  • SHA256

    08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37

  • SHA512

    f92b5be8839e01d35dfc6e8efa645e2307082fdc754370200774b0f502f107a70a1f52913ec43fffa4d234c79edb5ac3e4cdecfaea08df2c1a89102dbfcbaaf9

  • SSDEEP

    12288:PyveQB/fTHIGaPkKEYzURNAwbAgjsYrWu+bsOWFoS7RxYCcvlZ62sHVRj5:PuDXTIGaPhEYzUzA0DrWu6hTMbDksHVT

Malware Config

Extracted

Family

phemedrone

C2

http://89.23.102.24:80/gate.php

Signatures

  • Phemedrone

    An information and wallet stealer written in C#.

  • Phemedrone family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe
    "C:\Users\Admin\AppData\Local\Temp\08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\UpdateService\2.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\ProgramData\Microsoft\UpdateService\helper.exe
        helper.exe -p2024
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4336
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\UpdateService\1.cmd" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1440
          • C:\ProgramData\Microsoft\UpdateService\sihost.exe
            sihost.exe
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5020

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\UpdateService\1.cmd

    Filesize

    10B

    MD5

    659bda4383172c5d2ac21b729af13c81

    SHA1

    66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3

    SHA256

    185b38ec66134f027a26a9ce666774adeed1ed2f7eb60d73eb03bbe6c0b8ed6c

    SHA512

    c32d7f6e68ef095f78e90ebb779cc8ff985def52f1b4b1d5804bcbc1d25710145b390caf1bca8d874558ea70b886984a6b15ff77086aa81cab5fef51b6d64659

  • C:\ProgramData\Microsoft\UpdateService\2.cmd

    Filesize

    28B

    MD5

    e5811189f8e9e048198b7ba8f61df071

    SHA1

    5cbf208238c19ad1b2fa5d4a213adfeecab2df82

    SHA256

    358b61d0dac44c298fe9ad1a8932976eaab391ec2199f4b2f33999d9408e2743

    SHA512

    da7aa57b8fafece936e07963583e7e8a9c2b6b04a352750ba26d4514d4a239fa3d8143c0e32ac20ac1437bc6690c6922dbaf835d3eacadff0528b532fe8745ae

  • C:\ProgramData\Microsoft\UpdateService\helper.exe

    Filesize

    511KB

    MD5

    28c2bcc769b519934e2b5957745c7b0d

    SHA1

    91a9ae91605d3058887e16aba69ac9368dd1a9f8

    SHA256

    ef7900aed9eb9b4a1ba526f5e4e787cc19aaf00935b54b57e3e2228cd2fb1b4c

    SHA512

    2978bec2643b4f60417ead9022a253f6584d973b36bd2829e5d74414545487af6d112ce364ba2b08af07dda6c81e1ae0c6453672b2efe4ce0d06884dc59f78d3

  • C:\ProgramData\Microsoft\UpdateService\sihost.exe

    Filesize

    138KB

    MD5

    05cd26a6be48d566af0c8c6d4b7be291

    SHA1

    8667cf89b4055dd9cab3c7a24cde6cdf3c5efea5

    SHA256

    ab04c22ab7dc507d43170a1dbe9e179c95685e2165c7c91a3d7487ced92cb464

    SHA512

    5d3369aa26f35f2b7a6e7d09d86c6aa88900963914387588bc18456d03d9931adddbcefb3337a20eea65afba16bae83e4cda16b704ed36e7fc3fda547a406c2c

  • memory/5020-20-0x000001CA810A0000-0x000001CA810C8000-memory.dmp

    Filesize

    160KB