Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    31-10-2024 06:27

General

  • Target

    08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe

  • Size

    698KB

  • MD5

    150df9d8d8d7dfa6806fd746f5046278

  • SHA1

    145d6bfa4eeceaf3c91e05a955c3ca77ee62fca2

  • SHA256

    08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37

  • SHA512

    f92b5be8839e01d35dfc6e8efa645e2307082fdc754370200774b0f502f107a70a1f52913ec43fffa4d234c79edb5ac3e4cdecfaea08df2c1a89102dbfcbaaf9

  • SSDEEP

    12288:PyveQB/fTHIGaPkKEYzURNAwbAgjsYrWu+bsOWFoS7RxYCcvlZ62sHVRj5:PuDXTIGaPhEYzUzA0DrWu6hTMbDksHVT

Malware Config

Extracted

Family

phemedrone

C2

http://89.23.102.24:80/gate.php

Signatures

  • Phemedrone

    An information and wallet stealer written in C#.

  • Phemedrone family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe
    "C:\Users\Admin\AppData\Local\Temp\08d9d4e6489dc5b05a6caa434fc36ad6c1bd8c8eb08888f61cbed094eac6cb37.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\ProgramData\Microsoft\UpdateService\2.cmd" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\ProgramData\Microsoft\UpdateService\helper.exe
        helper.exe -p2024
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\ProgramData\Microsoft\UpdateService\1.cmd" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\ProgramData\Microsoft\UpdateService\sihost.exe
            sihost.exe
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2688 -s 596
              6⤵
                PID:3024

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\UpdateService\1.cmd

      Filesize

      10B

      MD5

      659bda4383172c5d2ac21b729af13c81

      SHA1

      66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3

      SHA256

      185b38ec66134f027a26a9ce666774adeed1ed2f7eb60d73eb03bbe6c0b8ed6c

      SHA512

      c32d7f6e68ef095f78e90ebb779cc8ff985def52f1b4b1d5804bcbc1d25710145b390caf1bca8d874558ea70b886984a6b15ff77086aa81cab5fef51b6d64659

    • C:\ProgramData\Microsoft\UpdateService\2.cmd

      Filesize

      28B

      MD5

      e5811189f8e9e048198b7ba8f61df071

      SHA1

      5cbf208238c19ad1b2fa5d4a213adfeecab2df82

      SHA256

      358b61d0dac44c298fe9ad1a8932976eaab391ec2199f4b2f33999d9408e2743

      SHA512

      da7aa57b8fafece936e07963583e7e8a9c2b6b04a352750ba26d4514d4a239fa3d8143c0e32ac20ac1437bc6690c6922dbaf835d3eacadff0528b532fe8745ae

    • C:\ProgramData\Microsoft\UpdateService\sihost.exe

      Filesize

      138KB

      MD5

      05cd26a6be48d566af0c8c6d4b7be291

      SHA1

      8667cf89b4055dd9cab3c7a24cde6cdf3c5efea5

      SHA256

      ab04c22ab7dc507d43170a1dbe9e179c95685e2165c7c91a3d7487ced92cb464

      SHA512

      5d3369aa26f35f2b7a6e7d09d86c6aa88900963914387588bc18456d03d9931adddbcefb3337a20eea65afba16bae83e4cda16b704ed36e7fc3fda547a406c2c

    • \ProgramData\Microsoft\UpdateService\helper.exe

      Filesize

      511KB

      MD5

      28c2bcc769b519934e2b5957745c7b0d

      SHA1

      91a9ae91605d3058887e16aba69ac9368dd1a9f8

      SHA256

      ef7900aed9eb9b4a1ba526f5e4e787cc19aaf00935b54b57e3e2228cd2fb1b4c

      SHA512

      2978bec2643b4f60417ead9022a253f6584d973b36bd2829e5d74414545487af6d112ce364ba2b08af07dda6c81e1ae0c6453672b2efe4ce0d06884dc59f78d3

    • memory/2688-43-0x0000000000A70000-0x0000000000A98000-memory.dmp

      Filesize

      160KB