Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-11-2024 15:49
Static task
static1
Behavioral task
behavioral1
Sample
fix.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fix.exe
Resource
win10v2004-20241007-en
General
-
Target
fix.exe
-
Size
182KB
-
MD5
c051fba1ccd26b26c6052d9d83af4ef7
-
SHA1
f05973654803099ed3579f90e4ec2febc893d86f
-
SHA256
971a5e7ce8ea5ec0daba3818240f241e7ef73c7b26f876fb90faa989427e8de7
-
SHA512
1c01641f92bb291b79c49aac8a1a3c42725c82650e56bb6e741b0d399df477eb295ddf3dbdf79de76dcb7949de9637bc60bab204cbfdb90889f0ec317162ce5c
-
SSDEEP
3072:ACUln0JMvzUD7CSCMIP8PMJDQe5SOmrc0i/HBAx4EuiLaOmf9hvQO541gMhKFziu:AT0JpD70P8PMJ83rJaBOQ1d5nMhKxiko
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot8048480644:AAGu4LS8y7U94z6qxGp1BK4BXot90IjTN4k/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "C:\\Users\\Admin\\AppData\\Roaming\\vlc\\vlc.exe" powershell.exe -
pid Process 2692 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2112 set thread context of 2860 2112 fix.exe 33 -
Program crash 1 IoCs
pid pid_target Process procid_target 2544 2860 WerFault.exe 33 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fix.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2112 fix.exe 2112 fix.exe 2860 RegAsm.exe 2692 powershell.exe 2860 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2112 fix.exe Token: SeDebugPrivilege 2860 RegAsm.exe Token: SeDebugPrivilege 2692 powershell.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 2112 wrote to memory of 2692 2112 fix.exe 30 PID 2112 wrote to memory of 2692 2112 fix.exe 30 PID 2112 wrote to memory of 2692 2112 fix.exe 30 PID 2112 wrote to memory of 2692 2112 fix.exe 30 PID 2112 wrote to memory of 2608 2112 fix.exe 32 PID 2112 wrote to memory of 2608 2112 fix.exe 32 PID 2112 wrote to memory of 2608 2112 fix.exe 32 PID 2112 wrote to memory of 2608 2112 fix.exe 32 PID 2112 wrote to memory of 2608 2112 fix.exe 32 PID 2112 wrote to memory of 2608 2112 fix.exe 32 PID 2112 wrote to memory of 2608 2112 fix.exe 32 PID 2112 wrote to memory of 2860 2112 fix.exe 33 PID 2112 wrote to memory of 2860 2112 fix.exe 33 PID 2112 wrote to memory of 2860 2112 fix.exe 33 PID 2112 wrote to memory of 2860 2112 fix.exe 33 PID 2112 wrote to memory of 2860 2112 fix.exe 33 PID 2112 wrote to memory of 2860 2112 fix.exe 33 PID 2112 wrote to memory of 2860 2112 fix.exe 33 PID 2112 wrote to memory of 2860 2112 fix.exe 33 PID 2112 wrote to memory of 2860 2112 fix.exe 33 PID 2112 wrote to memory of 2860 2112 fix.exe 33 PID 2112 wrote to memory of 2860 2112 fix.exe 33 PID 2112 wrote to memory of 2860 2112 fix.exe 33 PID 2860 wrote to memory of 2544 2860 RegAsm.exe 35 PID 2860 wrote to memory of 2544 2860 RegAsm.exe 35 PID 2860 wrote to memory of 2544 2860 RegAsm.exe 35 PID 2860 wrote to memory of 2544 2860 RegAsm.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\fix.exe"C:\Users\Admin\AppData\Local\Temp\fix.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'vlc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'vlc' -Value '"C:\Users\Admin\AppData\Roaming\vlc\vlc.exe"' -PropertyType 'String'2⤵
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:2608
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 7683⤵
- Program crash
PID:2544
-
-