Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 10:59
Behavioral task
behavioral1
Sample
WDSecureUtilities(1).exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
WDSecureUtilities(1).exe
Resource
win10v2004-20241007-en
General
-
Target
WDSecureUtilities(1).exe
-
Size
234KB
-
MD5
94f4be08caae697b20849e2e1e467290
-
SHA1
72b397df67081f2209875c997112c10923ba530c
-
SHA256
0cb3d1764153b9a3030623c8a3a9a166a23fb15238399270d7022be0cda443bb
-
SHA512
cc42687240a149230786d328da4342f6eec8ef2d1884c6175cae774f1ac082b2c66ac374049b3566968c65ac22a732a42ebf8529d0ed27468832167cbedd5390
-
SSDEEP
3072:8kV3NK7I1mCkW3oUo3TizdqnuQVR4Iis3ET:8kaI1mCkWY1io4Il
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7597110015:AAE37zZN-zm_svW9oNT0XSU5nlCY5Ha0Wjs/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe 3052 WDSecureUtilities(1).exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3052 WDSecureUtilities(1).exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3052 wrote to memory of 2636 3052 WDSecureUtilities(1).exe 31 PID 3052 wrote to memory of 2636 3052 WDSecureUtilities(1).exe 31 PID 3052 wrote to memory of 2636 3052 WDSecureUtilities(1).exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\WDSecureUtilities(1).exe"C:\Users\Admin\AppData\Local\Temp\WDSecureUtilities(1).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3052 -s 6402⤵PID:2636
-