Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 23:18
Behavioral task: behavioral1
Sample: 73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe
Resource: win10v2004-20241007-en
General
Target: 73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe
Size: 358KB
MD5: 6492e47738dd77951bd2f5f9839f6636
SHA1: 8a647c9a1594d1b5e16ffcb32de1264787c4a80e
SHA256: 73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212
SHA512: e563d188d124071cada50bd3ae8b7b30bfef605b5c1e2a97b3bde39534ed1b03be4cac3a2ef830aa97c77a5778af076a56e96c2f568e5e0c3d8948c796d615ff
SSDEEP: 6144:G7yrhcdXOmSnpz70UFuRwo+JcoEej3KFUzR/FLUY+Yw:64UOf0UFTo+JPj36UzR/9Rw
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot5942488573:AAHwpEclqtQTOQ8pXq-JbNtaNF28JxIiT1E/sendDocument
Signatures

Phemedrone
An information and wallet stealer written in C#.

Phemedrone family

Executes dropped EXE (2 IoCs)
pid   Process
2780  Edydimi.exe
2872  Steamify.exe

Loads dropped DLL (7 IoCs)
pid   Process
2580  73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe
2580  73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe
2840  WerFault.exe
2840  WerFault.exe
2840  WerFault.exe
2840  WerFault.exe
2840  WerFault.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
2840  2872        WerFault.exe  31
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Steamify.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2780  Edydimi.exe
2780  Edydimi.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2780  Edydimi.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description                       pid   Process                                                                procid_target
PID 2580 wrote to memory of 2780  2580  73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe  30
PID 2580 wrote to memory of 2780  2580  73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe  30
PID 2580 wrote to memory of 2780  2580  73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe  30
PID 2580 wrote to memory of 2780  2580  73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe  30
PID 2580 wrote to memory of 2872  2580  73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe  31
PID 2580 wrote to memory of 2872  2580  73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe  31
PID 2580 wrote to memory of 2872  2580  73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe  31
PID 2580 wrote to memory of 2872  2580  73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe  31
PID 2872 wrote to memory of 2840  2872  Steamify.exe                                                           33
PID 2872 wrote to memory of 2840  2872  Steamify.exe                                                           33
PID 2872 wrote to memory of 2840  2872  Steamify.exe                                                           33
PID 2872 wrote to memory of 2840  2872  Steamify.exe                                                           33
PID 2780 wrote to memory of 1784  2780  Edydimi.exe                                                            34
PID 2780 wrote to memory of 1784  2780  Edydimi.exe                                                            34
PID 2780 wrote to memory of 1784  2780  Edydimi.exe                                                            34
Processes

C:\Users\Admin\AppData\Local\Temp\73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\73dac4bb47f3d767633827448b03abf12c5e2561180db45204ee1ca800ebb212.exe"
  PID: 2580
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Edydimi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Edydimi.exe"
    PID: 2780
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2780 -s 752
      PID: 1784

  C:\Users\Admin\AppData\Local\Temp\Steamify.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Steamify.exe"
    PID: 2872
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 552
      PID: 2840
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 137KB
MD5: 58e7619ddc6edc65e0ae04d817da607c
SHA1: 66ef74b1a68112821823f5b2a6f66498500ad510
SHA256: 90655573221e9d42546ee24ea9c6db318964442569a2c1314054ddb99309b86f
SHA512: ed1cbdbc14ceb2233e250513bb98671f25b795eb0e76e1dc96ba3bd379b7493f7231bee7c982bf66c705c0096b8e99eda778e2fead47512c708bb6f529f7c45e

Filesize: 196KB
MD5: b9bb27e693a8cc545bdafbcae85ee6bf
SHA1: 3d4ef6d9985e7815f157fed255623bac499e3554
SHA256: eb76fb99cb26edd46f2e45b495700306880ed63143f62ebc24f4db03d62e1dd9
SHA512: fbc29d4a9154861352af495b3468e5e2a8828e82770620b25e3c56557d4bec81b36a589b36b9da82d09d22338f1e2515f3a4c6a45000564ec4e712db140cf924