Resubmissions
21-11-2024 21:22
241121-z7zc4ssmgp 10
Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2024 21:22
Behavioral task behavioral1: Sample system.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample system.exe, Resource win10v2004-20241007-en
General
Target: system.exe
Size: 122KB
MD5: 8ccbd97201fb104da148476fb7740d38
SHA1: 33b60652da7403daeb3e18c8f5db8d9c4e595e43
SHA256: f5939fc9c044ea28527a3f66ce394153b43473d28e1209c49dd19d5916e1368d
SHA512: b03e1849a858cd02a9f025c1897638ac2c038f4218c179bbb9a8cfd5d0db41d00fa620d861977802f8bf3250f5c9d09986e95da61fa4019912b60747473c1ad8
SSDEEP: 3072:EG3oAZoUcggU5DZv2eZU72VM5B5rhYb9wEKT3ut:E0oIoUcgpO2VwHREK
Malware Config
Signatures
- Phemedrone
  An information and wallet stealer written in C#.
- Phemedrone family
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2972  system.exe
  2972  system.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2972  system.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process     procid_target
  PID 2972 wrote to memory of 2612  2972  system.exe  31
  PID 2972 wrote to memory of 2612  2972  system.exe  31
  PID 2972 wrote to memory of 2612  2972  system.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\system.exe (PID 2972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\system.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (PID 2612)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2972 -s 764