Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-12-2024 22:50
Static task
static1
Behavioral task
behavioral1
Sample
123123.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
123123.exe
Resource
win10v2004-20241007-en
General
-
Target
123123.exe
-
Size
1.1MB
-
MD5
12cd6d4eeb407906eedbc0b1f4b0f6b7
-
SHA1
438fdf39c97484407c506b003aa81184b5bf48ef
-
SHA256
38358ae773d721939f0d7e8f6b78edd6e0200f3db3f69f1f5bf8a20ef47a394f
-
SHA512
96c0adc8041410cb5c922ab5c8942635e58547cac29791bc6a2dad9bbd6e06937c2b9785cbb9dd9b8a67e11d7007588aea265ce411928f60f38688f036045d1c
-
SSDEEP
24576:WDNAd93ox8aPGwu5sFE4VSsw1GtLoAHp9pNX5zCI2zev5puga1Tk4xbBby:Wad93ozywt7J9DX554wMb0
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7641379829:AAFjgiXcMQofN3SUzqAhu88yXM8p4ktzdm4/sendDocument
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Phemedrone family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2664 123123.exe 2664 123123.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1292 2664 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 123123.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2664 123123.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2664 123123.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2664 123123.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2664 wrote to memory of 1292 2664 123123.exe 32 PID 2664 wrote to memory of 1292 2664 123123.exe 32 PID 2664 wrote to memory of 1292 2664 123123.exe 32 PID 2664 wrote to memory of 1292 2664 123123.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\123123.exe"C:\Users\Admin\AppData\Local\Temp\123123.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 7202⤵
- Program crash
PID:1292
-