Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04-12-2024 13:43
Behavioral task: behavioral1
- Sample: Activation.exe
- Resource: win7-20240903-en
General
- Target: Activation.exe
- Size: 3.2MB
- MD5: aa3a94ba72728df41a815b060f5e9c52
- SHA1: baec525e25786a3787b90b300a383f814e65377d
- SHA256: 573a6686dba8217e51b0c4fd9b041a4bf3ce193d6be69e201a6edcefa3dc42e6
- SHA512: 99772aa3f7837a205f1657730cafc93d8bdcd3cd3826669402f344db5ba28d48c84521dba2a7eab2e7a0c5b3b064fe8c364b9665d03253a94f6177565ef82962
- SSDEEP: 98304:Jj3eS6htWV1940j0wk0IySMGfEsiC0BDm+:0S67WVRjplgMJRVb
Malware Config
- Extracted: phemedrone
- https://api.telegram.org/bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendDocument
Signatures

- Phemedrone
  An information and wallet stealer written in C#.

- Phemedrone family

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Activation.exe

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Activation.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Activation.exe

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- YARA rule matches (themida)
  resource | yara_rule
  behavioral1/memory/3000-21-0x0000000001280000-0x0000000001B14000-memory.dmp | themida
  behavioral1/memory/3000-22-0x0000000001280000-0x0000000001B14000-memory.dmp | themida
  behavioral1/memory/3000-26-0x0000000001280000-0x0000000001B14000-memory.dmp | themida

- Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.

- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Activation.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | Process
  3000 | Activation.exe

- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2796 | 3000 | WerFault.exe | 29

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Activation.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  3000 | Activation.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 3000 | Activation.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3000 wrote to memory of 2796 | 3000 | Activation.exe | 31
  PID 3000 wrote to memory of 2796 | 3000 | Activation.exe | 31
  PID 3000 wrote to memory of 2796 | 3000 | Activation.exe | 31
  PID 3000 wrote to memory of 2796 | 3000 | Activation.exe | 31
Processes

1. C:\Users\Admin\AppData\Local\Temp\Activation.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Activation.exe"
   PID: 3000
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 860
      PID: 2796
      - Program crash
Network
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores: 1
    - Credentials from Web Browsers: 1
  - Unsecured Credentials: 3
    - Credentials In Files: 3