Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 13:44

Static task: static1
Behavioral task: behavioral1
Sample: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
Resource: win7-20240903-en
General

Target: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
Size: 208B
MD5: f74352d968ebe606fcc81a9d827e5ccf
SHA1: 1d6b0838ef4e437998b11ea7c15691e483d7b9d6
SHA256: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6
SHA512: b8cf2b1d9fd7b4c2557918d05b89cc179f60849c6959dcefd92a26619c4af53cd5deb13bca6b9028af1934628626a3f0d27c463f38d4f73f5e1aedc37c080178
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7772275304:AAF3OSvWBzn5cIHkGD9ueBFz5ed91u-60-U/sendDocument
Signatures

Phemedrone
An information and wallet stealer written in C#.

Phemedrone family

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Activation.exe

Blocklisted process makes network request 1 IoCs
flow | pid | Process
15 | 1144 | powershell.exe

pid | Process
1144 | powershell.exe
4848 | powershell.exe
4848 | powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Activation.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Activation.exe

Executes dropped EXE 1 IoCs
pid | Process
3952 | Activation.exe

resource | yara_rule
behavioral2/files/0x000a000000023cac-36.dat | themida
behavioral2/memory/3952-46-0x0000000000DE0000-0x0000000001674000-memory.dmp | themida
behavioral2/memory/3952-47-0x0000000000DE0000-0x0000000001674000-memory.dmp | themida
behavioral2/memory/3952-50-0x0000000000DE0000-0x0000000001674000-memory.dmp | themida

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Activation.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
3952 | Activation.exe

Program crash 1 IoCs
pid | pid_target | Process | procid_target
4284 | 3952 | WerFault.exe | 84
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Activation.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1144 | powershell.exe
1144 | powershell.exe
4848 | powershell.exe
4848 | powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1144 | powershell.exe
Token: SeDebugPrivilege | 4848 | powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs
description | pid | Process | procid_target
PID 1144 wrote to memory of 4848 | 1144 | powershell.exe | 83
PID 1144 wrote to memory of 4848 | 1144 | powershell.exe | 83
PID 1144 wrote to memory of 3952 | 1144 | powershell.exe | 84
PID 1144 wrote to memory of 3952 | 1144 | powershell.exe | 84
PID 1144 wrote to memory of 3952 | 1144 | powershell.exe | 84
Processes

1. Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
   - Blocklisted process makes network request
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID:1144

   2. Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4848

   2. Image: C:\Users\Admin\AppData\Local\Activation.exe
      Command line: "C:\Users\Admin\AppData\Local\Activation.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      PID:3952

      3. Image: C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1008
         - Program crash
         PID:4284

1. Image: C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3952 -ip 3952
   PID:1348
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.2MB
MD5: aa3a94ba72728df41a815b060f5e9c52
SHA1: baec525e25786a3787b90b300a383f814e65377d
SHA256: 573a6686dba8217e51b0c4fd9b041a4bf3ce193d6be69e201a6edcefa3dc42e6
SHA512: 99772aa3f7837a205f1657730cafc93d8bdcd3cd3826669402f344db5ba28d48c84521dba2a7eab2e7a0c5b3b064fe8c364b9665d03253a94f6177565ef82962

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 1KB
MD5: 52dd65727b6dc0b674fa40372ff08d66
SHA1: b7f0df7e48f20b7f8897cd70206846a3129aff62
SHA256: a00583734abe93d86d1b66629f0c9fdfd48c12f3d2940d30e6f88c147948095a
SHA512: 7a3a2f8a358382f9d5152fc309e1f48ac7c1fa7b734f00658fbfe2b762af2a8cc74ea3d0d0702336a3ebc6ea535241c8e33d78e86b7e071dcfa299080c92a724

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82