Analysis
max time kernel: 803s
max time network: 544s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 10:26
Static task: static1
Behavioral task: behavioral1
Sample: Resource.zip
Resource: win10v2004-20241007-en
General
Target: Resource.zip
Size: 137KB
MD5: de4eaf5a4da426a0bbfbbe0eb2dd0985
SHA1: 61a2fb33f2611dd8d884b7525d85c7ac5f121b1c
SHA256: b5d297464944d519b49b2cf83916b390a7f43f3a7f8bb17b793640b042aaaa43
SHA512: 6b585a725954ebba297d3373eca061a43f13b507607f8d2350f2d783a8047c7295354ac65b2c2549d0370255bcfa4e58fd44401c131bcfdc3c133d628041046c
SSDEEP: 3072:eLykyx2xrZAoxRwUMlhFoi95j3pyI69Nr3tg+xy:4yKrZAwRwtHFB9Z3pyr3thw
Malware Config
Extracted
Family: phemedrone
URL: https://mined.to/gate.php
Signatures
- Phemedrone
  An information and wallet stealer written in C#.
- Phemedrone family
- Executes dropped EXE (4 IoCs)
  pid   Process
  396   Resource.exe
  116   Resource.exe
  2928  Resource.exe
  4856  Resource.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid   Process       (entries)
  396   Resource.exe  (1)
  4324  7zFM.exe      (6)
  4204  taskmgr.exe   (11)
  2928  Resource.exe  (1)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  4324  7zFM.exe
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 4324 | 7zFM.exe
  Token: 35 | 4324 | 7zFM.exe
  Token: SeSecurityPrivilege | 4324 | 7zFM.exe
  Token: SeDebugPrivilege | 396 | Resource.exe
  Token: SeSecurityPrivilege | 4324 | 7zFM.exe
  Token: SeDebugPrivilege | 4204 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4204 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4204 | taskmgr.exe
  Token: 33 | 4204 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 4204 | taskmgr.exe
  Token: SeSecurityPrivilege | 4324 | 7zFM.exe
  Token: SeDebugPrivilege | 2928 | Resource.exe
- Suspicious use of FindShellTrayWindow (42 IoCs)
  pid   Process       (entries, in order)
  4324  7zFM.exe      (4)
  4204  taskmgr.exe   (37)
  4324  7zFM.exe      (1)
- Suspicious use of SendNotifyMessage (37 IoCs)
  pid   Process       (entries)
  4204  taskmgr.exe   (37)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 4324 wrote to memory of 396 | 4324 | 7zFM.exe | 85
  PID 4324 wrote to memory of 396 | 4324 | 7zFM.exe | 85
  PID 4324 wrote to memory of 116 | 4324 | 7zFM.exe | 91
  PID 4324 wrote to memory of 116 | 4324 | 7zFM.exe | 91
Processes
- C:\Program Files\7-Zip\7zFM.exe (PID: 4324)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Resource.zip"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zO4E0B8BC7\Resource.exe (PID: 396, child of 4324)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4E0B8BC7\Resource.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\7zO4E068A87\Resource.exe (PID: 116, child of 4324)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4E068A87\Resource.exe"
    - Executes dropped EXE
- C:\Windows\system32\taskmgr.exe (PID: 4204)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Users\Admin\Desktop\Resource.exe (PID: 2928)
  Command line: "C:\Users\Admin\Desktop\Resource.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Desktop\Resource.exe (PID: 4856)
  Command line: "C:\Users\Admin\Desktop\Resource.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: bd147fb589a67207c08c07ccb0b2991c
  SHA1: ca95f9cb042c95e9b89b55f76a411e7324ce8f0f
  SHA256: cfb433e98e44829cb9824f1197568887d8c6ab7c36dd87a7bad0a1e829a0849a
  SHA512: ad0f6c98011e46abe322f61cda2265714b6b058806876bf36b13be15d9e6e178fd18d059b7d705040e17fe61aed62c3654c3adf28abdd9f51288ffe5a30add7a
- Filesize: 137KB
  MD5: 4f38c635b15d7f9087a758baca7c6662
  SHA1: 0cbfe507872829dc19e63436fb8e9759dfb42271
  SHA256: 0404b9addf506f9b143521aed1b3a1003c2c8f16828221946a4d06dac6e85bfd
  SHA512: dde8048dc7add02f03196438f171c52e6bd04fe099be061c6f2adcb8ed893d4e9279a823d8bd1c6d506d6f1e1857bb1ff5f5a41292e643db8aa6f025f4a8fddb