Analysis

  • max time kernel
    91s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-12-2024 13:15

General

  • Target

    Resource.zip

  • Size

    138KB

  • MD5

    6174ba506514ec4b51459759c8d0f0cb

  • SHA1

    4c6340680c3ddaeae06d1a8cd34dfbba2de748c5

  • SHA256

    f22347457dcc1547a18a9aa2526dc2d355b4af14ebc468c0ac56ba1f1084041f

  • SHA512

    799ed2e2ed3837604edd51119424dbc749938a207cd414fa5a709f6b2eef7d9c2195e3b1ffb69a59242190dcf123113b21e895fbee0543e7d74f41abc5729df1

  • SSDEEP

    3072:LLykyx2xrZAoxRwUMlhFoi95j3pyI69Nr3tg+x5:RyKrZAwRwtHFB9Z3pyr3th7

Malware Config

Extracted

Family

phemedrone

C2

https://mined.to/gate.php

Signatures

  • Phemedrone

    An information and wallet stealer written in C#.

  • Phemedrone family
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Resource.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Users\Admin\AppData\Local\Temp\7zO845304B7\Resource.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO845304B7\Resource.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2424

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO845304B7\Resource.exe

    Filesize

    137KB

    MD5

    4f38c635b15d7f9087a758baca7c6662

    SHA1

    0cbfe507872829dc19e63436fb8e9759dfb42271

    SHA256

    0404b9addf506f9b143521aed1b3a1003c2c8f16828221946a4d06dac6e85bfd

    SHA512

    dde8048dc7add02f03196438f171c52e6bd04fe099be061c6f2adcb8ed893d4e9279a823d8bd1c6d506d6f1e1857bb1ff5f5a41292e643db8aa6f025f4a8fddb

  • memory/2424-12-0x00007FF9DDC83000-0x00007FF9DDC85000-memory.dmp

    Filesize

    8KB

  • memory/2424-13-0x000001EB25740000-0x000001EB25768000-memory.dmp

    Filesize

    160KB

  • memory/2424-14-0x00007FF9DDC80000-0x00007FF9DE741000-memory.dmp

    Filesize

    10.8MB

  • memory/2424-16-0x00007FF9DDC80000-0x00007FF9DE741000-memory.dmp

    Filesize

    10.8MB