Analysis
max time kernel: 112s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-12-2024 13:15
Behavioral tasks
behavioral1: Sample Resource.zip, Resource win10v2004-20241007-en
behavioral2: Sample ReadMe.txt, Resource win10v2004-20241007-en
behavioral3: Sample Resource.zip, Resource win10v2004-20241007-en
behavioral4: Sample Resource.exe, Resource win10v2004-20241007-en
General
Target: Resource.zip
Size: 137KB
MD5: de4eaf5a4da426a0bbfbbe0eb2dd0985
SHA1: 61a2fb33f2611dd8d884b7525d85c7ac5f121b1c
SHA256: b5d297464944d519b49b2cf83916b390a7f43f3a7f8bb17b793640b042aaaa43
SHA512: 6b585a725954ebba297d3373eca061a43f13b507607f8d2350f2d783a8047c7295354ac65b2c2549d0370255bcfa4e58fd44401c131bcfdc3c133d628041046c
SSDEEP: 3072:eLykyx2xrZAoxRwUMlhFoi95j3pyI69Nr3tg+xy:4yKrZAwRwtHFB9Z3pyr3thw
Malware Config
Extracted
  Family: phemedrone
  URL: https://mined.to/gate.php
Signatures
Phemedrone
An information and wallet stealer written in C#.

Phemedrone family

Executes dropped EXE (4 IoCs)
  pid   Process
  8     Resource.exe
  3364  Resource.exe
  3516  Resource.exe
  4304  Resource.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steals credentials from unsecured files.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. Note that all three accesses listed here are attributed to taskmgr.exe (PID 2264), not to the Resource.exe sample, so this signature should be weighed accordingly.
  description        ioc                                                                                                                                                                         Process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                                               taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                                            taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A                      taskmgr.exe
Suspicious behavior: EnumeratesProcesses 49 IoCs
pid Process 8 Resource.exe 4844 7zFM.exe 4844 7zFM.exe 3364 Resource.exe 3516 Resource.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 4304 Resource.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  4844  7zFM.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description                      pid   Process
  Token: SeRestorePrivilege        4844  7zFM.exe
  Token: 35                        4844  7zFM.exe
  Token: SeSecurityPrivilege       4844  7zFM.exe
  Token: SeDebugPrivilege          8     Resource.exe
  Token: SeSecurityPrivilege       4844  7zFM.exe
  Token: SeDebugPrivilege          3364  Resource.exe
  Token: SeDebugPrivilege          3516  Resource.exe
  Token: SeDebugPrivilege          2264  taskmgr.exe
  Token: SeSystemProfilePrivilege  2264  taskmgr.exe
  Token: SeCreateGlobalPrivilege   2264  taskmgr.exe
  Token: SeDebugPrivilege          4304  Resource.exe
Suspicious use of FindShellTrayWindow 58 IoCs
pid Process 4844 7zFM.exe 4844 7zFM.exe 4844 7zFM.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe -
Suspicious use of SendNotifyMessage 55 IoCs
pid Process 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe 2264 taskmgr.exe -
Suspicious use of WriteProcessMemory (2 IoCs)
  description                    pid   Process   procid_target
  PID 4844 wrote to memory of 8  4844  7zFM.exe  92
  PID 4844 wrote to memory of 8  4844  7zFM.exe  92
Processes
C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Resource.zip"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 4844
  Child process:
    C:\Users\Admin\AppData\Local\Temp\7zOCE2D5328\Resource.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zOCE2D5328\Resource.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 8

C:\Users\Admin\Desktop\Resource.exe
  Command line: "C:\Users\Admin\Desktop\Resource.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3364

C:\Users\Admin\Desktop\Resource.exe
  Command line: "C:\Users\Admin\Desktop\Resource.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3516

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2264

C:\Users\Admin\Desktop\Resource.exe
  Command line: "C:\Users\Admin\Desktop\Resource.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4304
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 047626f4219f08c857a1a37af444715b
  SHA1: 7f74cfd9086887bd61aa334b34fe7acc9bd515af
  SHA256: ca2859a46cc0902c28f5d7716a612ec15f8baf5856843fe20c036770b3a7cace
  SHA512: b6791ea8b9f6dbf90869fe0bd5f8d9a1c5bf50fab18633727972d556dee0337104d749c004bf587f7ea1f9c8a40378d536fd95b8cd45c1e7d90c35cac2aa73cf
- Filesize: 137KB
  MD5: 4f38c635b15d7f9087a758baca7c6662
  SHA1: 0cbfe507872829dc19e63436fb8e9759dfb42271
  SHA256: 0404b9addf506f9b143521aed1b3a1003c2c8f16828221946a4d06dac6e85bfd
  SHA512: dde8048dc7add02f03196438f171c52e6bd04fe099be061c6f2adcb8ed893d4e9279a823d8bd1c6d506d6f1e1857bb1ff5f5a41292e643db8aa6f025f4a8fddb