webmonitor | fae42a1d8dbd274ade612e53f14f4f48213f7397e413b32fb499ecf4179409b0

Analysis

max time kernel
134s
max time network
132s
platform
windows10_x64
resource
win10v20210410
submitted
11-05-2021 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE20210511.exe
Size

1.3MB
MD5

63f0d02851b4513b062581c91b62132b
SHA1

18a60c599d7e5daba6d6982ae33ca14d4e4067df
SHA256

fae42a1d8dbd274ade612e53f14f4f48213f7397e413b32fb499ecf4179409b0
SHA512

6407a553565fecf34f2f6fb4afb755ee262be43f19469e67e529fb1fc2c6559eba7a6867f9d059d35f39d7c86ae0fa84e8b10c3ce4e07050ea2a2dafd11e862e

Score

10^/10

webmonitor backdoor infostealer rat

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/184-140-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral2/memory/184-142-0x000000000049D8CA-mapping.dmp	family_webmonitor
behavioral2/memory/184-162-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor

Suspicious use of SetThreadContext 1 IoCs

Processes:

INVOICE20210511.exe

description pid process target process

PID 3152 set thread context of 184 3152 INVOICE20210511.exe INVOICE20210511.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3960 schtasks.exe

description	pid	process	target process
PID 3152 set thread context of 184	3152	INVOICE20210511.exe	INVOICE20210511.exe

pid	process
3960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

INVOICE20210511.exepowershell.exepowershell.exepowershell.exe

pid	process
3152	INVOICE20210511.exe
2128	powershell.exe
1280	powershell.exe
356	powershell.exe
1280	powershell.exe
2128	powershell.exe
356	powershell.exe
1280	powershell.exe
2128	powershell.exe
356	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

INVOICE20210511.exe

pid process

184 INVOICE20210511.exe

pid	process
184	INVOICE20210511.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

INVOICE20210511.exepowershell.exepowershell.exepowershell.exeINVOICE20210511.exe

description	pid	process
Token: SeDebugPrivilege	3152	INVOICE20210511.exe
Token: SeDebugPrivilege	356	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeShutdownPrivilege	184	INVOICE20210511.exe
Token: SeCreatePagefilePrivilege	184	INVOICE20210511.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

INVOICE20210511.exeINVOICE20210511.exe

description	pid	process	target process
PID 3152 wrote to memory of 356	3152	INVOICE20210511.exe	powershell.exe
PID 3152 wrote to memory of 356	3152	INVOICE20210511.exe	powershell.exe
PID 3152 wrote to memory of 356	3152	INVOICE20210511.exe	powershell.exe
PID 3152 wrote to memory of 2128	3152	INVOICE20210511.exe	powershell.exe
PID 3152 wrote to memory of 2128	3152	INVOICE20210511.exe	powershell.exe
PID 3152 wrote to memory of 2128	3152	INVOICE20210511.exe	powershell.exe
PID 3152 wrote to memory of 3960	3152	INVOICE20210511.exe	schtasks.exe
PID 3152 wrote to memory of 3960	3152	INVOICE20210511.exe	schtasks.exe
PID 3152 wrote to memory of 3960	3152	INVOICE20210511.exe	schtasks.exe
PID 3152 wrote to memory of 1280	3152	INVOICE20210511.exe	powershell.exe
PID 3152 wrote to memory of 1280	3152	INVOICE20210511.exe	powershell.exe
PID 3152 wrote to memory of 1280	3152	INVOICE20210511.exe	powershell.exe
PID 3152 wrote to memory of 184	3152	INVOICE20210511.exe	INVOICE20210511.exe
PID 3152 wrote to memory of 184	3152	INVOICE20210511.exe	INVOICE20210511.exe
PID 3152 wrote to memory of 184	3152	INVOICE20210511.exe	INVOICE20210511.exe
PID 3152 wrote to memory of 184	3152	INVOICE20210511.exe	INVOICE20210511.exe
PID 3152 wrote to memory of 184	3152	INVOICE20210511.exe	INVOICE20210511.exe
PID 3152 wrote to memory of 184	3152	INVOICE20210511.exe	INVOICE20210511.exe
PID 3152 wrote to memory of 184	3152	INVOICE20210511.exe	INVOICE20210511.exe
PID 3152 wrote to memory of 184	3152	INVOICE20210511.exe	INVOICE20210511.exe
PID 3152 wrote to memory of 184	3152	INVOICE20210511.exe	INVOICE20210511.exe
PID 184 wrote to memory of 3700	184	INVOICE20210511.exe	cmd.exe
PID 184 wrote to memory of 3700	184	INVOICE20210511.exe	cmd.exe
PID 184 wrote to memory of 3700	184	INVOICE20210511.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE20210511.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE20210511.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\INVOICE20210511.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:356
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nbBnuvGQkNaCaX.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nbBnuvGQkNaCaX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB0D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nbBnuvGQkNaCaX.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\INVOICE20210511.exe
  "C:\Users\Admin\AppData\Local\Temp\INVOICE20210511.exe"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1z3qqTh3PVxdIZpT.bat" "
    3⤵
    PID:3700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
82b8cb07304cadf1ddd34023f4475302

SHA1
8d9f0eeffaa5f0a8c8cac50422f0c75412c6fa55

SHA256
dff2ea6e3482b2fa1d318dd284ec1dfe2e69f352c5b25d7a4d830a13c342944e

SHA512
6e276db0115408640e52b19f712f7e63944ca0502705373637c7c2097568990b843b9cd167f25a8faba3cfc9dcbd92618621167a9eae16fafd1647b6500f0e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
e910b90681afe06ad7a744d6ab25eb38

SHA1
80a00fc9c8bed6bb57cb27fdd76f8d2e1a486db4

SHA256
5721789d48062c8c3ced3eb1f87616b59b370b3705dd3274bef4c30d81113458

SHA512
3a281c61d786c6b13d896dfe6c46411097e0a02d555a876de90bdfd508281fde1d4d3689c834c98595ca4cd20a2d77f44ed8095d54b8d833d636448226a58e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\1z3qqTh3PVxdIZpT.bat

MD5
1e65e7b95a88ad8339bde13bdb351dc4

SHA1
0226bde32eca0b6a538df8c408ca2133643f199b

SHA256
6786be62b28135b71bc0d633692efc337d8e6bd260533eec57bbd7ac47aa25b2

SHA512
c9e84983133661b7eae38b3dd1b3d99f1e18c7680d25fd672075504dd28ae383bdfb60b8cfa00bd733b97da093659fff7b25194f726cac9a54f17783d017e135

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB0D.tmp

MD5
942247a257c25d27f36809f5f9d48b08

SHA1
66163012f1df039363c992f1e1b6b8bbc2b8229e

SHA256
c4bb4b994c42ad458a8ee88c5a957ef2983b55d8ac3326d73d3cd269355859ec

SHA512
7d0b071d569477899afcfb0f0a4db293da31f7f8d4a4e936bf7cab1c1110b2aed85d4ebeb7d6731074f3dd093150b40e81109ba27fe63f8d42bbf9c26a94deba

Download Submit
memory/184-142-0x000000000049D8CA-mapping.dmp

Download
memory/184-140-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/184-162-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/356-153-0x00000000073A0000-0x00000000073A1000-memory.dmp

Filesize
4KB

Download
memory/356-193-0x000000007E820000-0x000000007E821000-memory.dmp

Filesize
4KB

Download
memory/356-156-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/356-146-0x0000000004292000-0x0000000004293000-memory.dmp

Filesize
4KB

Download
memory/356-125-0x0000000000000000-mapping.dmp

Download
memory/356-145-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/356-135-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/356-197-0x0000000004293000-0x0000000004294000-memory.dmp

Filesize
4KB

Download
memory/1280-195-0x0000000006A53000-0x0000000006A54000-memory.dmp

Filesize
4KB

Download
memory/1280-137-0x0000000000000000-mapping.dmp

Download
memory/1280-163-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/1280-164-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/1280-169-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/1280-159-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/1280-192-0x000000007ED60000-0x000000007ED61000-memory.dmp

Filesize
4KB

Download
memory/1280-148-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/1280-149-0x0000000006A52000-0x0000000006A53000-memory.dmp

Filesize
4KB

Download
memory/2128-126-0x0000000000000000-mapping.dmp

Download
memory/2128-194-0x000000007F410000-0x000000007F411000-memory.dmp

Filesize
4KB

Download
memory/2128-144-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2128-147-0x00000000047F2000-0x00000000047F3000-memory.dmp

Filesize
4KB

Download
memory/2128-132-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/2128-150-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/2128-196-0x00000000047F3000-0x00000000047F4000-memory.dmp

Filesize
4KB

Download
memory/3152-120-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/3152-123-0x0000000006150000-0x0000000006296000-memory.dmp

Filesize
1.3MB

Download
memory/3152-122-0x0000000004F80000-0x0000000004F84000-memory.dmp

Filesize
16KB

Download
memory/3152-124-0x00000000096E0000-0x0000000009821000-memory.dmp

Filesize
1.3MB

Download
memory/3152-114-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/3152-121-0x0000000004A90000-0x0000000004F8E000-memory.dmp

Filesize
5.0MB

Download
memory/3152-119-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/3152-118-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/3152-117-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3152-116-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/3700-201-0x0000000000000000-mapping.dmp

Download
memory/3960-127-0x0000000000000000-mapping.dmp

Download