Overview

overview

10

Static

static

0b41b1f1d3...48.exe

windows7_x64

10

0b41b1f1d3...48.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe

  • Size

    1.6MB

  • MD5

    727c2d4c6016849316ae589295508acc

  • SHA1

    9782d9c356d7c7f83a92daf941cd0e34b2301e32

  • SHA256

    0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348

  • SHA512

    cf083b91c210cc43006410648d096519cc45f6d2db40f2980f4b2816784ddfa8cf2b40b5eec277e0986cd192d3285806293d17ffd944d3376e9fa6798324bab8

Score
10/10
webmonitorbackdoorinfostealerpersistenceratupx

Malware Config

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe
    "C:\Users\Admin\AppData\Local\Temp\0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\regsa.exe
      C:\Users\Admin\AppData\Local\Temp/regsa.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Adds Run key to start application
        PID:4004
    • C:\Users\Admin\AppData\Local\Temp\crd_kg.exe
      C:\Users\Admin\AppData\Local\Temp/crd_kg.exe
      2⤵
      • Executes dropped EXE
      PID:804

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/640-127-0x0000000005380000-0x0000000005381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/640-128-0x00000000052F0000-0x000000000533B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/640-120-0x0000000000750000-0x0000000000751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/640-122-0x0000000005580000-0x0000000005581000-memory.dmp

    Filesize

    4KB

    Download

  • memory/640-123-0x0000000005120000-0x000000000519B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/640-126-0x00000000051A0000-0x00000000051C1000-memory.dmp

    Filesize

    132KB

    Download

  • memory/640-125-0x0000000005050000-0x000000000557C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/640-131-0x0000000005050000-0x000000000557C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/804-124-0x0000000000C50000-0x0000000000C51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/804-133-0x0000000000C53000-0x0000000000C55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4004-129-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

    Download

  • memory/4004-132-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

    Download