webmonitor | d4511fa399217b186b74d425d5a0857ae7fe394c9993d76f79beccf2ecea92e2

Analysis

max time kernel
135s
max time network
136s
platform
windows10_x64
resource
win10v20210408
submitted
25-05-2021 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BjHM6PDDCwG9GvC.exe
Size

1.3MB
MD5

58753a65f6bcaf7b06217d456bd3fa1a
SHA1

5031df39b31c8ceb0ad15e80156a2349c2fd5ade
SHA256

d4511fa399217b186b74d425d5a0857ae7fe394c9993d76f79beccf2ecea92e2
SHA512

47ba296df03054cf97a865d24de2ec87e20c9865963cdafa4eee86736e1af1003463d2b0623467d70756d286f9917d31a4a2deb9d0d8c28e7ed345f0b015fd35

Score

10^/10

webmonitor backdoor infostealer rat

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2064-143-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral2/memory/2064-144-0x000000000049D8CA-mapping.dmp	family_webmonitor
behavioral2/memory/2064-151-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/644-122-0x00000000051A0000-0x00000000051A5000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

Processes:

BjHM6PDDCwG9GvC.exe

description pid process target process

PID 644 set thread context of 2064 644 BjHM6PDDCwG9GvC.exe BjHM6PDDCwG9GvC.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1136 schtasks.exe

description	pid	process	target process
PID 644 set thread context of 2064	644	BjHM6PDDCwG9GvC.exe	BjHM6PDDCwG9GvC.exe

pid	process
1136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

BjHM6PDDCwG9GvC.exepowershell.exepowershell.exepowershell.exe

pid	process
644	BjHM6PDDCwG9GvC.exe
1864	powershell.exe
4092	powershell.exe
3872	powershell.exe
1864	powershell.exe
3872	powershell.exe
4092	powershell.exe
1864	powershell.exe
4092	powershell.exe
3872	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

BjHM6PDDCwG9GvC.exe

pid process

2064 BjHM6PDDCwG9GvC.exe

pid	process
2064	BjHM6PDDCwG9GvC.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

BjHM6PDDCwG9GvC.exepowershell.exepowershell.exepowershell.exeBjHM6PDDCwG9GvC.exe

description	pid	process
Token: SeDebugPrivilege	644	BjHM6PDDCwG9GvC.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeShutdownPrivilege	2064	BjHM6PDDCwG9GvC.exe
Token: SeCreatePagefilePrivilege	2064	BjHM6PDDCwG9GvC.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

BjHM6PDDCwG9GvC.exeBjHM6PDDCwG9GvC.exe

description	pid	process	target process
PID 644 wrote to memory of 1864	644	BjHM6PDDCwG9GvC.exe	powershell.exe
PID 644 wrote to memory of 1864	644	BjHM6PDDCwG9GvC.exe	powershell.exe
PID 644 wrote to memory of 1864	644	BjHM6PDDCwG9GvC.exe	powershell.exe
PID 644 wrote to memory of 4092	644	BjHM6PDDCwG9GvC.exe	powershell.exe
PID 644 wrote to memory of 4092	644	BjHM6PDDCwG9GvC.exe	powershell.exe
PID 644 wrote to memory of 4092	644	BjHM6PDDCwG9GvC.exe	powershell.exe
PID 644 wrote to memory of 1136	644	BjHM6PDDCwG9GvC.exe	schtasks.exe
PID 644 wrote to memory of 1136	644	BjHM6PDDCwG9GvC.exe	schtasks.exe
PID 644 wrote to memory of 1136	644	BjHM6PDDCwG9GvC.exe	schtasks.exe
PID 644 wrote to memory of 3872	644	BjHM6PDDCwG9GvC.exe	powershell.exe
PID 644 wrote to memory of 3872	644	BjHM6PDDCwG9GvC.exe	powershell.exe
PID 644 wrote to memory of 3872	644	BjHM6PDDCwG9GvC.exe	powershell.exe
PID 644 wrote to memory of 2064	644	BjHM6PDDCwG9GvC.exe	BjHM6PDDCwG9GvC.exe
PID 644 wrote to memory of 2064	644	BjHM6PDDCwG9GvC.exe	BjHM6PDDCwG9GvC.exe
PID 644 wrote to memory of 2064	644	BjHM6PDDCwG9GvC.exe	BjHM6PDDCwG9GvC.exe
PID 644 wrote to memory of 2064	644	BjHM6PDDCwG9GvC.exe	BjHM6PDDCwG9GvC.exe
PID 644 wrote to memory of 2064	644	BjHM6PDDCwG9GvC.exe	BjHM6PDDCwG9GvC.exe
PID 644 wrote to memory of 2064	644	BjHM6PDDCwG9GvC.exe	BjHM6PDDCwG9GvC.exe
PID 644 wrote to memory of 2064	644	BjHM6PDDCwG9GvC.exe	BjHM6PDDCwG9GvC.exe
PID 644 wrote to memory of 2064	644	BjHM6PDDCwG9GvC.exe	BjHM6PDDCwG9GvC.exe
PID 644 wrote to memory of 2064	644	BjHM6PDDCwG9GvC.exe	BjHM6PDDCwG9GvC.exe
PID 2064 wrote to memory of 1268	2064	BjHM6PDDCwG9GvC.exe	cmd.exe
PID 2064 wrote to memory of 1268	2064	BjHM6PDDCwG9GvC.exe	cmd.exe
PID 2064 wrote to memory of 1268	2064	BjHM6PDDCwG9GvC.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\BjHM6PDDCwG9GvC.exe
"C:\Users\Admin\AppData\Local\Temp\BjHM6PDDCwG9GvC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BjHM6PDDCwG9GvC.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FcngqEfa.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FcngqEfa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6117.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1136
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FcngqEfa.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3872
- C:\Users\Admin\AppData\Local\Temp\BjHM6PDDCwG9GvC.exe
  "C:\Users\Admin\AppData\Local\Temp\BjHM6PDDCwG9GvC.exe"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMeWd68UncgSctQp.bat" "
    3⤵
    PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
140234987abcc7b60dc8264bb21247a4

SHA1
d083d0b2267c06e6e95ce5285260cfa8dcefe68e

SHA256
2f0fa25bdc2d5725f181763d442c94ae1fe4495fc866c28951cc4a09ca84b746

SHA512
f6db8ad8d9c8f1d951348cd9bc4824ef91bf7c9613402d4cd9a7a02d22896751ca972148865cdfdb4e24c50c63c93a90e353536c358adfefaa655e56ad666e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3bb3c99c287b4befb547e2d5ce28922d

SHA1
29ed0d6f1c5157091d21788ebba7b7a66fa5c7e2

SHA256
3ad42c006f1e6429a5dadad871d67b02017dad777c3868c3499155c2314052af

SHA512
9d0ae49f22f906e051ca270eb518f0f33f9dc112a352704429b6d18a80359dba8ba8b145f6076b1827cd630f5027877698504c5b56c481d2341e5387882e42b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMeWd68UncgSctQp.bat

MD5
8c839ac1d0101454700065080a656ac8

SHA1
495a4471b07774819dabf9efb1142cf8bd29cf84

SHA256
22715665b0f74bf0c4108906532fbfe8cb0e18643c700fec5685d0eb0cb5fa4f

SHA512
1917840d81f77fbe0373d0886d9d858a16d9af3ea9c703361f7dc54d3a13d9a496fa9ba6682a7755588968e9d8ff9808baf37672f4f2ce0a3ac8c687b6fb2768

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6117.tmp

MD5
f1910e649554bad625433bc7127d0153

SHA1
d9b263277fc4ec3b92aec38b2b0ccee251beb878

SHA256
7814c471f2b0dcda21ffacfb2c55c0d058130345964f85557a21b8c010500169

SHA512
5c3cbd3a6c1a9ed381febec698db41ff92af32a719c1b596b3661b401eb2d10aabe810c8cc3a4f4b589b461d23361ad0964e2aa6e8cd028677c97ffc4cddfa47

Download Submit
memory/644-121-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/644-122-0x00000000051A0000-0x00000000051A5000-memory.dmp

Filesize
20KB

Download
memory/644-123-0x0000000004DE0000-0x00000000052DE000-memory.dmp

Filesize
5.0MB

Download
memory/644-124-0x00000000074C0000-0x00000000075CD000-memory.dmp

Filesize
1.1MB

Download
memory/644-125-0x0000000009C10000-0x0000000009D3F000-memory.dmp

Filesize
1.2MB

Download
memory/644-116-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/644-120-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/644-114-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/644-117-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/644-118-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/644-119-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1136-131-0x0000000000000000-mapping.dmp

Download
memory/1268-201-0x0000000000000000-mapping.dmp

Download
memory/1864-126-0x0000000000000000-mapping.dmp

Download
memory/1864-137-0x0000000004F62000-0x0000000004F63000-memory.dmp

Filesize
4KB

Download
memory/1864-136-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/1864-132-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/1864-129-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/1864-164-0x00000000082A0000-0x00000000082A1000-memory.dmp

Filesize
4KB

Download
memory/1864-197-0x0000000004F63000-0x0000000004F64000-memory.dmp

Filesize
4KB

Download
memory/1864-193-0x000000007F440000-0x000000007F441000-memory.dmp

Filesize
4KB

Download
memory/1864-167-0x0000000008750000-0x0000000008751000-memory.dmp

Filesize
4KB

Download
memory/2064-143-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2064-151-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2064-144-0x000000000049D8CA-mapping.dmp

Download
memory/3872-142-0x0000000000000000-mapping.dmp

Download
memory/3872-155-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/3872-152-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/3872-158-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/3872-150-0x0000000006B72000-0x0000000006B73000-memory.dmp

Filesize
4KB

Download
memory/3872-194-0x000000007E920000-0x000000007E921000-memory.dmp

Filesize
4KB

Download
memory/3872-196-0x0000000006B73000-0x0000000006B74000-memory.dmp

Filesize
4KB

Download
memory/3872-149-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/4092-195-0x0000000000F93000-0x0000000000F94000-memory.dmp

Filesize
4KB

Download
memory/4092-192-0x000000007F090000-0x000000007F091000-memory.dmp

Filesize
4KB

Download
memory/4092-170-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/4092-138-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/4092-139-0x0000000000F92000-0x0000000000F93000-memory.dmp

Filesize
4KB

Download
memory/4092-130-0x0000000000000000-mapping.dmp

Download