Overview

overview

10

Static

static

FILE_2932NH_9923.exe

windows7_x64

10

FILE_2932NH_9923.exe

windows10_x64

10

Analysis

  • max time kernel
    112s
  • max time network
    118s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21-07-2021 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FILE_2932NH_9923.exe

  • Size

    1.9MB

  • MD5

    1372b32848411ad39f19abe9d74b052f

  • SHA1

    b47548451a323c3ae62b25ee6b65f1fe76837639

  • SHA256

    7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a

  • SHA512

    ed15a4855f25b2ff6a00c2e19c4def71aac1d27945d249dbb26718107dbe48a4c3176be1e07cd1f5de29b7d3aeffb2530fb89c70c0f1e9ba77dc0c9bd3396942

Score
10/10
webmonitorbackdoorinfostealerrat

Malware Config

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor Payload 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FILE_2932NH_9923.exe
    "C:\Users\Admin\AppData\Local\Temp\FILE_2932NH_9923.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FILE_2932NH_9923.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3116
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DqkJYq.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1648
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DqkJYq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A63.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3908
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DqkJYq.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1840
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwX5c3Yf8iQTU7td.bat" "
        3⤵
          PID:2608

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/996-121-0x0000000005880000-0x0000000005D7E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/996-117-0x0000000005D80000-0x0000000005D81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/996-124-0x0000000007700000-0x00000000077F5000-memory.dmp

      Filesize

      980KB

      Download

    • memory/996-122-0x0000000006450000-0x000000000646B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/996-116-0x0000000005740000-0x0000000005741000-memory.dmp

      Filesize

      4KB

      Download

    • memory/996-114-0x0000000000C00000-0x0000000000C01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/996-120-0x0000000005880000-0x0000000005881000-memory.dmp

      Filesize

      4KB

      Download

    • memory/996-119-0x0000000005720000-0x0000000005721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/996-118-0x0000000005920000-0x0000000005921000-memory.dmp

      Filesize

      4KB

      Download

    • memory/996-123-0x00000000093D0000-0x0000000009507000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1648-228-0x000000007F8E0000-0x000000007F8E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1648-193-0x0000000009030000-0x0000000009063000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1648-166-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1648-265-0x00000000047F3000-0x00000000047F4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1648-156-0x00000000047F2000-0x00000000047F3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1648-152-0x00000000047F0000-0x00000000047F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1840-158-0x0000000004402000-0x0000000004403000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1840-148-0x00000000074B0000-0x00000000074B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1840-157-0x0000000004400000-0x0000000004401000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1840-233-0x000000007E4C0000-0x000000007E4C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1840-145-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1840-262-0x0000000004403000-0x0000000004404000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1840-214-0x0000000008B00000-0x0000000008B01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2056-159-0x0000000000400000-0x00000000004F3000-memory.dmp

      Filesize

      972KB

      Download

    • memory/2056-139-0x0000000000400000-0x00000000004F3000-memory.dmp

      Filesize

      972KB

      Download

    • memory/3116-153-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3116-230-0x000000007EF30000-0x000000007EF31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3116-258-0x0000000007363000-0x0000000007364000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3116-169-0x00000000089B0000-0x00000000089B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3116-163-0x0000000008090000-0x0000000008091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3116-160-0x0000000008280000-0x0000000008281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3116-151-0x0000000007362000-0x0000000007363000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3116-132-0x00000000079A0000-0x00000000079A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3116-128-0x00000000071B0000-0x00000000071B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3116-130-0x0000000007360000-0x0000000007361000-memory.dmp

      Filesize

      4KB

      Download