webmonitor | 0ed8f93b98f9cfff89559df9e0a8d360cab3dde1abfa2992216b4a98c5ca1253

Analysis

max time kernel
84s
max time network
139s
platform
windows10_x64
resource
win10v20210410
submitted
27-07-2021 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HSBC_PAYMENT_COPY.pdf.exe
Size

1.4MB
MD5

08f2609e7f7daf0f78032f773a68b72c
SHA1

f00e4c61cce15ee5f43c032d8d595aba65fbdc86
SHA256

0ed8f93b98f9cfff89559df9e0a8d360cab3dde1abfa2992216b4a98c5ca1253
SHA512

8c1ba503d2956ad0c60b11547908b81e601a3bfb2c75ae73c03718bd883ff94451b0697f915049614470d59388d161c02893ad90b48466f77fc154a20215da74

Score

10^/10

webmonitor backdoor infostealer rat

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1784-137-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral2/memory/1784-138-0x000000000049D8CA-mapping.dmp	family_webmonitor
behavioral2/memory/1784-155-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/500-121-0x0000000006EA0000-0x0000000006EAB000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

Processes:

HSBC_PAYMENT_COPY.pdf.exe

description pid process target process

PID 500 set thread context of 1784 500 HSBC_PAYMENT_COPY.pdf.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1484 schtasks.exe

description	pid	process	target process
PID 500 set thread context of 1784	500	HSBC_PAYMENT_COPY.pdf.exe	RegSvcs.exe

pid	process
1484	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
1900	powershell.exe
500
420	powershell.exe
3880	powershell.exe
420	powershell.exe
1900	powershell.exe
3880	powershell.exe
420	powershell.exe
1900	powershell.exe
3880	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	500
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeShutdownPrivilege	1784	RegSvcs.exe
Token: SeCreatePagefilePrivilege	1784	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

HSBC_PAYMENT_COPY.pdf.exeRegSvcs.exe

description	pid	process	target process
PID 500 wrote to memory of 420	500	HSBC_PAYMENT_COPY.pdf.exe	powershell.exe
PID 500 wrote to memory of 420	500	HSBC_PAYMENT_COPY.pdf.exe	powershell.exe
PID 500 wrote to memory of 420	500	HSBC_PAYMENT_COPY.pdf.exe	powershell.exe
PID 500 wrote to memory of 1900	500	HSBC_PAYMENT_COPY.pdf.exe	powershell.exe
PID 500 wrote to memory of 1900	500	HSBC_PAYMENT_COPY.pdf.exe	powershell.exe
PID 500 wrote to memory of 1900	500	HSBC_PAYMENT_COPY.pdf.exe	powershell.exe
PID 500 wrote to memory of 1484	500	HSBC_PAYMENT_COPY.pdf.exe	schtasks.exe
PID 500 wrote to memory of 1484	500	HSBC_PAYMENT_COPY.pdf.exe	schtasks.exe
PID 500 wrote to memory of 1484	500	HSBC_PAYMENT_COPY.pdf.exe	schtasks.exe
PID 500 wrote to memory of 3880	500	HSBC_PAYMENT_COPY.pdf.exe	powershell.exe
PID 500 wrote to memory of 3880	500	HSBC_PAYMENT_COPY.pdf.exe	powershell.exe
PID 500 wrote to memory of 3880	500	HSBC_PAYMENT_COPY.pdf.exe	powershell.exe
PID 500 wrote to memory of 1784	500	HSBC_PAYMENT_COPY.pdf.exe	RegSvcs.exe
PID 500 wrote to memory of 1784	500	HSBC_PAYMENT_COPY.pdf.exe	RegSvcs.exe
PID 500 wrote to memory of 1784	500	HSBC_PAYMENT_COPY.pdf.exe	RegSvcs.exe
PID 500 wrote to memory of 1784	500	HSBC_PAYMENT_COPY.pdf.exe	RegSvcs.exe
PID 500 wrote to memory of 1784	500	HSBC_PAYMENT_COPY.pdf.exe	RegSvcs.exe
PID 500 wrote to memory of 1784	500	HSBC_PAYMENT_COPY.pdf.exe	RegSvcs.exe
PID 500 wrote to memory of 1784	500	HSBC_PAYMENT_COPY.pdf.exe	RegSvcs.exe
PID 500 wrote to memory of 1784	500	HSBC_PAYMENT_COPY.pdf.exe	RegSvcs.exe
PID 500 wrote to memory of 1784	500	HSBC_PAYMENT_COPY.pdf.exe	RegSvcs.exe
PID 1784 wrote to memory of 972	1784	RegSvcs.exe	cmd.exe
PID 1784 wrote to memory of 972	1784	RegSvcs.exe	cmd.exe
PID 1784 wrote to memory of 972	1784	RegSvcs.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_COPY.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_COPY.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:500
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT_COPY.pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WTddvQz.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WTddvQz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp180D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1484
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WTddvQz.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYOrcE0MxYGeHPSA.bat" "
    3⤵
    PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
685371624d168679e07afe4dc6f2fa0c

SHA1
57ba31b8da51809c261b502e11dfb66790fdb490

SHA256
b5540cef6e441a74c4c29e059a8b7e30939baf8f87bf0a9a2e08e3e3974d91ae

SHA512
263b4f6d3703e82c74e3ffb4ea32600b6fa789658663e4285d04d08bf87f198be0e311b3444ab08acadb38624f55c7c4f9bf18a99a87e9c3fd6a85359c0ec1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
685371624d168679e07afe4dc6f2fa0c

SHA1
57ba31b8da51809c261b502e11dfb66790fdb490

SHA256
b5540cef6e441a74c4c29e059a8b7e30939baf8f87bf0a9a2e08e3e3974d91ae

SHA512
263b4f6d3703e82c74e3ffb4ea32600b6fa789658663e4285d04d08bf87f198be0e311b3444ab08acadb38624f55c7c4f9bf18a99a87e9c3fd6a85359c0ec1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYOrcE0MxYGeHPSA.bat

MD5
8839bf78c88a47f926aad0cad9485f18

SHA1
d3d5bb115f4f2f2d74999c18483e6ce2773a3fe8

SHA256
f084280b68a8c284c33e1705bdb88cad7c3c73624b4353331315fd1f59cc7d16

SHA512
1e2e3a620e38112e9226d6762d40c4d5f575d460b4bd3d37b82c219d39948ee05519d21d3eb231695bd9563d05e91835eef431b47b7c06faa300c3f1a830355d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp180D.tmp

MD5
b09c39ec8d3fe0050b3f5742571b0a7a

SHA1
2b185059761351b3466fb8c1d2eba182b1b99beb

SHA256
f676c7c0ee5734bc5326878ece55ce7916e7b2d3c6c9faa6f2fbb7ced4cefeab

SHA512
1847f0a3396cfedc1b457d511f828a763ab6bc6808f5df864521311bad166dc53b2e6662160fbd853e56406a788e40721b4683516163ab8b8c44361555d84ef9

Download Submit
memory/420-144-0x0000000006752000-0x0000000006753000-memory.dmp

Filesize
4KB

Download
memory/420-252-0x0000000006753000-0x0000000006754000-memory.dmp

Filesize
4KB

Download
memory/420-142-0x0000000006750000-0x0000000006751000-memory.dmp

Filesize
4KB

Download
memory/420-163-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/420-124-0x0000000000000000-mapping.dmp

Download
memory/420-168-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/420-190-0x0000000008AC0000-0x0000000008AF3000-memory.dmp

Filesize
204KB

Download
memory/420-130-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/420-132-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/420-202-0x000000007FDD0000-0x000000007FDD1000-memory.dmp

Filesize
4KB

Download
memory/420-210-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

Filesize
4KB

Download
memory/420-161-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/420-224-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/500-114-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/500-116-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/500-117-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/500-118-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/500-119-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/500-121-0x0000000006EA0000-0x0000000006EAB000-memory.dmp

Filesize
44KB

Download
memory/500-120-0x0000000004DE0000-0x00000000052DE000-memory.dmp

Filesize
5.0MB

Download
memory/500-123-0x0000000008B90000-0x0000000008C85000-memory.dmp

Filesize
980KB

Download
memory/500-122-0x00000000089D0000-0x0000000008AF5000-memory.dmp

Filesize
1.1MB

Download
memory/972-362-0x0000000000000000-mapping.dmp

Download
memory/1484-126-0x0000000000000000-mapping.dmp

Download
memory/1784-138-0x000000000049D8CA-mapping.dmp

Download
memory/1784-137-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1784-155-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1900-147-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/1900-256-0x0000000006BB3000-0x0000000006BB4000-memory.dmp

Filesize
4KB

Download
memory/1900-206-0x000000007E4B0000-0x000000007E4B1000-memory.dmp

Filesize
4KB

Download
memory/1900-125-0x0000000000000000-mapping.dmp

Download
memory/1900-149-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

Filesize
4KB

Download
memory/1900-143-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/1900-141-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/1900-151-0x0000000006BB2000-0x0000000006BB3000-memory.dmp

Filesize
4KB

Download
memory/1900-139-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/3880-260-0x0000000006A33000-0x0000000006A34000-memory.dmp

Filesize
4KB

Download
memory/3880-154-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/3880-167-0x0000000006A32000-0x0000000006A33000-memory.dmp

Filesize
4KB

Download
memory/3880-136-0x0000000000000000-mapping.dmp

Download
memory/3880-209-0x000000007E2E0000-0x000000007E2E1000-memory.dmp

Filesize
4KB

Download