webmonitor | 3caf291b46329aef3a6dc1b90284ad350ead66ffbceb0abbb08f00a06ced7a25

Analysis

max time kernel
113s
max time network
136s
platform
windows10_x64
resource
win10v20210408
submitted
05-08-2021 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe
Size

1.9MB
MD5

1372b32848411ad39f19abe9d74b052f
SHA1

b47548451a323c3ae62b25ee6b65f1fe76837639
SHA256

7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a
SHA512

ed15a4855f25b2ff6a00c2e19c4def71aac1d27945d249dbb26718107dbe48a4c3176be1e07cd1f5de29b7d3aeffb2530fb89c70c0f1e9ba77dc0c9bd3396942

Score

10^/10

webmonitor backdoor infostealer rat

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2180-145-0x000000000049D8CA-mapping.dmp	family_webmonitor
behavioral2/memory/2180-143-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral2/memory/2180-159-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor

Suspicious use of SetThreadContext 1 IoCs

Processes:

7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe

description	pid	process	target process
PID 3128 set thread context of 2180	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2108 schtasks.exe

pid	process
2108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exepowershell.exepowershell.exepowershell.exe

pid	process
3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe
3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe
3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe
3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe
3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe
1264	powershell.exe
3356	powershell.exe
1524	powershell.exe
1524	powershell.exe
1264	powershell.exe
3356	powershell.exe
1264	powershell.exe
3356	powershell.exe
1524	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exepowershell.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeShutdownPrivilege	2180	RegSvcs.exe
Token: SeCreatePagefilePrivilege	2180	RegSvcs.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exeRegSvcs.exe

description	pid	process	target process
PID 3128 wrote to memory of 1524	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	powershell.exe
PID 3128 wrote to memory of 1524	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	powershell.exe
PID 3128 wrote to memory of 1524	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	powershell.exe
PID 3128 wrote to memory of 3356	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	powershell.exe
PID 3128 wrote to memory of 3356	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	powershell.exe
PID 3128 wrote to memory of 3356	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	powershell.exe
PID 3128 wrote to memory of 2108	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	schtasks.exe
PID 3128 wrote to memory of 2108	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	schtasks.exe
PID 3128 wrote to memory of 2108	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	schtasks.exe
PID 3128 wrote to memory of 1264	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	powershell.exe
PID 3128 wrote to memory of 1264	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	powershell.exe
PID 3128 wrote to memory of 1264	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	powershell.exe
PID 3128 wrote to memory of 1296	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 1296	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 1296	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 900	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 900	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 900	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 2180	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 2180	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 2180	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 2180	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 2180	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 2180	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 2180	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 2180	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 3128 wrote to memory of 2180	3128	7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe	RegSvcs.exe
PID 2180 wrote to memory of 408	2180	RegSvcs.exe	cmd.exe
PID 2180 wrote to memory of 408	2180	RegSvcs.exe	cmd.exe
PID 2180 wrote to memory of 408	2180	RegSvcs.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe
"C:\Users\Admin\AppData\Local\Temp\7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DqkJYq.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3356
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DqkJYq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7ACE.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DqkJYq.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j9Vqy1KSegqWt2eb.bat" "
    3⤵
    PID:408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9510c35ad147f04c44ab0dc1b4eddf06

SHA1
ff9cffcaaf739d2f794c8fef838cf3d2c6c48dc6

SHA256
385f44204b6a29386710816a7bf9e259c4e33f7903e1740a5827c23f84534303

SHA512
77dd2a01f9321a2d1c1b4e2001b6a506611cc27a257a662d1d74ad60ef3289de5c2bd2481f57fecb7508acf3a75f526c1ab6d7ed8c95fdb5d6bedf0b4221366f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9510c35ad147f04c44ab0dc1b4eddf06

SHA1
ff9cffcaaf739d2f794c8fef838cf3d2c6c48dc6

SHA256
385f44204b6a29386710816a7bf9e259c4e33f7903e1740a5827c23f84534303

SHA512
77dd2a01f9321a2d1c1b4e2001b6a506611cc27a257a662d1d74ad60ef3289de5c2bd2481f57fecb7508acf3a75f526c1ab6d7ed8c95fdb5d6bedf0b4221366f

Download Submit
C:\Users\Admin\AppData\Local\Temp\j9Vqy1KSegqWt2eb.bat

MD5
6d118bfaaaab3f29a4f10987b2528d0f

SHA1
eb041ab84984b521cc633b89e64c4923fed2f5fe

SHA256
2cd44590f375fafdd288d55cf0a9b6e45fa3d81e8713214274d6c976084d3c9f

SHA512
5eb552d6825b3226093835e3dddd293f6a1ef45e76379004f0d0922bf6a03bf872fcfdd90a23ee3f6133340814cbfd668fcc0b36e436842fdbaffd7eb7044e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7ACE.tmp

MD5
9d3d1196c4fb801994c20ddd945b6317

SHA1
d2ea040bc327607376d87376cde89dfb11969b03

SHA256
a2d3f984cf2e45e1b93e353d1676c1db3f193b7b6d65210fc89369dfefd765bc

SHA512
c9e9c45457f87922f69471803ced26333363cd80ccd4cd2fe081935141e1072d4a56d1e7cc751476e76f9fb4773d3cdeaa6d08e8aa7f902211fb6638a9571fd0

Download Submit
memory/408-564-0x0000000000000000-mapping.dmp

Download
memory/1264-237-0x0000000004E63000-0x0000000004E64000-memory.dmp

Filesize
4KB

Download
memory/1264-214-0x000000007EDF0000-0x000000007EDF1000-memory.dmp

Filesize
4KB

Download
memory/1264-160-0x0000000008200000-0x0000000008201000-memory.dmp

Filesize
4KB

Download
memory/1264-158-0x0000000004E62000-0x0000000004E63000-memory.dmp

Filesize
4KB

Download
memory/1264-157-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/1264-146-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/1264-139-0x0000000000000000-mapping.dmp

Download
memory/1524-153-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/1524-207-0x000000007ED40000-0x000000007ED41000-memory.dmp

Filesize
4KB

Download
memory/1524-131-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/1524-132-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/1524-238-0x0000000006E63000-0x0000000006E64000-memory.dmp

Filesize
4KB

Download
memory/1524-192-0x0000000009170000-0x00000000091A3000-memory.dmp

Filesize
204KB

Download
memory/1524-134-0x0000000006E62000-0x0000000006E63000-memory.dmp

Filesize
4KB

Download
memory/1524-149-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/1524-166-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/1524-125-0x0000000000000000-mapping.dmp

Download
memory/1524-129-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/2108-130-0x0000000000000000-mapping.dmp

Download
memory/2180-145-0x000000000049D8CA-mapping.dmp

Download
memory/2180-159-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2180-143-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3128-114-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3128-116-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/3128-119-0x0000000004C40000-0x000000000513E000-memory.dmp

Filesize
5.0MB

Download
memory/3128-118-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/3128-122-0x0000000005100000-0x000000000511B000-memory.dmp

Filesize
108KB

Download
memory/3128-120-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/3128-124-0x0000000008790000-0x0000000008885000-memory.dmp

Filesize
980KB

Download
memory/3128-121-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/3128-123-0x0000000008650000-0x0000000008787000-memory.dmp

Filesize
1.2MB

Download
memory/3128-117-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/3356-169-0x0000000008730000-0x0000000008731000-memory.dmp

Filesize
4KB

Download
memory/3356-239-0x0000000006F73000-0x0000000006F74000-memory.dmp

Filesize
4KB

Download
memory/3356-216-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/3356-211-0x000000007FBD0000-0x000000007FBD1000-memory.dmp

Filesize
4KB

Download
memory/3356-163-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/3356-128-0x0000000000000000-mapping.dmp

Download
memory/3356-156-0x0000000006F72000-0x0000000006F73000-memory.dmp

Filesize
4KB

Download
memory/3356-152-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download