webmonitor | bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0

General

Target

bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exe
Size

721KB
MD5

1502cb8a7caf4853614f9fd8f860631e
SHA1

813dc57d206536db600a16f8a5da362240cb8516
SHA256

bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0
SHA512

fa4c28bb760aabba20e7dbf98fe093687cd18c072bca07ed650c01fdee2c498bc8a89e2a6b41a6ca72762d7a2616e207562ee5f3b253fe375b8ff239294bef08

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1720-125-0x0000000000400000-0x00000000004EA000-memory.dmp	family_webmonitor

Executes dropped EXE 1 IoCs

Processes:

despacito.exe

pid process

2128 despacito.exe

pid	process
2128	despacito.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1720-123-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral1/memory/1720-125-0x0000000000400000-0x00000000004EA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

despacito.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\updator = "C:\\Users\\Admin\\Music\\despacito.exe -boot"	despacito.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

despacito.exe

description pid process target process

PID 2128 set thread context of 1720 2128 despacito.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

despacito.exe

pid process

2128 despacito.exe
2128 despacito.exe
2128 despacito.exe
2128 despacito.exe

description	pid	process	target process
PID 2128 set thread context of 1720	2128	despacito.exe	AppLaunch.exe

pid	process
2128	despacito.exe
2128	despacito.exe
2128	despacito.exe
2128	despacito.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exedespacito.exe

description	pid	process
Token: SeDebugPrivilege	3728	bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exe
Token: SeDebugPrivilege	2128	despacito.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exeexplorer.exedespacito.exe

description	pid	process	target process
PID 3728 wrote to memory of 2404	3728	bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exe	cmd.exe
PID 3728 wrote to memory of 2404	3728	bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exe	cmd.exe
PID 3728 wrote to memory of 2404	3728	bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exe	cmd.exe
PID 3728 wrote to memory of 2460	3728	bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exe	explorer.exe
PID 3728 wrote to memory of 2460	3728	bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exe	explorer.exe
PID 3728 wrote to memory of 2460	3728	bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exe	explorer.exe
PID 3148 wrote to memory of 2128	3148	explorer.exe	despacito.exe
PID 3148 wrote to memory of 2128	3148	explorer.exe	despacito.exe
PID 3148 wrote to memory of 2128	3148	explorer.exe	despacito.exe
PID 2128 wrote to memory of 1720	2128	despacito.exe	AppLaunch.exe
PID 2128 wrote to memory of 1720	2128	despacito.exe	AppLaunch.exe
PID 2128 wrote to memory of 1720	2128	despacito.exe	AppLaunch.exe
PID 2128 wrote to memory of 1720	2128	despacito.exe	AppLaunch.exe
PID 2128 wrote to memory of 1720	2128	despacito.exe	AppLaunch.exe
PID 2128 wrote to memory of 1720	2128	despacito.exe	AppLaunch.exe
PID 2128 wrote to memory of 1720	2128	despacito.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exe
"C:\Users\Admin\AppData\Local\Temp\bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0.exe" "C:\Users\Admin\Music\despacito.exe"
  2⤵
  PID:2404
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\Music\despacito.exe"
  2⤵
  PID:2460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\Music\despacito.exe
  "C:\Users\Admin\Music\despacito.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
    3⤵
    PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Music\despacito.exe

MD5
1502cb8a7caf4853614f9fd8f860631e

SHA1
813dc57d206536db600a16f8a5da362240cb8516

SHA256
bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0

SHA512
fa4c28bb760aabba20e7dbf98fe093687cd18c072bca07ed650c01fdee2c498bc8a89e2a6b41a6ca72762d7a2616e207562ee5f3b253fe375b8ff239294bef08

Download Submit
C:\Users\Admin\Music\despacito.exe

MD5
1502cb8a7caf4853614f9fd8f860631e

SHA1
813dc57d206536db600a16f8a5da362240cb8516

SHA256
bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0

SHA512
fa4c28bb760aabba20e7dbf98fe093687cd18c072bca07ed650c01fdee2c498bc8a89e2a6b41a6ca72762d7a2616e207562ee5f3b253fe375b8ff239294bef08

Download Submit
memory/1720-123-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1720-124-0x00000000004E7F50-mapping.dmp

Download
memory/1720-125-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2128-119-0x0000000000000000-mapping.dmp

Download
memory/2128-121-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/2128-122-0x0000000001391000-0x0000000001392000-memory.dmp

Filesize
4KB

Download
memory/2404-116-0x0000000000000000-mapping.dmp

Download
memory/2460-117-0x0000000000000000-mapping.dmp

Download
memory/3728-114-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/3728-115-0x0000000000AA1000-0x0000000000AA2000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads