Analysis
-
max time kernel
303s -
max time network
318s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
22-08-2021 12:57
General
-
Target
dvdfab_player_6115.exe
-
Size
102.3MB
-
MD5
12880e15e937216cb83b7a2cb328909e
-
SHA1
56fec932ebad7b73b1629bd510416dc33a186ea3
-
SHA256
fcbf364dfa1211e904b23c5fbd6bb67159d4e4f56777f0445977e38b6d49777f
-
SHA512
2d63cc5db2eb219c4349e2fdf2436b334779b50b6184c8e54ed65fba0fb803c74dfe0f19f9e404b53511df0d249b8adbd3646dd8f7404b5d9fbb67ab5c42d87d
Malware Config
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor Payload 1 IoCs
-
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
-
Executes dropped EXE 3 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 14 IoCs
-
Suspicious use of SetThreadContext 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dvdfab_player_6115.exe"C:\Users\Admin\AppData\Local\Temp\dvdfab_player_6115.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe-d 56007 TCP3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe-a 10.10.0.21 56007 56007 TCP3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe-d 56008 TCP3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe-a 10.10.0.21 56008 56008 TCP3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe'" /f3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\dvdfab_player_6115.exe" "C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe"2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exeC:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 200 -s 19362⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exeC:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 19082⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exeC:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 200 -s 14002⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
12880e15e937216cb83b7a2cb328909e
SHA156fec932ebad7b73b1629bd510416dc33a186ea3
SHA256fcbf364dfa1211e904b23c5fbd6bb67159d4e4f56777f0445977e38b6d49777f
SHA5122d63cc5db2eb219c4349e2fdf2436b334779b50b6184c8e54ed65fba0fb803c74dfe0f19f9e404b53511df0d249b8adbd3646dd8f7404b5d9fbb67ab5c42d87d
-
MD5
12880e15e937216cb83b7a2cb328909e
SHA156fec932ebad7b73b1629bd510416dc33a186ea3
SHA256fcbf364dfa1211e904b23c5fbd6bb67159d4e4f56777f0445977e38b6d49777f
SHA5122d63cc5db2eb219c4349e2fdf2436b334779b50b6184c8e54ed65fba0fb803c74dfe0f19f9e404b53511df0d249b8adbd3646dd8f7404b5d9fbb67ab5c42d87d
-
MD5
12880e15e937216cb83b7a2cb328909e
SHA156fec932ebad7b73b1629bd510416dc33a186ea3
SHA256fcbf364dfa1211e904b23c5fbd6bb67159d4e4f56777f0445977e38b6d49777f
SHA5122d63cc5db2eb219c4349e2fdf2436b334779b50b6184c8e54ed65fba0fb803c74dfe0f19f9e404b53511df0d249b8adbd3646dd8f7404b5d9fbb67ab5c42d87d
-
MD5
12880e15e937216cb83b7a2cb328909e
SHA156fec932ebad7b73b1629bd510416dc33a186ea3
SHA256fcbf364dfa1211e904b23c5fbd6bb67159d4e4f56777f0445977e38b6d49777f
SHA5122d63cc5db2eb219c4349e2fdf2436b334779b50b6184c8e54ed65fba0fb803c74dfe0f19f9e404b53511df0d249b8adbd3646dd8f7404b5d9fbb67ab5c42d87d
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
Filesize
108KB
-
Filesize
108KB
-
-
-
-
-
-
Filesize
4KB
-
-
-
-
-
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-