webmonitor | f4743b96b2336504bd9b8207b0794da22e9eaf583703a7e3dd58cf872314ac4f

Analysis

max time kernel
146s
max time network
138s
platform
windows7_x64
resource
win7-en-20210920
submitted
15-10-2021 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
Size

2.0MB
MD5

517e0a4d7e27837a7075615032a6cc69
SHA1

f010795b19f2c56b230b7de0f9803cd3aeea208a
SHA256

f4743b96b2336504bd9b8207b0794da22e9eaf583703a7e3dd58cf872314ac4f
SHA512

5c9f1b9c874587b79852e98fe7adb06f544dbbb5b5af7bd60205cd4c24a43e5ab37d85d4ccb1fb22815942e6546cf936f1caa371718440cd01618094a0f18bb7

Score

10^/10

webmonitor agilenet backdoor infostealer persistence rat

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/580-74-0x0000000000420000-0x0000000000513000-memory.dmp	family_webmonitor
behavioral1/memory/580-75-0x0000000000420000-0x0000000000513000-memory.dmp	family_webmonitor
behavioral1/memory/580-76-0x0000000000420000-0x0000000000513000-memory.dmp	family_webmonitor
behavioral1/memory/580-78-0x000000000049D8CA-mapping.dmp	family_webmonitor
behavioral1/memory/580-80-0x0000000000421000-0x000000000050B000-memory.dmp	family_webmonitor

Executes dropped EXE 4 IoCs

Processes:

Updates.exeAddInProcess32.exeAntivirus.exeAntivirus.exe

pid process

1220 Updates.exe
580 AddInProcess32.exe
1688 Antivirus.exe
1068 Antivirus.exe
Loads dropped DLL 4 IoCs

Processes:

f010795b19f2c56b230b7de0f9803cd3aeea208a.exeUpdates.exeAntivirus.exe

pid process

1516 f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
1220 Updates.exe
1220 Updates.exe
1688 Antivirus.exe

pid	process
1220	Updates.exe
580	AddInProcess32.exe
1688	Antivirus.exe
1068	Antivirus.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1516-56-0x00000000020F0000-0x0000000002111000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updates1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Updates.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Updates.exe

description pid process target process

PID 1220 set thread context of 580 1220 Updates.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1220 set thread context of 580	1220	Updates.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

f010795b19f2c56b230b7de0f9803cd3aeea208a.exeUpdates.exeAntivirus.exeAntivirus.exe

pid	process
1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
1220	Updates.exe
1220	Updates.exe
1220	Updates.exe
1220	Updates.exe
1688	Antivirus.exe
1068	Antivirus.exe
1068	Antivirus.exe
1068	Antivirus.exe
1220	Updates.exe
1220	Updates.exe
1220	Updates.exe
1220	Updates.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

f010795b19f2c56b230b7de0f9803cd3aeea208a.exeUpdates.exeAntivirus.exeAntivirus.exe

description	pid	process
Token: SeDebugPrivilege	1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
Token: SeDebugPrivilege	1220	Updates.exe
Token: SeDebugPrivilege	1688	Antivirus.exe
Token: SeDebugPrivilege	1068	Antivirus.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

f010795b19f2c56b230b7de0f9803cd3aeea208a.execmd.exeUpdates.exeAntivirus.exe

description	pid	process	target process
PID 1516 wrote to memory of 1012	1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	cmd.exe
PID 1516 wrote to memory of 1012	1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	cmd.exe
PID 1516 wrote to memory of 1012	1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	cmd.exe
PID 1516 wrote to memory of 1012	1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	cmd.exe
PID 1012 wrote to memory of 1736	1012	cmd.exe	reg.exe
PID 1012 wrote to memory of 1736	1012	cmd.exe	reg.exe
PID 1012 wrote to memory of 1736	1012	cmd.exe	reg.exe
PID 1012 wrote to memory of 1736	1012	cmd.exe	reg.exe
PID 1516 wrote to memory of 1220	1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	Updates.exe
PID 1516 wrote to memory of 1220	1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	Updates.exe
PID 1516 wrote to memory of 1220	1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	Updates.exe
PID 1516 wrote to memory of 1220	1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	Updates.exe
PID 1516 wrote to memory of 1220	1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	Updates.exe
PID 1516 wrote to memory of 1220	1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	Updates.exe
PID 1516 wrote to memory of 1220	1516	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	Updates.exe
PID 1220 wrote to memory of 580	1220	Updates.exe	AddInProcess32.exe
PID 1220 wrote to memory of 580	1220	Updates.exe	AddInProcess32.exe
PID 1220 wrote to memory of 580	1220	Updates.exe	AddInProcess32.exe
PID 1220 wrote to memory of 580	1220	Updates.exe	AddInProcess32.exe
PID 1220 wrote to memory of 580	1220	Updates.exe	AddInProcess32.exe
PID 1220 wrote to memory of 580	1220	Updates.exe	AddInProcess32.exe
PID 1220 wrote to memory of 580	1220	Updates.exe	AddInProcess32.exe
PID 1220 wrote to memory of 580	1220	Updates.exe	AddInProcess32.exe
PID 1220 wrote to memory of 580	1220	Updates.exe	AddInProcess32.exe
PID 1220 wrote to memory of 580	1220	Updates.exe	AddInProcess32.exe
PID 1220 wrote to memory of 1688	1220	Updates.exe	Antivirus.exe
PID 1220 wrote to memory of 1688	1220	Updates.exe	Antivirus.exe
PID 1220 wrote to memory of 1688	1220	Updates.exe	Antivirus.exe
PID 1220 wrote to memory of 1688	1220	Updates.exe	Antivirus.exe
PID 1688 wrote to memory of 1068	1688	Antivirus.exe	Antivirus.exe
PID 1688 wrote to memory of 1068	1688	Antivirus.exe	Antivirus.exe
PID 1688 wrote to memory of 1068	1688	Antivirus.exe	Antivirus.exe
PID 1688 wrote to memory of 1068	1688	Antivirus.exe	Antivirus.exe

C:\Users\Admin\AppData\Local\Temp\f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
"C:\Users\Admin\AppData\Local\Temp\f010795b19f2c56b230b7de0f9803cd3aeea208a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Updates1" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Updates1" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe"
    3⤵
    - Adds Run key to start application
    PID:1736
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    - Executes dropped EXE
    PID:580
- - C:\Users\Admin\AppData\Local\Temp\Antivirus.exe
    "C:\Users\Admin\AppData\Local\Temp\Antivirus.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\Antivirus.exe
      "C:\Users\Admin\AppData\Local\Temp\Antivirus.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antivirus.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antivirus.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antivirus.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antivirus.txt

MD5
0c3736f5f21ba3a2cf189c2bfda8aa61

SHA1
c28ed526041713c2283ae2ab06966e935c48c1dd

SHA256
250c00f3d3d6da2b8141eee0091187f34067268e658dc189b41fc9589e256a54

SHA512
d03cbf230e218137e48c3f3f23b99e9bf73a5b8c94013aff49ab8c4369530b0fbb0b3a2c6bdc6a4caee40e89cd02fac558b971a6076ccfa3f5200b12c1680570

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antivirus.txt

MD5
70d65563bb85d1af2c53339de2fec5c6

SHA1
34aaa0e5d4488cdf791a6d45ba37c4102a81bce4

SHA256
1ec5ab82dd70c6411e49979852bd8bf7d0cd7639daf053157c8da2a0e701a56e

SHA512
3ea5078ab0f0f55c4a8fd5f30528594206b847cbbbd6332ab9e52fce7538c3e917bb7b6d4630e22c5431f241af113474596f5ccbef610849848f9c2f0e90f871

Download Submit
C:\Users\Admin\AppData\Local\Temp\Antivirus.txt

MD5
70d65563bb85d1af2c53339de2fec5c6

SHA1
34aaa0e5d4488cdf791a6d45ba37c4102a81bce4

SHA256
1ec5ab82dd70c6411e49979852bd8bf7d0cd7639daf053157c8da2a0e701a56e

SHA512
3ea5078ab0f0f55c4a8fd5f30528594206b847cbbbd6332ab9e52fce7538c3e917bb7b6d4630e22c5431f241af113474596f5ccbef610849848f9c2f0e90f871

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe

MD5
517e0a4d7e27837a7075615032a6cc69

SHA1
f010795b19f2c56b230b7de0f9803cd3aeea208a

SHA256
f4743b96b2336504bd9b8207b0794da22e9eaf583703a7e3dd58cf872314ac4f

SHA512
5c9f1b9c874587b79852e98fe7adb06f544dbbb5b5af7bd60205cd4c24a43e5ab37d85d4ccb1fb22815942e6546cf936f1caa371718440cd01618094a0f18bb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe

MD5
517e0a4d7e27837a7075615032a6cc69

SHA1
f010795b19f2c56b230b7de0f9803cd3aeea208a

SHA256
f4743b96b2336504bd9b8207b0794da22e9eaf583703a7e3dd58cf872314ac4f

SHA512
5c9f1b9c874587b79852e98fe7adb06f544dbbb5b5af7bd60205cd4c24a43e5ab37d85d4ccb1fb22815942e6546cf936f1caa371718440cd01618094a0f18bb7

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Local\Temp\Antivirus.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\Antivirus.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe

MD5
517e0a4d7e27837a7075615032a6cc69

SHA1
f010795b19f2c56b230b7de0f9803cd3aeea208a

SHA256
f4743b96b2336504bd9b8207b0794da22e9eaf583703a7e3dd58cf872314ac4f

SHA512
5c9f1b9c874587b79852e98fe7adb06f544dbbb5b5af7bd60205cd4c24a43e5ab37d85d4ccb1fb22815942e6546cf936f1caa371718440cd01618094a0f18bb7

Download Submit
memory/580-80-0x0000000000421000-0x000000000050B000-memory.dmp

Filesize
936KB

Download
memory/580-73-0x0000000000421000-0x000000000050B000-memory.dmp

Filesize
936KB

Download
memory/580-74-0x0000000000420000-0x0000000000513000-memory.dmp

Filesize
972KB

Download
memory/580-75-0x0000000000420000-0x0000000000513000-memory.dmp

Filesize
972KB

Download
memory/580-76-0x0000000000420000-0x0000000000513000-memory.dmp

Filesize
972KB

Download
memory/580-78-0x000000000049D8CA-mapping.dmp

Download
memory/1012-58-0x0000000000000000-mapping.dmp

Download
memory/1068-91-0x0000000000000000-mapping.dmp

Download
memory/1220-69-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1220-61-0x0000000000000000-mapping.dmp

Download
memory/1220-68-0x0000000000AC0000-0x0000000000ACB000-memory.dmp

Filesize
44KB

Download
memory/1220-66-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1220-64-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1516-53-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1516-57-0x0000000001FB1000-0x0000000001FB2000-memory.dmp

Filesize
4KB

Download
memory/1516-56-0x00000000020F0000-0x0000000002111000-memory.dmp

Filesize
132KB

Download
memory/1516-55-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/1688-87-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/1688-84-0x0000000000000000-mapping.dmp

Download
memory/1736-59-0x0000000000000000-mapping.dmp

Download