Overview

overview

10

Static

static

f010795b19...8a.exe

windows7_x64

10

f010795b19...8a.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    15-10-2021 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f010795b19f2c56b230b7de0f9803cd3aeea208a.exe

  • Size

    2.0MB

  • MD5

    517e0a4d7e27837a7075615032a6cc69

  • SHA1

    f010795b19f2c56b230b7de0f9803cd3aeea208a

  • SHA256

    f4743b96b2336504bd9b8207b0794da22e9eaf583703a7e3dd58cf872314ac4f

  • SHA512

    5c9f1b9c874587b79852e98fe7adb06f544dbbb5b5af7bd60205cd4c24a43e5ab37d85d4ccb1fb22815942e6546cf936f1caa371718440cd01618094a0f18bb7

Score
10/10
webmonitoragilenetbackdoorinfostealerpersistencerat

Malware Config

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor Payload 5 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
    "C:\Users\Admin\AppData\Local\Temp\f010795b19f2c56b230b7de0f9803cd3aeea208a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Updates1" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Updates1" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe"
        3⤵
        • Adds Run key to start application
        PID:1736
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • Executes dropped EXE
        PID:580
      • C:\Users\Admin\AppData\Local\Temp\Antivirus.exe
        "C:\Users\Admin\AppData\Local\Temp\Antivirus.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Users\Admin\AppData\Local\Temp\Antivirus.exe
          "C:\Users\Admin\AppData\Local\Temp\Antivirus.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/580-80-0x0000000000421000-0x000000000050B000-memory.dmp

    Filesize

    936KB

    Download

  • memory/580-73-0x0000000000421000-0x000000000050B000-memory.dmp

    Filesize

    936KB

    Download

  • memory/580-74-0x0000000000420000-0x0000000000513000-memory.dmp

    Filesize

    972KB

    Download

  • memory/580-75-0x0000000000420000-0x0000000000513000-memory.dmp

    Filesize

    972KB

    Download

  • memory/580-76-0x0000000000420000-0x0000000000513000-memory.dmp

    Filesize

    972KB

    Download

  • memory/1220-69-0x00000000002F0000-0x00000000002F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1220-68-0x0000000000AC0000-0x0000000000ACB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1220-66-0x0000000000690000-0x0000000000691000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1220-64-0x0000000000F60000-0x0000000000F61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1516-53-0x0000000000130000-0x0000000000131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1516-57-0x0000000001FB1000-0x0000000001FB2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1516-56-0x00000000020F0000-0x0000000002111000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1516-55-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1688-87-0x0000000001130000-0x0000000001131000-memory.dmp

    Filesize

    4KB

    Download