webmonitor | f4743b96b2336504bd9b8207b0794da22e9eaf583703a7e3dd58cf872314ac4f

Analysis

max time kernel
133s
max time network
127s
platform
windows10_x64
resource
win10-en-20211014
submitted
15-10-2021 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
Size

2.0MB
MD5

517e0a4d7e27837a7075615032a6cc69
SHA1

f010795b19f2c56b230b7de0f9803cd3aeea208a
SHA256

f4743b96b2336504bd9b8207b0794da22e9eaf583703a7e3dd58cf872314ac4f
SHA512

5c9f1b9c874587b79852e98fe7adb06f544dbbb5b5af7bd60205cd4c24a43e5ab37d85d4ccb1fb22815942e6546cf936f1caa371718440cd01618094a0f18bb7

Score

10^/10

webmonitor agilenet backdoor infostealer persistence rat

Malware Config

Extracted

Family

webmonitor

niiarmah.wm01.to:443

Attributes

config_key
4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O
private_key
yvkn5wM8E
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 5 IoCs

resource	yara_rule
behavioral2/memory/3164-144-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral2/memory/3164-145-0x000000000049D8CA-mapping.dmp	family_webmonitor
behavioral2/memory/3164-147-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral2/memory/1056-182-0x000000000049D8CA-mapping.dmp	family_webmonitor
behavioral2/memory/1056-184-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor

Executes dropped EXE 9 IoCs

pid	Process
2732	Updates.exe
3164	AddInProcess32.exe
3772	Antivirus.exe
936	Antivirus.exe
3064	Updates.exe
1056	AddInProcess32.exe
2104	Antivirus.exe
1828	Antivirus.exe
2100	Updates.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/3076-122-0x00000000053D0000-0x00000000053F1000-memory.dmp	agile_net
behavioral2/memory/3076-127-0x0000000004D60000-0x0000000004DF2000-memory.dmp	agile_net
behavioral2/memory/3064-175-0x0000000005970000-0x0000000005A02000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updates1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Updates.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2732 set thread context of 3164	2732	Updates.exe	78
PID 3064 set thread context of 1056	3064	Updates.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
2732	Updates.exe
2732	Updates.exe
2732	Updates.exe
2732	Updates.exe
3772	Antivirus.exe
936	Antivirus.exe
936	Antivirus.exe
936	Antivirus.exe
2732	Updates.exe
2732	Updates.exe
2732	Updates.exe
2732	Updates.exe
3064	Updates.exe
3064	Updates.exe
3064	Updates.exe
3064	Updates.exe
2104	Antivirus.exe
1828	Antivirus.exe
1828	Antivirus.exe
1828	Antivirus.exe
2100	Updates.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
Token: SeDebugPrivilege	2732	Updates.exe
Token: SeDebugPrivilege	3772	Antivirus.exe
Token: SeDebugPrivilege	936	Antivirus.exe
Token: SeDebugPrivilege	3064	Updates.exe
Token: SeShutdownPrivilege	3164	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	3164	AddInProcess32.exe
Token: SeDebugPrivilege	2104	Antivirus.exe
Token: SeDebugPrivilege	1828	Antivirus.exe
Token: SeDebugPrivilege	2100	Updates.exe
Token: SeShutdownPrivilege	1056	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	1056	AddInProcess32.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3764	3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	70
PID 3076 wrote to memory of 3764	3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	70
PID 3076 wrote to memory of 3764	3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	70
PID 3764 wrote to memory of 1800	3764	cmd.exe	72
PID 3764 wrote to memory of 1800	3764	cmd.exe	72
PID 3764 wrote to memory of 1800	3764	cmd.exe	72
PID 3076 wrote to memory of 2732	3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	73
PID 3076 wrote to memory of 2732	3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	73
PID 3076 wrote to memory of 2732	3076	f010795b19f2c56b230b7de0f9803cd3aeea208a.exe	73
PID 2732 wrote to memory of 3164	2732	Updates.exe	78
PID 2732 wrote to memory of 3164	2732	Updates.exe	78
PID 2732 wrote to memory of 3164	2732	Updates.exe	78
PID 2732 wrote to memory of 3164	2732	Updates.exe	78
PID 2732 wrote to memory of 3164	2732	Updates.exe	78
PID 2732 wrote to memory of 3164	2732	Updates.exe	78
PID 2732 wrote to memory of 3164	2732	Updates.exe	78
PID 2732 wrote to memory of 3164	2732	Updates.exe	78
PID 2732 wrote to memory of 3164	2732	Updates.exe	78
PID 2732 wrote to memory of 3772	2732	Updates.exe	79
PID 2732 wrote to memory of 3772	2732	Updates.exe	79
PID 2732 wrote to memory of 3772	2732	Updates.exe	79
PID 3772 wrote to memory of 936	3772	Antivirus.exe	80
PID 3772 wrote to memory of 936	3772	Antivirus.exe	80
PID 3772 wrote to memory of 936	3772	Antivirus.exe	80
PID 936 wrote to memory of 3064	936	Antivirus.exe	81
PID 936 wrote to memory of 3064	936	Antivirus.exe	81
PID 936 wrote to memory of 3064	936	Antivirus.exe	81
PID 3164 wrote to memory of 508	3164	AddInProcess32.exe	83
PID 3164 wrote to memory of 508	3164	AddInProcess32.exe	83
PID 3164 wrote to memory of 508	3164	AddInProcess32.exe	83
PID 3064 wrote to memory of 1056	3064	Updates.exe	85
PID 3064 wrote to memory of 1056	3064	Updates.exe	85
PID 3064 wrote to memory of 1056	3064	Updates.exe	85
PID 3064 wrote to memory of 1056	3064	Updates.exe	85
PID 3064 wrote to memory of 1056	3064	Updates.exe	85
PID 3064 wrote to memory of 1056	3064	Updates.exe	85
PID 3064 wrote to memory of 1056	3064	Updates.exe	85
PID 3064 wrote to memory of 1056	3064	Updates.exe	85
PID 3064 wrote to memory of 1056	3064	Updates.exe	85
PID 3064 wrote to memory of 2104	3064	Updates.exe	86
PID 3064 wrote to memory of 2104	3064	Updates.exe	86
PID 3064 wrote to memory of 2104	3064	Updates.exe	86
PID 2104 wrote to memory of 1828	2104	Antivirus.exe	87
PID 2104 wrote to memory of 1828	2104	Antivirus.exe	87
PID 2104 wrote to memory of 1828	2104	Antivirus.exe	87
PID 1828 wrote to memory of 2100	1828	Antivirus.exe	88
PID 1828 wrote to memory of 2100	1828	Antivirus.exe	88
PID 1828 wrote to memory of 2100	1828	Antivirus.exe	88
PID 1056 wrote to memory of 2936	1056	AddInProcess32.exe	89
PID 1056 wrote to memory of 2936	1056	AddInProcess32.exe	89
PID 1056 wrote to memory of 2936	1056	AddInProcess32.exe	89

C:\Users\Admin\AppData\Local\Temp\f010795b19f2c56b230b7de0f9803cd3aeea208a.exe
"C:\Users\Admin\AppData\Local\Temp\f010795b19f2c56b230b7de0f9803cd3aeea208a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Updates1" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Updates1" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe"
    3⤵
    - Adds Run key to start application
    PID:1800
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EbjlEPhYZrruwPz7.bat" "
      4⤵
      PID:508
- - C:\Users\Admin\AppData\Local\Temp\Antivirus.exe
    "C:\Users\Admin\AppData\Local\Temp\Antivirus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\Antivirus.exe
      "C:\Users\Admin\AppData\Local\Temp\Antivirus.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:936
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OBG7SXrqhKZ2EUzG.bat" "
        7⤵
        
        PID:2936
      - C:\Users\Admin\AppData\Local\Temp\Antivirus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Antivirus.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Antivirus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Antivirus.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Updates.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-184-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2100-211-0x0000000006501000-0x0000000006502000-memory.dmp

Filesize
4KB

Download
memory/2100-210-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/2732-142-0x00000000075E0000-0x00000000075EB000-memory.dmp

Filesize
44KB

Download
memory/2732-143-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/2732-140-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/2732-141-0x0000000005C41000-0x0000000005C42000-memory.dmp

Filesize
4KB

Download
memory/3064-169-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/3064-174-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/3064-175-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/3076-120-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/3076-127-0x0000000004D60000-0x0000000004DF2000-memory.dmp

Filesize
584KB

Download
memory/3076-124-0x00000000064A0000-0x00000000064A1000-memory.dmp

Filesize
4KB

Download
memory/3076-123-0x00000000064D0000-0x00000000064D1000-memory.dmp

Filesize
4KB

Download
memory/3076-122-0x00000000053D0000-0x00000000053F1000-memory.dmp

Filesize
132KB

Download
memory/3076-117-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/3076-121-0x0000000004D60000-0x0000000004DF2000-memory.dmp

Filesize
584KB

Download
memory/3076-115-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/3076-119-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3076-118-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/3164-147-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3164-144-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3772-151-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download