Overview

overview

10

Static

static

PREVIOUS C...df.exe

windows7_x64

10

PREVIOUS C...df.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    06-12-2021 11:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PREVIOUS CONVERSATION.pdf.exe

  • Size

    2.2MB

  • MD5

    28241aafe5b6018c984e310c33e9e48b

  • SHA1

    d126c0cf51a98d9f3bd38efa6e61d4091104c624

  • SHA256

    9e6563c2c5e8a869bfdbf4ff1336bf2abcd238695d87f79a01b308216acc9cb5

  • SHA512

    730ae328d0cc82be717d24130073d8a3d0ec8e3b118e88dcb2b13071499c2efa03cf98905be68b2bc041a3245d792a113403272f67052963f3c4baeae15d0c98

Score
10/10
webmonitorbackdoorinfostealerrat

Malware Config

Extracted

Family

webmonitor

C2

niiarmah.wm01.to:443

Attributes
  • config_key

    4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O

  • private_key

    yvkn5wM8E

  • url_path

    /recv5.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor Payload 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PREVIOUS CONVERSATION.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\PREVIOUS CONVERSATION.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FeqVzOoxhxw.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FeqVzOoxhxw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp89C8.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:416
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HRqCnM8UvH7AWTFZ.bat" "
        3⤵
          PID:2704

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\HRqCnM8UvH7AWTFZ.bat
      MD5

      a19d8429b1504a77c6313b2442022fb2

      SHA1

      ad3e6cf2183394efc2c2d00e969e97472e5310d3

      SHA256

      4c0e8ae40d0ab3911abd658ac5a8b95415c5d21c060ec8a1a94351ab0b0b97cd

      SHA512

      fe9455f9d46b4f7e209423f1ebfe3d5bb999ec302f6e4dda8c5d03e7b7544a88c9aade96fb0bd8f4d8f7bac8234bda3b73135000de417709680181723c71e7eb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp89C8.tmp
      MD5

      d283be636c829638bc73ce3e6a72231b

      SHA1

      58e1d372d643039e6217d8eb34698820c710cea6

      SHA256

      869669b72e6f512185cd796cf9094b3d8fc5324212fee44993c9f86acc6d99ca

      SHA512

      16ecb1c2d482518628dca61068504b03cdaf65210286a00504468cf593c60dbd017a73a6f45311efd776e814492a551f791ad331c5cf61026f86e0aeaec86c28

      Download Submit

    • memory/416-129-0x0000000000000000-mapping.dmp

      Download

    • memory/1012-137-0x0000000007E60000-0x0000000007E61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-147-0x0000000001110000-0x0000000001111000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-237-0x0000000004B03000-0x0000000004B04000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-236-0x000000007F5E0000-0x000000007F5E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-167-0x0000000009830000-0x0000000009831000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-166-0x0000000009660000-0x0000000009661000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-128-0x0000000000000000-mapping.dmp

      Download

    • memory/1012-161-0x00000000094F0000-0x00000000094F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-130-0x0000000001110000-0x0000000001111000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-140-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-132-0x0000000004A50000-0x0000000004A51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-133-0x0000000007500000-0x0000000007501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-154-0x0000000009530000-0x0000000009563000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1012-135-0x00000000074B0000-0x00000000074B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-136-0x0000000007D80000-0x0000000007D81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-146-0x0000000008690000-0x0000000008691000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-145-0x0000000008640000-0x0000000008641000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-144-0x0000000007D50000-0x0000000007D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-131-0x0000000001110000-0x0000000001111000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-142-0x0000000004B02000-0x0000000004B03000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1012-141-0x0000000004B00000-0x0000000004B01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2000-143-0x0000000000400000-0x00000000004F3000-memory.dmp

      Filesize

      972KB

      Download

    • memory/2000-138-0x0000000000400000-0x00000000004F3000-memory.dmp

      Filesize

      972KB

      Download

    • memory/2000-139-0x000000000049D8CA-mapping.dmp

      Download

    • memory/2704-383-0x0000000000000000-mapping.dmp

      Download

    • memory/4296-121-0x00000000057B0000-0x00000000057B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4296-123-0x00000000058F0000-0x00000000058F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4296-118-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4296-125-0x0000000005710000-0x0000000005C0E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/4296-126-0x0000000006530000-0x0000000006531000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4296-127-0x00000000065D0000-0x00000000067EC000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-124-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4296-122-0x0000000005760000-0x0000000005761000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4296-120-0x0000000005C10000-0x0000000005C11000-memory.dmp

      Filesize

      4KB

      Download