webmonitor | 9e6563c2c5e8a869bfdbf4ff1336bf2abcd238695d87f79a01b308216acc9cb5

General

Target

PREVIOUS CONVERSATION.pdf.exe
Size

2.2MB
MD5

28241aafe5b6018c984e310c33e9e48b
SHA1

d126c0cf51a98d9f3bd38efa6e61d4091104c624
SHA256

9e6563c2c5e8a869bfdbf4ff1336bf2abcd238695d87f79a01b308216acc9cb5
SHA512

730ae328d0cc82be717d24130073d8a3d0ec8e3b118e88dcb2b13071499c2efa03cf98905be68b2bc041a3245d792a113403272f67052963f3c4baeae15d0c98

Score

10^/10

webmonitor backdoor infostealer rat

Malware Config

Extracted

Family

webmonitor

C2

niiarmah.wm01.to:443

Attributes

config_key
4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O
private_key
yvkn5wM8E
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2000-138-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral2/memory/2000-139-0x000000000049D8CA-mapping.dmp	family_webmonitor
behavioral2/memory/2000-143-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor

Suspicious use of SetThreadContext 1 IoCs

Processes:

PREVIOUS CONVERSATION.pdf.exe

description pid process target process

PID 4296 set thread context of 2000 4296 PREVIOUS CONVERSATION.pdf.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

416 schtasks.exe

description	pid	process	target process
PID 4296 set thread context of 2000	4296	PREVIOUS CONVERSATION.pdf.exe	RegSvcs.exe

pid	process
416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

PREVIOUS CONVERSATION.pdf.exepowershell.exe

pid	process
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
4296	PREVIOUS CONVERSATION.pdf.exe
1012	powershell.exe
4296	PREVIOUS CONVERSATION.pdf.exe
1012	powershell.exe
1012	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PREVIOUS CONVERSATION.pdf.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4296	PREVIOUS CONVERSATION.pdf.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeShutdownPrivilege	2000	RegSvcs.exe
Token: SeCreatePagefilePrivilege	2000	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

PREVIOUS CONVERSATION.pdf.exeRegSvcs.exe

description	pid	process	target process
PID 4296 wrote to memory of 1012	4296	PREVIOUS CONVERSATION.pdf.exe	powershell.exe
PID 4296 wrote to memory of 1012	4296	PREVIOUS CONVERSATION.pdf.exe	powershell.exe
PID 4296 wrote to memory of 1012	4296	PREVIOUS CONVERSATION.pdf.exe	powershell.exe
PID 4296 wrote to memory of 416	4296	PREVIOUS CONVERSATION.pdf.exe	schtasks.exe
PID 4296 wrote to memory of 416	4296	PREVIOUS CONVERSATION.pdf.exe	schtasks.exe
PID 4296 wrote to memory of 416	4296	PREVIOUS CONVERSATION.pdf.exe	schtasks.exe
PID 4296 wrote to memory of 2000	4296	PREVIOUS CONVERSATION.pdf.exe	RegSvcs.exe
PID 4296 wrote to memory of 2000	4296	PREVIOUS CONVERSATION.pdf.exe	RegSvcs.exe
PID 4296 wrote to memory of 2000	4296	PREVIOUS CONVERSATION.pdf.exe	RegSvcs.exe
PID 4296 wrote to memory of 2000	4296	PREVIOUS CONVERSATION.pdf.exe	RegSvcs.exe
PID 4296 wrote to memory of 2000	4296	PREVIOUS CONVERSATION.pdf.exe	RegSvcs.exe
PID 4296 wrote to memory of 2000	4296	PREVIOUS CONVERSATION.pdf.exe	RegSvcs.exe
PID 4296 wrote to memory of 2000	4296	PREVIOUS CONVERSATION.pdf.exe	RegSvcs.exe
PID 4296 wrote to memory of 2000	4296	PREVIOUS CONVERSATION.pdf.exe	RegSvcs.exe
PID 4296 wrote to memory of 2000	4296	PREVIOUS CONVERSATION.pdf.exe	RegSvcs.exe
PID 2000 wrote to memory of 2704	2000	RegSvcs.exe	cmd.exe
PID 2000 wrote to memory of 2704	2000	RegSvcs.exe	cmd.exe
PID 2000 wrote to memory of 2704	2000	RegSvcs.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\PREVIOUS CONVERSATION.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PREVIOUS CONVERSATION.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FeqVzOoxhxw.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FeqVzOoxhxw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp89C8.tmp"
2⤵
- Creates scheduled task(s)
PID:416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HRqCnM8UvH7AWTFZ.bat" "
3⤵
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HRqCnM8UvH7AWTFZ.bat
MD5
a19d8429b1504a77c6313b2442022fb2

SHA1
ad3e6cf2183394efc2c2d00e969e97472e5310d3

SHA256
4c0e8ae40d0ab3911abd658ac5a8b95415c5d21c060ec8a1a94351ab0b0b97cd

SHA512
fe9455f9d46b4f7e209423f1ebfe3d5bb999ec302f6e4dda8c5d03e7b7544a88c9aade96fb0bd8f4d8f7bac8234bda3b73135000de417709680181723c71e7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89C8.tmp
MD5
d283be636c829638bc73ce3e6a72231b

SHA1
58e1d372d643039e6217d8eb34698820c710cea6

SHA256
869669b72e6f512185cd796cf9094b3d8fc5324212fee44993c9f86acc6d99ca

SHA512
16ecb1c2d482518628dca61068504b03cdaf65210286a00504468cf593c60dbd017a73a6f45311efd776e814492a551f791ad331c5cf61026f86e0aeaec86c28

Download Submit
memory/416-129-0x0000000000000000-mapping.dmp

Download
memory/1012-137-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/1012-147-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/1012-237-0x0000000004B03000-0x0000000004B04000-memory.dmp

Filesize
4KB

Download
memory/1012-236-0x000000007F5E0000-0x000000007F5E1000-memory.dmp

Filesize
4KB

Download
memory/1012-167-0x0000000009830000-0x0000000009831000-memory.dmp

Filesize
4KB

Download
memory/1012-166-0x0000000009660000-0x0000000009661000-memory.dmp

Filesize
4KB

Download
memory/1012-128-0x0000000000000000-mapping.dmp

Download
memory/1012-161-0x00000000094F0000-0x00000000094F1000-memory.dmp

Filesize
4KB

Download
memory/1012-130-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/1012-140-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/1012-132-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/1012-133-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/1012-154-0x0000000009530000-0x0000000009563000-memory.dmp

Filesize
204KB

Download
memory/1012-135-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/1012-136-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/1012-146-0x0000000008690000-0x0000000008691000-memory.dmp

Filesize
4KB

Download
memory/1012-145-0x0000000008640000-0x0000000008641000-memory.dmp

Filesize
4KB

Download
memory/1012-144-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/1012-131-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/1012-142-0x0000000004B02000-0x0000000004B03000-memory.dmp

Filesize
4KB

Download
memory/1012-141-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2000-143-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2000-138-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2000-139-0x000000000049D8CA-mapping.dmp

Download
memory/2704-383-0x0000000000000000-mapping.dmp

Download
memory/4296-121-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/4296-123-0x00000000058F0000-0x00000000058F8000-memory.dmp

Filesize
32KB

Download
memory/4296-118-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4296-125-0x0000000005710000-0x0000000005C0E000-memory.dmp

Filesize
5.0MB

Download
memory/4296-126-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/4296-127-0x00000000065D0000-0x00000000067EC000-memory.dmp

Filesize
2.1MB

Download
memory/4296-124-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/4296-122-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/4296-120-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads