webmonitor | bd2c2c4d451fbf0d9a21766f08469add420e1ebd09e8f3cec61f200418b238d5

Analysis

max time kernel
152s
max time network
120s
platform
windows7_x64
resource
win7-en-20211208
submitted
11-12-2021 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Perfectly Clear Workbench.exe
Size

22.7MB
MD5

07c8ab309a013e4786c9587db7a65bdf
SHA1

ef8ab1daf015590cf14ce47a350a99c82b71d125
SHA256

9f9f34da4353b46d4b59673ac0520cdf7bd5a513c0590dfde99363cf5f1db657
SHA512

ef392d50539d36eac9609ffcd76a68fa2e18b9fde03e2f8d4554a557e1bd093129aae302211b0ccd04f39b277feff7067cf0bf33b34604e0ab5a3f8d34dfadf2

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

regasm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\255P0r6tYV31PInc\\AqBLOT4psgtW.exe\",explorer.exe"	regasm.exe

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1852-113-0x0000000000400000-0x00000000005F7000-memory.dmp	family_webmonitor

Executes dropped EXE 1 IoCs

Processes:

IDMan.exe

pid process

1400 IDMan.exe

pid	process
1400	IDMan.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IDMan.exe	upx
C:\Users\Admin\AppData\Local\Temp\IDMan.exe	upx
behavioral1/memory/1852-108-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/1852-109-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/1852-110-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/1852-113-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/1852-114-0x0000000000400000-0x00000000005F7000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

Perfectly Clear Workbench.exe

pid process

1904 Perfectly Clear Workbench.exe

pid	process
1904	Perfectly Clear Workbench.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AppLaunch.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\WM-3631 = "C:\\Users\\Admin\\AppData\\Roaming\\WM-3631.exe"	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WM-3631 = "C:\\Users\\Admin\\AppData\\Roaming\\WM-3631.exe"	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Perfectly Clear Workbench.exeregasm.exe

description	pid	process	target process
PID 1904 set thread context of 1156	1904	Perfectly Clear Workbench.exe	regasm.exe
PID 1156 set thread context of 1852	1156	regasm.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1172 1852 WerFault.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regasm.exeWerFault.exe

pid process

1156 regasm.exe
1172 WerFault.exe
1172 WerFault.exe
1172 WerFault.exe
1172 WerFault.exe
1172 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1172 WerFault.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Perfectly Clear Workbench.exe

pid process

1904 Perfectly Clear Workbench.exe

pid	pid_target	process	target process
1172	1852	WerFault.exe	AppLaunch.exe

pid	process
1156	regasm.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe

pid	process
1172	WerFault.exe

pid	process
1904	Perfectly Clear Workbench.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

regasm.exeAppLaunch.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1156	regasm.exe
Token: SeDebugPrivilege	1852	AppLaunch.exe
Token: SeShutdownPrivilege	1852	AppLaunch.exe
Token: SeDebugPrivilege	1172	WerFault.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Perfectly Clear Workbench.exeAppLaunch.exe

pid process

1904 Perfectly Clear Workbench.exe
1852 AppLaunch.exe

pid	process
1904	Perfectly Clear Workbench.exe
1852	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

Perfectly Clear Workbench.exeregasm.exeAppLaunch.exe

description	pid	process	target process
PID 1904 wrote to memory of 1400	1904	Perfectly Clear Workbench.exe	IDMan.exe
PID 1904 wrote to memory of 1400	1904	Perfectly Clear Workbench.exe	IDMan.exe
PID 1904 wrote to memory of 1400	1904	Perfectly Clear Workbench.exe	IDMan.exe
PID 1904 wrote to memory of 1400	1904	Perfectly Clear Workbench.exe	IDMan.exe
PID 1904 wrote to memory of 1156	1904	Perfectly Clear Workbench.exe	regasm.exe
PID 1904 wrote to memory of 1156	1904	Perfectly Clear Workbench.exe	regasm.exe
PID 1904 wrote to memory of 1156	1904	Perfectly Clear Workbench.exe	regasm.exe
PID 1904 wrote to memory of 1156	1904	Perfectly Clear Workbench.exe	regasm.exe
PID 1904 wrote to memory of 1156	1904	Perfectly Clear Workbench.exe	regasm.exe
PID 1904 wrote to memory of 1156	1904	Perfectly Clear Workbench.exe	regasm.exe
PID 1904 wrote to memory of 1156	1904	Perfectly Clear Workbench.exe	regasm.exe
PID 1904 wrote to memory of 1156	1904	Perfectly Clear Workbench.exe	regasm.exe
PID 1156 wrote to memory of 1852	1156	regasm.exe	AppLaunch.exe
PID 1156 wrote to memory of 1852	1156	regasm.exe	AppLaunch.exe
PID 1156 wrote to memory of 1852	1156	regasm.exe	AppLaunch.exe
PID 1156 wrote to memory of 1852	1156	regasm.exe	AppLaunch.exe
PID 1156 wrote to memory of 1852	1156	regasm.exe	AppLaunch.exe
PID 1156 wrote to memory of 1852	1156	regasm.exe	AppLaunch.exe
PID 1156 wrote to memory of 1852	1156	regasm.exe	AppLaunch.exe
PID 1156 wrote to memory of 1852	1156	regasm.exe	AppLaunch.exe
PID 1156 wrote to memory of 1852	1156	regasm.exe	AppLaunch.exe
PID 1156 wrote to memory of 1852	1156	regasm.exe	AppLaunch.exe
PID 1156 wrote to memory of 1852	1156	regasm.exe	AppLaunch.exe
PID 1852 wrote to memory of 1172	1852	AppLaunch.exe	WerFault.exe
PID 1852 wrote to memory of 1172	1852	AppLaunch.exe	WerFault.exe
PID 1852 wrote to memory of 1172	1852	AppLaunch.exe	WerFault.exe
PID 1852 wrote to memory of 1172	1852	AppLaunch.exe	WerFault.exe
PID 1852 wrote to memory of 1172	1852	AppLaunch.exe	WerFault.exe
PID 1852 wrote to memory of 1172	1852	AppLaunch.exe	WerFault.exe
PID 1852 wrote to memory of 1172	1852	AppLaunch.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Perfectly Clear Workbench.exe
"C:\Users\Admin\AppData\Local\Temp\Perfectly Clear Workbench.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\IDMan.exe
  C:\Users\Admin\AppData\Local\Temp\IDMan.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1692
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IDMan.exe

MD5
840f6ec78053bc2351083006c19eb6ec

SHA1
0ea47ee5f735b227e47228332a4349dbaf951a7c

SHA256
973e4e3d6328c0fc06194b424ee902673831c894a70b1e34ef48f15e5ac916af

SHA512
9dc8f809b7cbc9b1742111b7c3112ff07b9c2d4cb9e7369bfc0e556e740fbe46a06cbae465807ae995b1b34e5321cf6ec219d2237cb1a53b51d97a2190419d9e

Download Submit
\Users\Admin\AppData\Local\Temp\IDMan.exe

MD5
840f6ec78053bc2351083006c19eb6ec

SHA1
0ea47ee5f735b227e47228332a4349dbaf951a7c

SHA256
973e4e3d6328c0fc06194b424ee902673831c894a70b1e34ef48f15e5ac916af

SHA512
9dc8f809b7cbc9b1742111b7c3112ff07b9c2d4cb9e7369bfc0e556e740fbe46a06cbae465807ae995b1b34e5321cf6ec219d2237cb1a53b51d97a2190419d9e

Download Submit
memory/1156-105-0x0000000000BA1000-0x0000000000BA2000-memory.dmp

Filesize
4KB

Download
memory/1156-99-0x000000000056927E-mapping.dmp

Download
memory/1156-100-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1156-102-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1156-103-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1156-104-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/1156-106-0x0000000000BA6000-0x0000000000BB7000-memory.dmp

Filesize
68KB

Download
memory/1172-118-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1172-116-0x0000000000000000-mapping.dmp

Download
memory/1400-94-0x0000000000000000-mapping.dmp

Download
memory/1852-113-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1852-108-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1852-109-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1852-110-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1852-107-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1852-111-0x00000000005F5A70-mapping.dmp

Download
memory/1852-114-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1852-115-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/1904-67-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-71-0x0000000001B6A000-0x0000000001B6C000-memory.dmp

Filesize
8KB

Download
memory/1904-80-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-81-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-82-0x0000000001B6A000-0x0000000001B6C000-memory.dmp

Filesize
8KB

Download
memory/1904-85-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-92-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1904-77-0x0000000001B6A000-0x0000000001B6C000-memory.dmp

Filesize
8KB

Download
memory/1904-74-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-75-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-96-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-97-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-98-0x0000000001B6A000-0x0000000001B6C000-memory.dmp

Filesize
8KB

Download
memory/1904-73-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-72-0x0000000001B6A000-0x0000000001B6C000-memory.dmp

Filesize
8KB

Download
memory/1904-79-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-69-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-101-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1904-68-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-53-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1904-65-0x0000000001B6A000-0x0000000001B6C000-memory.dmp

Filesize
8KB

Download
memory/1904-64-0x0000000001B6A000-0x0000000001B6C000-memory.dmp

Filesize
8KB

Download
memory/1904-63-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-62-0x0000000001B6C000-0x0000000001B6E000-memory.dmp

Filesize
8KB

Download
memory/1904-60-0x0000000001B6A000-0x0000000001B6C000-memory.dmp

Filesize
8KB

Download
memory/1904-61-0x0000000001B58000-0x0000000001B5A000-memory.dmp

Filesize
8KB

Download
memory/1904-59-0x0000000001B6A000-0x0000000001B6C000-memory.dmp

Filesize
8KB

Download
memory/1904-58-0x0000000001B5E000-0x0000000001B5F000-memory.dmp

Filesize
4KB

Download
memory/1904-56-0x0000000001B5D000-0x0000000001B5E000-memory.dmp

Filesize
4KB

Download
memory/1904-55-0x0000000001B5D000-0x0000000001B5E000-memory.dmp

Filesize
4KB

Download
memory/1904-54-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download