Overview

overview

10

Static

static

IMAGE20210...92.exe

windows7_x64

10

IMAGE20210...92.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05-02-2022 13:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMAGE20210406_490133692.exe

  • Size

    1.6MB

  • MD5

    432494553bb7b05ce1970f180968aac3

  • SHA1

    c1147f87babcf9c0ce3e278ded158c1343dc7e92

  • SHA256

    ecf20ba9055ef6e87d3c8565f3eedf67f02b068c844056d7a5c1d60bb9e67e5b

  • SHA512

    bf961ad8680d045a9a2555018695ed2e0a607feda2b60a3936be19f380985742075349d3d9112a8894f5a0c0fef2c9c668e5469ca4005ca7109bf8925b5067fd

Score
10/10
webmonitorbackdoorinfostealerrat

Malware Config

Extracted

Family

webmonitor

C2

saudi101.wm01.to:443

Attributes
  • config_key

    lTAZJgwyYrKf0HlGbBwDnSIl6MwJkb96

  • private_key

    R048cDPMf

  • url_path

    /recv5.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor Payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IMAGE20210406_490133692.exe
    "C:\Users\Admin\AppData\Local\Temp\IMAGE20210406_490133692.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IMAGE20210406_490133692.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1384
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nTLvOJ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1320
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nTLvOJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A11.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2644
    • C:\Users\Admin\AppData\Local\Temp\IMAGE20210406_490133692.exe
      "C:\Users\Admin\AppData\Local\Temp\IMAGE20210406_490133692.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AX2LT6Z2it8SYkbu.bat" "
        3⤵
          PID:3168
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nTLvOJ.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:976
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1268

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      a37ec211ba4451a8aaf8efb3e15e3f6e

      SHA1

      bf9447c2ea8409ee62f8a8fb57019d96dfec39f7

      SHA256

      06fc349d10b645d977669a73fc5c5b5f912d94934b46c62a69e236f92a16956a

      SHA512

      c8d55fc70e7cf9fa86d208b3fb0e3ada92eb426365f7a99264317bc6f65be346a98a516ca51d6f55996774031d82ecd0de965a798a2044d406b98c9a6f61549a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AX2LT6Z2it8SYkbu.bat
      MD5

      19ca82e41368266cbbc05f8365242690

      SHA1

      9d2dfeda322a6b84e8bfede98857cc034ac5ed27

      SHA256

      3998817b01c48888822156727244d6a52a44a27e67bf2ee3d612f1ecf70afaf9

      SHA512

      5303dd5e32eda13e20ce4a35d768e159cec5d510df4dd0c21b028b3c4cb8f30dbc644ec826f27d641dfa33f30014451dd73fceb6323e90409ce94f693f64862b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp9A11.tmp
      MD5

      857478802c401722ce4addd61b079d69

      SHA1

      fb2d7a1ce76f27abbbd830a4fdd8c33564788111

      SHA256

      a1d12f5c81e07d579a37f5f32d2e5957a65a8d198a8fa7e5062201501d3ec918

      SHA512

      dbd7ddfac6dac88c2cde2d938dd803d68899b598754e82bc488359d5dc117208e01092e28052a8d8f4a9326ca2ab6b2551df19a2263835d77a5fa73ff81c4a90

      Download Submit

    • memory/1280-155-0x0000000000400000-0x00000000004F3000-memory.dmp

      Filesize

      972KB

      Download

    • memory/1280-152-0x0000000000400000-0x00000000004F3000-memory.dmp

      Filesize

      972KB

      Download

    • memory/1320-150-0x00000000076E0000-0x0000000007746000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1320-151-0x0000000007FC0000-0x0000000008026000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1320-165-0x00000000752E0000-0x000000007532C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1320-175-0x0000000009BE0000-0x0000000009BFA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1320-161-0x0000000007355000-0x0000000007357000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1320-158-0x0000000008570000-0x000000000858E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1320-169-0x000000007F960000-0x000000007F961000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1320-146-0x0000000007350000-0x0000000007351000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1320-147-0x0000000007352000-0x0000000007353000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1320-149-0x00000000074C0000-0x00000000074E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1384-174-0x0000000008FF0000-0x0000000008FFE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1384-140-0x0000000004180000-0x00000000041B6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1384-159-0x00000000041C5000-0x00000000041C7000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1384-143-0x0000000006D80000-0x00000000073A8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1384-168-0x000000007EE30000-0x000000007EE31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1384-173-0x0000000009030000-0x00000000090C6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1384-163-0x00000000752E0000-0x000000007532C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1384-144-0x00000000041C0000-0x00000000041C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1384-170-0x0000000009400000-0x0000000009A7A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1384-145-0x00000000041C2000-0x00000000041C3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1568-134-0x0000000005970000-0x0000000005F14000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1568-136-0x0000000005BC0000-0x0000000005C16000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1568-135-0x0000000005880000-0x000000000588A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1568-137-0x000000007FDA0000-0x000000007FDA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1568-132-0x0000000005F20000-0x00000000064C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1568-130-0x0000000000D50000-0x0000000000EE6000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1568-133-0x0000000005970000-0x0000000005A02000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1568-131-0x00000000058D0000-0x000000000596C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1964-157-0x0000000006DF2000-0x0000000006DF3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1964-171-0x00000000095C0000-0x00000000095DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1964-167-0x000000007FAA0000-0x000000007FAA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1964-172-0x0000000009630000-0x000000000963A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1964-166-0x00000000087C0000-0x00000000087DE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1964-164-0x00000000752E0000-0x000000007532C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1964-162-0x00000000087E0000-0x0000000008812000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1964-176-0x00000000098E0000-0x00000000098E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1964-160-0x0000000006DF5000-0x0000000006DF7000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1964-156-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

      Filesize

      4KB

      Download