Analysis
- max time kernel: 149s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 19:59
Static task: static1

Behavioral task: behavioral1
- Sample: JANUARY OVERDUE INVOICE.pdf.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: JANUARY OVERDUE INVOICE.pdf.exe
- Resource: win10v2004-en-20220113
General
- Target: JANUARY OVERDUE INVOICE.pdf.exe
- Size: 1.5MB
- MD5: f7d79ec6a3bf524f8f0c0e8d54949948
- SHA1: ff9535613f977f6321a1eca20c50e97d23c83259
- SHA256: b4fbe906439597a3d05b94f3a7001069687e598cabc9a82e47d6c43046be10a5
- SHA512: 27dd0344afe613f24147e08aa1208e0fbea2c6618a69a97e48b94a9f412b44273dfd268653dcaec7a83e7fdb10601b6c58ee90bc412601879308f69f7d5d2783
Malware Config
Extracted: webmonitor
- niiarmah.wm01.to:443
- config_key: 4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O
- private_key: yvkn5wM8E
- url_path: /recv5.php
Signatures
- RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool, operated from any browser, for controlling and monitoring phones or PCs.
- WebMonitor Payload (5 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1840-63-0x0000000000400000-0x00000000004F3000-memory.dmp | family_webmonitor
behavioral1/memory/1840-64-0x0000000000400000-0x00000000004F3000-memory.dmp | family_webmonitor
behavioral1/memory/1840-65-0x0000000000400000-0x00000000004F3000-memory.dmp | family_webmonitor
behavioral1/memory/1840-68-0x0000000000400000-0x00000000004F3000-memory.dmp | family_webmonitor
behavioral1/memory/1840-69-0x0000000000401000-0x00000000004F3000-memory.dmp | family_webmonitor

- CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
Processes:
resource | yara_rule
behavioral1/memory/1100-57-0x0000000000BD0000-0x0000000000BDA000-memory.dmp | CustAttr

- Suspicious use of SetThreadContext (1 IoC)
Processes: JANUARY OVERDUE INVOICE.pdf.exe
description | pid | process | target process
PID 1100 set thread context of 1840 | 1100 | JANUARY OVERDUE INVOICE.pdf.exe | RegSvcs.exe

- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: JANUARY OVERDUE INVOICE.pdf.exe
pid | process
1100 | JANUARY OVERDUE INVOICE.pdf.exe
1100 | JANUARY OVERDUE INVOICE.pdf.exe
1100 | JANUARY OVERDUE INVOICE.pdf.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: JANUARY OVERDUE INVOICE.pdf.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 1100 | JANUARY OVERDUE INVOICE.pdf.exe
Token: SeShutdownPrivilege | 1840 | RegSvcs.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
Processes: JANUARY OVERDUE INVOICE.pdf.exe
description | pid | process | target process
PID 1100 wrote to memory of 304 | 1100 | JANUARY OVERDUE INVOICE.pdf.exe | schtasks.exe (4 identical entries)
PID 1100 wrote to memory of 1840 | 1100 | JANUARY OVERDUE INVOICE.pdf.exe | RegSvcs.exe (13 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\JANUARY OVERDUE INVOICE.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JANUARY OVERDUE INVOICE.pdf.exe"
  PID: 1100
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbDmDauhDnWnVS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp730D.tmp"
    PID: 304
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 1840
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e9770f75c77fd3b67cd2d075663087b3
- SHA1: 49baecc09000e1ee24b31284d3ef52af484eed83
- SHA256: 5494fe9c0da46481e2157fb40fc945e6111cccb26fa12993dc5d7c57f4ce3baf
- SHA512: 054494cb1b5118e4e35a980e93f44fbcbb5a060900a37ab2752be9934b5564d3accaaaf4495ab2e20501eaff733e4012976e120d9c9bf9daf85d2b577d1397cb