webmonitor | 98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a

General

Target

98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe
Size

1.6MB
MD5

a8004453810b0b62da1aa007091ce3e2
SHA1

d8eab7301e6ac2ac9a24f6395e4024e04e15697d
SHA256

98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a
SHA512

c6cb7c15b0b0b17d383853e072dd77ca7bd32d2698add1d5277ebb144cc4c0bc60164723e63c9e768129059b160ff7f7a7bf3d33eecf4fdd5ab4362272ec4ae6

Score

10^/10

webmonitor backdoor evasion infostealer rat upx

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1996-69-0x0000000000400000-0x00000000005F7000-memory.dmp	family_webmonitor
behavioral1/memory/1996-70-0x0000000000400000-0x00000000005F7000-memory.dmp	family_webmonitor
behavioral1/memory/1996-72-0x0000000002CE0000-0x0000000003CE0000-memory.dmp	family_webmonitor

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1996-62-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/1996-64-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/1996-66-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/1996-67-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/1996-68-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/1996-69-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/1996-70-0x0000000000400000-0x00000000005F7000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 1996	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
476	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe
Token: SeDebugPrivilege	1996	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe
Token: SeShutdownPrivilege	1996	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 476	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	30
PID 1632 wrote to memory of 476	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	30
PID 1632 wrote to memory of 476	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	30
PID 1632 wrote to memory of 476	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	30
PID 1632 wrote to memory of 1996	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	32
PID 1632 wrote to memory of 1996	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	32
PID 1632 wrote to memory of 1996	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	32
PID 1632 wrote to memory of 1996	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	32
PID 1632 wrote to memory of 1996	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	32
PID 1632 wrote to memory of 1996	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	32
PID 1632 wrote to memory of 1996	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	32
PID 1632 wrote to memory of 1996	1632	98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe	32

C:\Users\Admin\AppData\Local\Temp\98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe
"C:\Users\Admin\AppData\Local\Temp\98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ydmvezGInX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6068.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:476
- C:\Users\Admin\AppData\Local\Temp\98c04d9dbe5fcb2d920502beeb6dd342459d0d2ee48ad06402d538c8cdeb806a.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-54-0x0000000000F70000-0x0000000001118000-memory.dmp

Filesize
1.7MB

Download
memory/1632-55-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/1632-56-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1632-57-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/1632-58-0x0000000008560000-0x00000000086A2000-memory.dmp

Filesize
1.3MB

Download
memory/1996-64-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1996-62-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1996-60-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1996-66-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1996-67-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1996-68-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1996-69-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1996-70-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1996-71-0x0000000075611000-0x0000000075613000-memory.dmp

Filesize
8KB

Download
memory/1996-72-0x0000000002CE0000-0x0000000003CE0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads