Analysis
-
max time kernel
161s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
20-03-2022 03:28
Static task
static1
Behavioral task
behavioral1
Sample
502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe
Resource
win10v2004-en-20220113
General
-
Target
502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe
-
Size
1.6MB
-
MD5
32f9e259ffcd8c8aecafb3aba2e4be45
-
SHA1
7d2d41402dbfbf62b352df96c27a56cd6f8e11e1
-
SHA256
502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6
-
SHA512
aa6f8fdb3efae11e7e498ecfe4077a365c7b1fba8da765ceba69a83319a61911c0c7950555f6ac28ed6c65a6571aca6c70c6e728d0bb3cb5a5896ad9de6635bc
Malware Config
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/212-142-0x0000000000400000-0x00000000005F7000-memory.dmp family_webmonitor behavioral2/memory/212-143-0x0000000000400000-0x00000000005F7000-memory.dmp family_webmonitor -
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Processes:
resource yara_rule behavioral2/memory/212-139-0x0000000000400000-0x00000000005F7000-memory.dmp upx behavioral2/memory/212-140-0x0000000000400000-0x00000000005F7000-memory.dmp upx behavioral2/memory/212-141-0x0000000000400000-0x00000000005F7000-memory.dmp upx behavioral2/memory/212-142-0x0000000000400000-0x00000000005F7000-memory.dmp upx behavioral2/memory/212-143-0x0000000000400000-0x00000000005F7000-memory.dmp upx -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exedescription pid process target process PID 2744 set thread context of 212 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exepid process 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exedescription pid process Token: SeDebugPrivilege 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe Token: SeDebugPrivilege 212 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe Token: SeShutdownPrivilege 212 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe Token: SeCreatePagefilePrivilege 212 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exedescription pid process target process PID 2744 wrote to memory of 3632 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe schtasks.exe PID 2744 wrote to memory of 3632 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe schtasks.exe PID 2744 wrote to memory of 3632 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe schtasks.exe PID 2744 wrote to memory of 212 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe PID 2744 wrote to memory of 212 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe PID 2744 wrote to memory of 212 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe PID 2744 wrote to memory of 212 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe PID 2744 wrote to memory of 212 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe PID 2744 wrote to memory of 212 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe PID 2744 wrote to memory of 212 2744 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe"C:\Users\Admin\AppData\Local\Temp\502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCSdYczDdDBi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C0A.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9C0A.tmpMD5
12ab8543d8271f6d8a2b0e51f0a7cbe8
SHA1e9ab9dd18b7918c8916cba447ad330acf46bac05
SHA256de2808b6e1a3943857edc93fd52b1493f1b188c694a2280964c8a138c0f6fd1f
SHA5126ba44ab2037d39c705e466c306537d4e9c30c7b876002485fd9fcc1b2a367aeeb008969a612e07a1f45fbf51e4364b7be595ba5416ed97626df75d10e4301190
-
memory/212-144-0x0000000003500000-0x0000000004500000-memory.dmpFilesize
16.0MB
-
memory/212-143-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/212-142-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/212-141-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/212-140-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/212-139-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/2744-133-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/2744-137-0x0000000000D90000-0x0000000000DF6000-memory.dmpFilesize
408KB
-
memory/2744-136-0x0000000008810000-0x00000000088AC000-memory.dmpFilesize
624KB
-
memory/2744-135-0x0000000005020000-0x00000000055C4000-memory.dmpFilesize
5.6MB
-
memory/2744-134-0x0000000005120000-0x000000000512A000-memory.dmpFilesize
40KB
-
memory/2744-130-0x0000000000430000-0x00000000005D6000-memory.dmpFilesize
1.6MB
-
memory/2744-132-0x0000000004F70000-0x0000000005002000-memory.dmpFilesize
584KB
-
memory/2744-131-0x00000000055D0000-0x0000000005B74000-memory.dmpFilesize
5.6MB