webmonitor | 502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6

General

Target

502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe
Size

1.6MB
MD5

32f9e259ffcd8c8aecafb3aba2e4be45
SHA1

7d2d41402dbfbf62b352df96c27a56cd6f8e11e1
SHA256

502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6
SHA512

aa6f8fdb3efae11e7e498ecfe4077a365c7b1fba8da765ceba69a83319a61911c0c7950555f6ac28ed6c65a6571aca6c70c6e728d0bb3cb5a5896ad9de6635bc

Score

10^/10

webmonitor backdoor evasion infostealer rat suricata upx

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 2 IoCs

resource	yara_rule
behavioral2/memory/212-142-0x0000000000400000-0x00000000005F7000-memory.dmp	family_webmonitor
behavioral2/memory/212-143-0x0000000000400000-0x00000000005F7000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/212-139-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/212-140-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/212-141-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/212-142-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/212-143-0x0000000000400000-0x00000000005F7000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 212	2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe
Token: SeDebugPrivilege	212	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe
Token: SeShutdownPrivilege	212	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe
Token: SeCreatePagefilePrivilege	212	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 3632	2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe	89
PID 2744 wrote to memory of 3632	2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe	89
PID 2744 wrote to memory of 3632	2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe	89
PID 2744 wrote to memory of 212	2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe	91
PID 2744 wrote to memory of 212	2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe	91
PID 2744 wrote to memory of 212	2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe	91
PID 2744 wrote to memory of 212	2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe	91
PID 2744 wrote to memory of 212	2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe	91
PID 2744 wrote to memory of 212	2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe	91
PID 2744 wrote to memory of 212	2744	502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe	91

C:\Users\Admin\AppData\Local\Temp\502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe
"C:\Users\Admin\AppData\Local\Temp\502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCSdYczDdDBi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C0A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3632
- C:\Users\Admin\AppData\Local\Temp\502b22daccb38e891942b4eb37474dd0d62fdf4a74bd79946bf5c96d3ef67bf6.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-144-0x0000000003500000-0x0000000004500000-memory.dmp

Filesize
16.0MB

Download
memory/212-143-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/212-142-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/212-141-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/212-140-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/212-139-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2744-133-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/2744-137-0x0000000000D90000-0x0000000000DF6000-memory.dmp

Filesize
408KB

Download
memory/2744-136-0x0000000008810000-0x00000000088AC000-memory.dmp

Filesize
624KB

Download
memory/2744-135-0x0000000005020000-0x00000000055C4000-memory.dmp

Filesize
5.6MB

Download
memory/2744-134-0x0000000005120000-0x000000000512A000-memory.dmp

Filesize
40KB

Download
memory/2744-130-0x0000000000430000-0x00000000005D6000-memory.dmp

Filesize
1.6MB

Download
memory/2744-132-0x0000000004F70000-0x0000000005002000-memory.dmp

Filesize
584KB

Download
memory/2744-131-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads