Overview

overview

10

Static

static

18ee3ef649...52.exe

windows7_x64

10

18ee3ef649...52.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    15-04-2022 00:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18ee3ef64924f4dd006ac40ef62aba58ffa82c49b705209bda9d378c183a6c52.exe

  • Size

    1.1MB

  • MD5

    46251cfdab21778b84b03cf7ce34f48c

  • SHA1

    a30a503554703f2f9d4839636433f69ae0cd0ceb

  • SHA256

    18ee3ef64924f4dd006ac40ef62aba58ffa82c49b705209bda9d378c183a6c52

  • SHA512

    34b413075368fa09b2b6c7cbd76f7cae2f734f1cf0f47f839b2eed1747ee99d054a57753ebf13202f762ab735961b6011b5b400bafce2cf4913873b23f49bb5f

Score
10/10
webmonitorbackdoorinfostealerrat

Malware Config

Extracted

Family

webmonitor

C2

niiarmah.wm01.to:443

Attributes
  • config_key

    4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O

  • private_key

    yvkn5wM8E

  • url_path

    /recv5.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor Payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18ee3ef64924f4dd006ac40ef62aba58ffa82c49b705209bda9d378c183a6c52.exe
    "C:\Users\Admin\AppData\Local\Temp\18ee3ef64924f4dd006ac40ef62aba58ffa82c49b705209bda9d378c183a6c52.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3596
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ehAogNZTRGcpoLOu.bat" "
        3⤵
          PID:3428
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/18ee3ef64924f4dd006ac40ef62aba58ffa82c49b705209bda9d378c183a6c52.exe" "%appdata%\FolderN\Security.exe" /Y
        2⤵
          PID:2056
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\FolderN\Security.exe.lnk" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\Security.exe.lnk" /f
            3⤵
              PID:2760
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\FolderN\Security.exe:Zone.Identifier
            2⤵
            • NTFS ADS
            PID:936
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c ren "%appdata%\FolderN\Security.exe.jpg" Security.exe
            2⤵
              PID:3648
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\Security.exe.bat
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3120
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 1140
                3⤵
                • Delays execution with timeout.exe
                PID:4012

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ehAogNZTRGcpoLOu.bat
            Filesize

            204B

            MD5

            ce54bce40a77e64da5e338f7cb6b8813

            SHA1

            e28d3d7dd266e09401787191a132fbbbb5d4603b

            SHA256

            e761b801d8750415e729699ec34a3ebb193f35d73e5ddbe463a4d87461b7d01d

            SHA512

            acef6b4d5922381c83f31494f1802b14aa128bea4af4aa5bd2d4fec21bf8ab98bc9825ea4d33920865734bc9e241c93f3c36721205a11bb9e01b7fa989ed925e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            Filesize

            2.5MB

            MD5

            0a7608db01cae07792cea95e792aa866

            SHA1

            71dff876e4d5edb6cea78fee7aa15845d4950e24

            SHA256

            c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

            SHA512

            990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            Filesize

            2.5MB

            MD5

            0a7608db01cae07792cea95e792aa866

            SHA1

            71dff876e4d5edb6cea78fee7aa15845d4950e24

            SHA256

            c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

            SHA512

            990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

            Download Submit

          • C:\Users\Admin\AppData\Roaming\FolderN\Security.exe
            Filesize

            1.1MB

            MD5

            46251cfdab21778b84b03cf7ce34f48c

            SHA1

            a30a503554703f2f9d4839636433f69ae0cd0ceb

            SHA256

            18ee3ef64924f4dd006ac40ef62aba58ffa82c49b705209bda9d378c183a6c52

            SHA512

            34b413075368fa09b2b6c7cbd76f7cae2f734f1cf0f47f839b2eed1747ee99d054a57753ebf13202f762ab735961b6011b5b400bafce2cf4913873b23f49bb5f

            Download Submit

          • C:\Users\Admin\AppData\Roaming\FolderN\Security.exe.bat
            Filesize

            206B

            MD5

            a3690ef376097df8129f156e5d2fecbc

            SHA1

            b8b00356978f0d75ccbfba0833444d577623c96d

            SHA256

            a071146f80adadcf680d776f45042f10e3698f3ef223c9fce6196d2cc0cdaa85

            SHA512

            256b20ebe2d6fa4cce2eaf2b861329b91b2f8b69c2c383fb7f7b9d106568b82e2dd44cd8d04bc52a6a5c863e4e92976dbacb74d009d86302695d214c8fcda5a1

            Download Submit

          • memory/3596-138-0x0000000000400000-0x00000000004F3000-memory.dmp

            Filesize

            972KB

            Download

          • memory/3596-137-0x0000000000400000-0x00000000004F3000-memory.dmp

            Filesize

            972KB

            Download

          • memory/3596-136-0x0000000000400000-0x00000000004F3000-memory.dmp

            Filesize

            972KB

            Download

          • memory/3596-133-0x0000000000400000-0x00000000004F3000-memory.dmp

            Filesize

            972KB

            Download

          • memory/4092-130-0x0000000000C70000-0x0000000000D8A000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/4092-131-0x00000000056C0000-0x000000000575C000-memory.dmp

            Filesize

            624KB

            Download