Analysis
-
max time kernel
132s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
18-04-2022 12:45
General
-
Target
Statement for due invoices.exe
-
Size
1020KB
-
MD5
39812fe18840e436a74aff55785f08d4
-
SHA1
88c0f62af95c53b0a4d1f2d9422c9016490851ed
-
SHA256
0d2cf62b947967dcece71936fe76d44d03d97f11c6ec580c67f33761a99ef708
-
SHA512
7188efcc5c683c4bdab4ad5dace8df49402e64de6c3bf6c6be980e831ae1aca9a7a094aee89f97236f1f00468e6ba93988dad2ca8c2778557f8f5d5418ccaa24
Malware Config
Extracted
webmonitor
blackwire.wm01.to:443
-
config_key
XHSPjxLqnkGzEknQM1EIWtzFAMfNcnJY
-
private_key
Bm19W87ME
-
url_path
/recv5.php
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor Payload 3 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Statement for due invoices.exe"C:\Users\Admin\AppData\Local\Temp\Statement for due invoices.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iPiuyFhOmJALV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE071.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Statement for due invoices.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpE071.tmpFilesize
1KB
MD5da176821e55af7dcad375ba593082684
SHA1edb7dec1d8ebb16f086a32f40f7aaf258226ee26
SHA2569727d50a2f2da4774cfc70b6a607106f84ce12df2d3819a49e84b1cf6e8a87aa
SHA512480a858a540b670d8398cfb8d6678d447ce47190da238c9721e2ad4f29266e283102a6e0ff1056e6be8ea67bccd0cf6bf4083ae7daec6b6c24f0ebc71d8bd9ce
-
memory/1804-63-0x0000000000400000-0x00000000004F6000-memory.dmpFilesize
984KB
-
memory/1804-64-0x00000000004F4AC0-mapping.dmp
-
memory/1804-71-0x00000000032C0000-0x00000000042C0000-memory.dmpFilesize
16.0MB
-
memory/1804-69-0x0000000000400000-0x00000000004F6000-memory.dmpFilesize
984KB
-
memory/1804-59-0x0000000000400000-0x00000000004F6000-memory.dmpFilesize
984KB
-
memory/1804-60-0x0000000000400000-0x00000000004F6000-memory.dmpFilesize
984KB
-
memory/1804-68-0x0000000000400000-0x00000000004F6000-memory.dmpFilesize
984KB
-
memory/1804-67-0x0000000000400000-0x00000000004F6000-memory.dmpFilesize
984KB
-
memory/1804-62-0x0000000000400000-0x00000000004F6000-memory.dmpFilesize
984KB
-
memory/1804-65-0x0000000000400000-0x00000000004F6000-memory.dmpFilesize
984KB
-
memory/1804-66-0x0000000075841000-0x0000000075843000-memory.dmpFilesize
8KB
-
memory/1820-57-0x0000000000000000-mapping.dmp
-
memory/2044-54-0x0000000000C80000-0x0000000000D86000-memory.dmpFilesize
1.0MB
-
memory/2044-56-0x00000000051C0000-0x000000000526C000-memory.dmpFilesize
688KB
-
memory/2044-55-0x0000000000770000-0x000000000078E000-memory.dmpFilesize
120KB