Overview

overview

10

Static

static

b2c9e863e2...69.exe

windows7_x64

10

b2c9e863e2...69.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    198s
  • max time network
    206s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    18-04-2022 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe

  • Size

    1.1MB

  • MD5

    4d08cd26844d557101ce21938812261c

  • SHA1

    fce26de220032955493d70dfb7b2b3e9bf04d909

  • SHA256

    b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769

  • SHA512

    dcf1b8fed11f5b4bbc54e0e80bf5cda4cd7cf34bb2f478bbf4971a36d78bc6c7cb36b5e57539bc7bbc1445d476913dca818ef7cab208ef7da7beed17f2dd0809

Score
10/10
webmonitorbackdoorinfostealerrat

Malware Config

Extracted

Family

webmonitor

C2

niiarmah.wm01.to:443

Attributes
  • config_key

    4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O

  • private_key

    yvkn5wM8E

  • url_path

    /recv5.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor Payload 7 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe
    "C:\Users\Admin\AppData\Local\Temp\b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe" "%appdata%\Mail\Mail Service.exe" /Y
      2⤵
        PID:692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\Mail\Mail Service.exe.lnk" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:364
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Mail\Mail Service.exe.lnk" /f
          3⤵
            PID:652
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\Mail\Mail Service.exe:Zone.Identifier
          2⤵
            PID:1496

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          Filesize

          2.6MB

          MD5

          1f7bccc57d21a4bfeddaafe514cfd74d

          SHA1

          4dab09179a12468cb1757cb7ca26e06d616b0a8d

          SHA256

          d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

          SHA512

          9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mail\Mail Service.exe
          Filesize

          1.1MB

          MD5

          4d08cd26844d557101ce21938812261c

          SHA1

          fce26de220032955493d70dfb7b2b3e9bf04d909

          SHA256

          b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769

          SHA512

          dcf1b8fed11f5b4bbc54e0e80bf5cda4cd7cf34bb2f478bbf4971a36d78bc6c7cb36b5e57539bc7bbc1445d476913dca818ef7cab208ef7da7beed17f2dd0809

          Download Submit

        • \Users\Admin\AppData\Local\Temp\svhost.exe
          Filesize

          2.6MB

          MD5

          1f7bccc57d21a4bfeddaafe514cfd74d

          SHA1

          4dab09179a12468cb1757cb7ca26e06d616b0a8d

          SHA256

          d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

          SHA512

          9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

          Download Submit

        • \Users\Admin\AppData\Roaming\Mail\Mail Service.exe
          Filesize

          1.1MB

          MD5

          4d08cd26844d557101ce21938812261c

          SHA1

          fce26de220032955493d70dfb7b2b3e9bf04d909

          SHA256

          b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769

          SHA512

          dcf1b8fed11f5b4bbc54e0e80bf5cda4cd7cf34bb2f478bbf4971a36d78bc6c7cb36b5e57539bc7bbc1445d476913dca818ef7cab208ef7da7beed17f2dd0809

          Download Submit

        • memory/2012-59-0x0000000000400000-0x00000000004F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2012-68-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2012-69-0x0000000000400000-0x00000000004F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2012-71-0x0000000000400000-0x00000000004F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2012-63-0x0000000000400000-0x00000000004F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2012-61-0x0000000000400000-0x00000000004F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2012-57-0x0000000000400000-0x00000000004F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2012-56-0x0000000000400000-0x00000000004F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2012-78-0x00000000031A0000-0x00000000041A0000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/2016-54-0x0000000000160000-0x000000000027E000-memory.dmp

          Filesize

          1.1MB

          Download