Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
02-05-2022 17:55
General
-
Target
a902b091e859022ae263bab22a5cf75d5b892314c455752a2d9195d326537118.exe
-
Size
2.9MB
-
MD5
87a119cb90e4c20d11fe569b9e26f0b6
-
SHA1
bf548af2eaf6272b3e7810b36595451542e5b4ba
-
SHA256
a902b091e859022ae263bab22a5cf75d5b892314c455752a2d9195d326537118
-
SHA512
c4ae15f80ee122c35694259e48155a69b5bdf4a7d1b4cf753cdb40dc6efd3833eb4b54afb087060ba51ec6c6f54c0d897df68fa5b26b1d4406ea6c568f6b213f
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor Payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a902b091e859022ae263bab22a5cf75d5b892314c455752a2d9195d326537118.exe"C:\Users\Admin\AppData\Local\Temp\a902b091e859022ae263bab22a5cf75d5b892314c455752a2d9195d326537118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"2⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Setup.exeFilesize
1.5MB
MD5d6972e3b20498bd9f03aa5a4193544a6
SHA13ffd0be5ae8b65470e5bc3c1acb847913539955d
SHA256f3fa89eda7795d606f0e0deeb8d6ee0633def02f2fb6c5a7a177913a844be2ca
SHA512a412b031f4ce0902d3f606a253bfc75f98d69a7e0d74b0e37db2994f91b74e425954b3f34542234fbd6d8f7737a698d879f85c855d4cc0c409e08304d0c42135
-
C:\Users\Admin\AppData\Local\Temp\Setup.exeFilesize
1.5MB
MD5d6972e3b20498bd9f03aa5a4193544a6
SHA13ffd0be5ae8b65470e5bc3c1acb847913539955d
SHA256f3fa89eda7795d606f0e0deeb8d6ee0633def02f2fb6c5a7a177913a844be2ca
SHA512a412b031f4ce0902d3f606a253bfc75f98d69a7e0d74b0e37db2994f91b74e425954b3f34542234fbd6d8f7737a698d879f85c855d4cc0c409e08304d0c42135
-
\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.4.59444.6\x86\ssapihook.dllFilesize
57KB
MD59e7f44b8f1512476aa896e977c58830b
SHA1eddd878d9e16502ee1eb7f583dd04e01b458ba42
SHA2568e6195b50bb0d22e4d346263f708f166db726c84884fe78a6bb477caed19e708
SHA512ea52b71dc58e081d0e6c1336e7bf8422d7240c8a502c790075c6ebfe88f8ff70cd2bf43d34b8c604c08d867202359f8bd35c3a0b8d2eefefe826ccd2e5c8c802
-
\Users\Admin\AppData\Local\Temp\Setup.exeFilesize
1.5MB
MD5d6972e3b20498bd9f03aa5a4193544a6
SHA13ffd0be5ae8b65470e5bc3c1acb847913539955d
SHA256f3fa89eda7795d606f0e0deeb8d6ee0633def02f2fb6c5a7a177913a844be2ca
SHA512a412b031f4ce0902d3f606a253bfc75f98d69a7e0d74b0e37db2994f91b74e425954b3f34542234fbd6d8f7737a698d879f85c855d4cc0c409e08304d0c42135
-
memory/684-70-0x00000000753B1000-0x00000000753B3000-memory.dmpFilesize
8KB
-
memory/684-62-0x00000000007DE000-0x00000000007E3000-memory.dmpFilesize
20KB
-
memory/684-65-0x00000000007DE000-0x00000000007E3000-memory.dmpFilesize
20KB
-
memory/684-69-0x00000000007DE000-0x00000000007E3000-memory.dmpFilesize
20KB
-
memory/684-68-0x00000000007DE000-0x00000000007E3000-memory.dmpFilesize
20KB
-
memory/684-71-0x00000000007DE000-0x00000000007E3000-memory.dmpFilesize
20KB
-
memory/684-60-0x00000000007DE000-0x00000000007E3000-memory.dmpFilesize
20KB
-
memory/684-66-0x00000000007DE000-0x00000000007E3000-memory.dmpFilesize
20KB
-
memory/684-56-0x00000000007DE000-0x00000000007E3000-memory.dmpFilesize
20KB
-
memory/684-63-0x00000000007DE000-0x00000000007E3000-memory.dmpFilesize
20KB
-
memory/684-59-0x00000000007DE000-0x00000000007E3000-memory.dmpFilesize
20KB
-
memory/684-76-0x00000000027B0000-0x00000000027B8000-memory.dmpFilesize
32KB
-
memory/1204-85-0x00000000011F6000-0x0000000001207000-memory.dmpFilesize
68KB
-
memory/1204-83-0x000000006F470000-0x000000006FA1B000-memory.dmpFilesize
5.7MB
-
memory/1204-80-0x00000000004EED8E-mapping.dmp
-
memory/1204-82-0x0000000000400000-0x00000000004F9000-memory.dmpFilesize
996KB
-
memory/1376-78-0x00000000012C0000-0x0000000001450000-memory.dmpFilesize
1.6MB
-
memory/1376-79-0x0000000004F30000-0x0000000005030000-memory.dmpFilesize
1024KB
-
memory/1376-73-0x0000000000000000-mapping.dmp
-
memory/1376-86-0x00000000050F5000-0x0000000005106000-memory.dmpFilesize
68KB
-
memory/1524-87-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/1524-88-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/1524-90-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/1524-91-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/1524-92-0x00000000005F5A70-mapping.dmp
-
memory/1524-93-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/1524-94-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/1524-97-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/1524-98-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/1524-99-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/1524-100-0x0000000002AD0000-0x0000000003AD0000-memory.dmpFilesize
16.0MB