Analysis
-
max time kernel
131s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 00:21
Static task
static1
Behavioral task
behavioral1
Sample
zd4vWiNB908TG99.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
zd4vWiNB908TG99.exe
Resource
win10v2004-20220414-en
General
-
Target
zd4vWiNB908TG99.exe
-
Size
1007KB
-
MD5
f3370ea593b2afe30af97925d3a63295
-
SHA1
628af1ff11ecd9101e73dc0971d432e1c64e26fe
-
SHA256
3c8d5a42b3b1e9ec4c489d8ec98ba60d6d107e62b2d1a2cc43570840374ff05f
-
SHA512
182118828e580fe8e0e1188be751c93fde397af83dbff40f79e439ab3858cd3ce04d81e6c18b9bf264734b92a5bd302746b7a036c6a956ba70020da25532654c
Malware Config
Extracted
webmonitor
niiarmah.wm01.to:443
-
config_key
4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O
-
private_key
yvkn5wM8E
-
url_path
/recv5.php
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor Payload 7 IoCs
resource yara_rule behavioral1/memory/1604-63-0x0000000000400000-0x00000000004F3000-memory.dmp family_webmonitor behavioral1/memory/1604-65-0x0000000000400000-0x00000000004F3000-memory.dmp family_webmonitor behavioral1/memory/1604-67-0x0000000000400000-0x00000000004F3000-memory.dmp family_webmonitor behavioral1/memory/1604-69-0x000000000049D8CA-mapping.dmp family_webmonitor behavioral1/memory/1604-72-0x0000000000400000-0x00000000004F3000-memory.dmp family_webmonitor behavioral1/memory/1604-73-0x0000000000400000-0x00000000004F3000-memory.dmp family_webmonitor behavioral1/memory/1604-74-0x0000000002F70000-0x0000000003F70000-memory.dmp family_webmonitor -
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
-
Unexpected DNS network traffic destination 7 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 1.2.4.8 Destination IP 185.243.215.214 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 1.2.4.8 Destination IP 185.243.215.214 Destination IP 185.243.215.214 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1800 set thread context of 1604 1800 zd4vWiNB908TG99.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 828 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1800 zd4vWiNB908TG99.exe 1800 zd4vWiNB908TG99.exe 1800 zd4vWiNB908TG99.exe 1800 zd4vWiNB908TG99.exe 1800 zd4vWiNB908TG99.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1800 zd4vWiNB908TG99.exe Token: SeShutdownPrivilege 1604 RegSvcs.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1800 wrote to memory of 828 1800 zd4vWiNB908TG99.exe 27 PID 1800 wrote to memory of 828 1800 zd4vWiNB908TG99.exe 27 PID 1800 wrote to memory of 828 1800 zd4vWiNB908TG99.exe 27 PID 1800 wrote to memory of 828 1800 zd4vWiNB908TG99.exe 27 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29 PID 1800 wrote to memory of 1604 1800 zd4vWiNB908TG99.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\zd4vWiNB908TG99.exe"C:\Users\Admin\AppData\Local\Temp\zd4vWiNB908TG99.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TqIIWvfdyqgCej" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCB2.tmp"2⤵
- Creates scheduled task(s)
PID:828
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b24dde483a003fd09cda758986ccf2ff
SHA1dec0cca6e9b52939b9bbf0c463d93d05098c37b1
SHA2562a737ef643a5ecaee6c39c979cc42ffbdc06649f037db17d61e5e00a0016dc93
SHA512d7e53b39e06d49013ee66fb7b6836e0d8c7b1f6a2b8a03cd32c79b5763a5d9c6a841e9bfb96955cd377a164161e7c8a46abc61b0056c3e52e8e493b139da1f18