Overview

overview

10

Static

static

zd4vWiNB908TG99.exe

windows7_x64

10

zd4vWiNB908TG99.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    zd4vWiNB908TG99.exe

  • Size

    1007KB

  • MD5

    f3370ea593b2afe30af97925d3a63295

  • SHA1

    628af1ff11ecd9101e73dc0971d432e1c64e26fe

  • SHA256

    3c8d5a42b3b1e9ec4c489d8ec98ba60d6d107e62b2d1a2cc43570840374ff05f

  • SHA512

    182118828e580fe8e0e1188be751c93fde397af83dbff40f79e439ab3858cd3ce04d81e6c18b9bf264734b92a5bd302746b7a036c6a956ba70020da25532654c

Score
10/10
webmonitorbackdoorinfostealerrat

Malware Config

Extracted

Family

webmonitor

C2

niiarmah.wm01.to:443

Attributes
  • config_key

    4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O

  • private_key

    yvkn5wM8E

  • url_path

    /recv5.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor Payload 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\zd4vWiNB908TG99.exe
    "C:\Users\Admin\AppData\Local\Temp\zd4vWiNB908TG99.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TqIIWvfdyqgCej" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1224
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:2396
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
          PID:808
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1TPbuU4XVAthR3Zs.bat" "
            3⤵
              PID:708

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1TPbuU4XVAthR3Zs.bat
          Filesize

          204B

          MD5

          fd86cdb31479cbddd575886747dfd0c6

          SHA1

          98d3e3bb7e8412fc23bd3ea146070de50fa5c152

          SHA256

          0b40247226a541cb059c620c66a317fd08785927815915c79cf7f5f8e5aa449c

          SHA512

          96d1ec21001b6a7ead401baec198557d0cb504222e4be36b5a91cc5b743fa1a32229e0d10ff1917d70c26bd07dcbc72358fd59f86f1e5b346d69b2d3e90c446e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp
          Filesize

          1KB

          MD5

          be72930530f932ea219aadfcc6a390ed

          SHA1

          33c40cb3b8bc4c46d21885e4bfae206f972b71b9

          SHA256

          b73559d5d9a153b9cdbe0337fa8b95717b5e2226fa612ec2a9e6dd48be11e3a2

          SHA512

          645c791feae5122abecd1384209e7edc9b0f6512cae2df8de79f08162217ae038f31d7ed6328aca8fbb950026e453db917cb43cc76c85c99e29b64cd5292f531

          Download Submit

        • memory/708-142-0x0000000000000000-mapping.dmp

          Download

        • memory/808-136-0x0000000000000000-mapping.dmp

          Download

        • memory/1224-133-0x0000000000000000-mapping.dmp

          Download

        • memory/2292-130-0x00000000006F0000-0x00000000007F2000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2292-132-0x0000000005630000-0x00000000056C2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2292-131-0x00000000054F0000-0x000000000558C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2396-135-0x0000000000000000-mapping.dmp

          Download

        • memory/2844-137-0x0000000000000000-mapping.dmp

          Download

        • memory/2844-138-0x0000000000400000-0x00000000004F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2844-139-0x0000000000400000-0x00000000004F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2844-140-0x0000000000400000-0x00000000004F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2844-141-0x0000000000400000-0x00000000004F3000-memory.dmp

          Filesize

          972KB

          Download