webmonitor | 6e66134aa8b2a4317e0e2fff2d8665c2476238c8a37d66359f3e94804f5f86f8

General

Target

zd4vWiNB908TG99.exe
Size

1007KB
MD5

f3370ea593b2afe30af97925d3a63295
SHA1

628af1ff11ecd9101e73dc0971d432e1c64e26fe
SHA256

3c8d5a42b3b1e9ec4c489d8ec98ba60d6d107e62b2d1a2cc43570840374ff05f
SHA512

182118828e580fe8e0e1188be751c93fde397af83dbff40f79e439ab3858cd3ce04d81e6c18b9bf264734b92a5bd302746b7a036c6a956ba70020da25532654c

Score

10^/10

webmonitor backdoor infostealer rat

Malware Config

Extracted

Family

webmonitor

C2

niiarmah.wm01.to:443

Attributes

config_key
4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O
private_key
yvkn5wM8E
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2844-138-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral2/memory/2844-139-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral2/memory/2844-140-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral2/memory/2844-141-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zd4vWiNB908TG99.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	zd4vWiNB908TG99.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

zd4vWiNB908TG99.exe

description pid process target process

PID 2292 set thread context of 2844 2292 zd4vWiNB908TG99.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1224 schtasks.exe

description	pid	process	target process
PID 2292 set thread context of 2844	2292	zd4vWiNB908TG99.exe	RegSvcs.exe

pid	process
1224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

zd4vWiNB908TG99.exe

pid	process
2292	zd4vWiNB908TG99.exe
2292	zd4vWiNB908TG99.exe
2292	zd4vWiNB908TG99.exe
2292	zd4vWiNB908TG99.exe
2292	zd4vWiNB908TG99.exe
2292	zd4vWiNB908TG99.exe
2292	zd4vWiNB908TG99.exe
2292	zd4vWiNB908TG99.exe
2292	zd4vWiNB908TG99.exe
2292	zd4vWiNB908TG99.exe
2292	zd4vWiNB908TG99.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

zd4vWiNB908TG99.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2292	zd4vWiNB908TG99.exe
Token: SeShutdownPrivilege	2844	RegSvcs.exe
Token: SeCreatePagefilePrivilege	2844	RegSvcs.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

zd4vWiNB908TG99.exeRegSvcs.exe

description	pid	process	target process
PID 2292 wrote to memory of 1224	2292	zd4vWiNB908TG99.exe	schtasks.exe
PID 2292 wrote to memory of 1224	2292	zd4vWiNB908TG99.exe	schtasks.exe
PID 2292 wrote to memory of 1224	2292	zd4vWiNB908TG99.exe	schtasks.exe
PID 2292 wrote to memory of 2396	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 2396	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 2396	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 808	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 808	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 808	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 2844	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 2844	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 2844	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 2844	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 2844	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 2844	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 2844	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 2844	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2292 wrote to memory of 2844	2292	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 2844 wrote to memory of 708	2844	RegSvcs.exe	cmd.exe
PID 2844 wrote to memory of 708	2844	RegSvcs.exe	cmd.exe
PID 2844 wrote to memory of 708	2844	RegSvcs.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\zd4vWiNB908TG99.exe
"C:\Users\Admin\AppData\Local\Temp\zd4vWiNB908TG99.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TqIIWvfdyqgCej" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp"
2⤵
- Creates scheduled task(s)
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1TPbuU4XVAthR3Zs.bat" "
3⤵
PID:708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1TPbuU4XVAthR3Zs.bat
Filesize
204B

MD5
fd86cdb31479cbddd575886747dfd0c6

SHA1
98d3e3bb7e8412fc23bd3ea146070de50fa5c152

SHA256
0b40247226a541cb059c620c66a317fd08785927815915c79cf7f5f8e5aa449c

SHA512
96d1ec21001b6a7ead401baec198557d0cb504222e4be36b5a91cc5b743fa1a32229e0d10ff1917d70c26bd07dcbc72358fd59f86f1e5b346d69b2d3e90c446e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp
Filesize
1KB

MD5
be72930530f932ea219aadfcc6a390ed

SHA1
33c40cb3b8bc4c46d21885e4bfae206f972b71b9

SHA256
b73559d5d9a153b9cdbe0337fa8b95717b5e2226fa612ec2a9e6dd48be11e3a2

SHA512
645c791feae5122abecd1384209e7edc9b0f6512cae2df8de79f08162217ae038f31d7ed6328aca8fbb950026e453db917cb43cc76c85c99e29b64cd5292f531

Download Submit
memory/708-142-0x0000000000000000-mapping.dmp

Download
memory/808-136-0x0000000000000000-mapping.dmp

Download
memory/1224-133-0x0000000000000000-mapping.dmp

Download
memory/2292-130-0x00000000006F0000-0x00000000007F2000-memory.dmp

Filesize
1.0MB

Download
memory/2292-132-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/2292-131-0x00000000054F0000-0x000000000558C000-memory.dmp

Filesize
624KB

Download
memory/2396-135-0x0000000000000000-mapping.dmp

Download
memory/2844-137-0x0000000000000000-mapping.dmp

Download
memory/2844-138-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2844-139-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2844-140-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2844-141-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads