Analysis
-
max time kernel
117s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 00:21
Static task
static1
Behavioral task
behavioral1
Sample
zd4vWiNB908TG99.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
zd4vWiNB908TG99.exe
Resource
win10v2004-20220414-en
General
-
Target
zd4vWiNB908TG99.exe
-
Size
1007KB
-
MD5
f3370ea593b2afe30af97925d3a63295
-
SHA1
628af1ff11ecd9101e73dc0971d432e1c64e26fe
-
SHA256
3c8d5a42b3b1e9ec4c489d8ec98ba60d6d107e62b2d1a2cc43570840374ff05f
-
SHA512
182118828e580fe8e0e1188be751c93fde397af83dbff40f79e439ab3858cd3ce04d81e6c18b9bf264734b92a5bd302746b7a036c6a956ba70020da25532654c
Malware Config
Extracted
webmonitor
niiarmah.wm01.to:443
-
config_key
4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O
-
private_key
yvkn5wM8E
-
url_path
/recv5.php
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor Payload 4 IoCs
resource yara_rule behavioral2/memory/2844-138-0x0000000000400000-0x00000000004F3000-memory.dmp family_webmonitor behavioral2/memory/2844-139-0x0000000000400000-0x00000000004F3000-memory.dmp family_webmonitor behavioral2/memory/2844-140-0x0000000000400000-0x00000000004F3000-memory.dmp family_webmonitor behavioral2/memory/2844-141-0x0000000000400000-0x00000000004F3000-memory.dmp family_webmonitor -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation zd4vWiNB908TG99.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2292 set thread context of 2844 2292 zd4vWiNB908TG99.exe 86 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1224 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 2292 zd4vWiNB908TG99.exe 2292 zd4vWiNB908TG99.exe 2292 zd4vWiNB908TG99.exe 2292 zd4vWiNB908TG99.exe 2292 zd4vWiNB908TG99.exe 2292 zd4vWiNB908TG99.exe 2292 zd4vWiNB908TG99.exe 2292 zd4vWiNB908TG99.exe 2292 zd4vWiNB908TG99.exe 2292 zd4vWiNB908TG99.exe 2292 zd4vWiNB908TG99.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2292 zd4vWiNB908TG99.exe Token: SeShutdownPrivilege 2844 RegSvcs.exe Token: SeCreatePagefilePrivilege 2844 RegSvcs.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2292 wrote to memory of 1224 2292 zd4vWiNB908TG99.exe 82 PID 2292 wrote to memory of 1224 2292 zd4vWiNB908TG99.exe 82 PID 2292 wrote to memory of 1224 2292 zd4vWiNB908TG99.exe 82 PID 2292 wrote to memory of 2396 2292 zd4vWiNB908TG99.exe 84 PID 2292 wrote to memory of 2396 2292 zd4vWiNB908TG99.exe 84 PID 2292 wrote to memory of 2396 2292 zd4vWiNB908TG99.exe 84 PID 2292 wrote to memory of 808 2292 zd4vWiNB908TG99.exe 85 PID 2292 wrote to memory of 808 2292 zd4vWiNB908TG99.exe 85 PID 2292 wrote to memory of 808 2292 zd4vWiNB908TG99.exe 85 PID 2292 wrote to memory of 2844 2292 zd4vWiNB908TG99.exe 86 PID 2292 wrote to memory of 2844 2292 zd4vWiNB908TG99.exe 86 PID 2292 wrote to memory of 2844 2292 zd4vWiNB908TG99.exe 86 PID 2292 wrote to memory of 2844 2292 zd4vWiNB908TG99.exe 86 PID 2292 wrote to memory of 2844 2292 zd4vWiNB908TG99.exe 86 PID 2292 wrote to memory of 2844 2292 zd4vWiNB908TG99.exe 86 PID 2292 wrote to memory of 2844 2292 zd4vWiNB908TG99.exe 86 PID 2292 wrote to memory of 2844 2292 zd4vWiNB908TG99.exe 86 PID 2292 wrote to memory of 2844 2292 zd4vWiNB908TG99.exe 86 PID 2844 wrote to memory of 708 2844 RegSvcs.exe 87 PID 2844 wrote to memory of 708 2844 RegSvcs.exe 87 PID 2844 wrote to memory of 708 2844 RegSvcs.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\zd4vWiNB908TG99.exe"C:\Users\Admin\AppData\Local\Temp\zd4vWiNB908TG99.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TqIIWvfdyqgCej" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC10E.tmp"2⤵
- Creates scheduled task(s)
PID:1224
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵PID:2396
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵PID:808
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1TPbuU4XVAthR3Zs.bat" "3⤵PID:708
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204B
MD5fd86cdb31479cbddd575886747dfd0c6
SHA198d3e3bb7e8412fc23bd3ea146070de50fa5c152
SHA2560b40247226a541cb059c620c66a317fd08785927815915c79cf7f5f8e5aa449c
SHA51296d1ec21001b6a7ead401baec198557d0cb504222e4be36b5a91cc5b743fa1a32229e0d10ff1917d70c26bd07dcbc72358fd59f86f1e5b346d69b2d3e90c446e
-
Filesize
1KB
MD5be72930530f932ea219aadfcc6a390ed
SHA133c40cb3b8bc4c46d21885e4bfae206f972b71b9
SHA256b73559d5d9a153b9cdbe0337fa8b95717b5e2226fa612ec2a9e6dd48be11e3a2
SHA512645c791feae5122abecd1384209e7edc9b0f6512cae2df8de79f08162217ae038f31d7ed6328aca8fbb950026e453db917cb43cc76c85c99e29b64cd5292f531