Overview

overview

10

Static

static

2699fd4e11...16.exe

windows7_x64

10

2699fd4e11...16.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-05-2022 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016.exe

  • Size

    546KB

  • MD5

    ea8bd15c924883beb0675399bc9e790a

  • SHA1

    0b18ec8eaa1b11315be4d08618f2df14d60a9be1

  • SHA256

    2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016

  • SHA512

    7d0c8cadee1a10cdcc039603a114f39cbf9b514a90d98f3142eb300bd73082672e7dae7cc2611f28e89175d600964a7f81cfd5c045b92212cd1dff5ee1665ce6

Score
10/10
webmonitorbackdoorinfostealerpersistenceratsuricataupx

Malware Config

Extracted

Family

webmonitor

C2

roxter666.wm01.to:443

Attributes
  • config_key

    9rwqIhLhP1v4mc4fDkpMWCPyZZA3jLtP

  • private_key

    ifcSJLpGN

  • url_path

    /recv5.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor Payload 3 IoCs
  • suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    suricata
  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 9 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016.exe
    "C:\Users\Admin\AppData\Local\Temp\2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:324
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
        3⤵
          PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        2⤵
        • NTFS ADS
        PID:648
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016.exe" "%temp%\FolderN\name.exe" /Y
        2⤵
          PID:940

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
        Filesize

        546KB

        MD5

        ea8bd15c924883beb0675399bc9e790a

        SHA1

        0b18ec8eaa1b11315be4d08618f2df14d60a9be1

        SHA256

        2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016

        SHA512

        7d0c8cadee1a10cdcc039603a114f39cbf9b514a90d98f3142eb300bd73082672e7dae7cc2611f28e89175d600964a7f81cfd5c045b92212cd1dff5ee1665ce6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        Filesize

        2.6MB

        MD5

        1f7bccc57d21a4bfeddaafe514cfd74d

        SHA1

        4dab09179a12468cb1757cb7ca26e06d616b0a8d

        SHA256

        d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

        SHA512

        9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

        Download Submit

      • \Users\Admin\AppData\Local\Temp\FolderN\name.exe
        Filesize

        546KB

        MD5

        ea8bd15c924883beb0675399bc9e790a

        SHA1

        0b18ec8eaa1b11315be4d08618f2df14d60a9be1

        SHA256

        2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016

        SHA512

        7d0c8cadee1a10cdcc039603a114f39cbf9b514a90d98f3142eb300bd73082672e7dae7cc2611f28e89175d600964a7f81cfd5c045b92212cd1dff5ee1665ce6

        Download Submit

      • \Users\Admin\AppData\Local\Temp\svhost.exe
        Filesize

        2.6MB

        MD5

        1f7bccc57d21a4bfeddaafe514cfd74d

        SHA1

        4dab09179a12468cb1757cb7ca26e06d616b0a8d

        SHA256

        d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

        SHA512

        9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

        Download Submit

      • memory/324-61-0x0000000000400000-0x00000000004F6000-memory.dmp

        Filesize

        984KB

        Download

      • memory/324-69-0x0000000000400000-0x00000000004F6000-memory.dmp

        Filesize

        984KB

        Download

      • memory/324-68-0x0000000000400000-0x00000000004F6000-memory.dmp

        Filesize

        984KB

        Download

      • memory/324-65-0x0000000000400000-0x00000000004F6000-memory.dmp

        Filesize

        984KB

        Download

      • memory/324-62-0x0000000000400000-0x00000000004F6000-memory.dmp

        Filesize

        984KB

        Download

      • memory/324-76-0x00000000030C0000-0x00000000040C0000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/324-58-0x0000000000400000-0x00000000004F6000-memory.dmp

        Filesize

        984KB

        Download

      • memory/324-59-0x0000000000400000-0x00000000004F6000-memory.dmp

        Filesize

        984KB

        Download

      • memory/324-67-0x0000000000400000-0x00000000004F6000-memory.dmp

        Filesize

        984KB

        Download

      • memory/1968-56-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1968-55-0x0000000004600000-0x0000000004664000-memory.dmp

        Filesize

        400KB

        Download

      • memory/1968-54-0x0000000000980000-0x0000000000A0E000-memory.dmp

        Filesize

        568KB

        Download