Overview

overview

10

Static

static

2699fd4e11...16.exe

windows7_x64

10

2699fd4e11...16.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-05-2022 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016.exe

  • Size

    546KB

  • MD5

    ea8bd15c924883beb0675399bc9e790a

  • SHA1

    0b18ec8eaa1b11315be4d08618f2df14d60a9be1

  • SHA256

    2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016

  • SHA512

    7d0c8cadee1a10cdcc039603a114f39cbf9b514a90d98f3142eb300bd73082672e7dae7cc2611f28e89175d600964a7f81cfd5c045b92212cd1dff5ee1665ce6

Score
10/10
webmonitorbackdoorinfostealerratupx

Malware Config

Extracted

Family

webmonitor

C2

roxter666.wm01.to:443

Attributes
  • config_key

    9rwqIhLhP1v4mc4fDkpMWCPyZZA3jLtP

  • private_key

    ifcSJLpGN

  • url_path

    /recv5.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016.exe
    "C:\Users\Admin\AppData\Local\Temp\2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4200
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmKOJxz8XdIkZRl9.bat" "
        3⤵
          PID:4064
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016.exe" "%temp%\FolderN\name.exe" /Y
        2⤵
          PID:4508
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
            3⤵
              PID:3532
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
            2⤵
            • NTFS ADS
            PID:4872

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
          Filesize

          546KB

          MD5

          ea8bd15c924883beb0675399bc9e790a

          SHA1

          0b18ec8eaa1b11315be4d08618f2df14d60a9be1

          SHA256

          2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016

          SHA512

          7d0c8cadee1a10cdcc039603a114f39cbf9b514a90d98f3142eb300bd73082672e7dae7cc2611f28e89175d600964a7f81cfd5c045b92212cd1dff5ee1665ce6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\OmKOJxz8XdIkZRl9.bat
          Filesize

          204B

          MD5

          5df96170fc27ad8dd0a5b6f303fe9352

          SHA1

          a8464dbabf2a6fa435560503ea3fc1f601acce4f

          SHA256

          72223ebdb01dd29e8d290762c56bf3609ac6cc38b4697daacd4a6d50696eba9d

          SHA512

          b91b56bbe009459731602d8ecc61d40f0d7a51137e3a71df09a34780f0796c2286f3bcf96a8a587969d9b3365af11f92b9bcc353fa61b8fe50cbe46242ab5b85

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          Filesize

          2.5MB

          MD5

          0a7608db01cae07792cea95e792aa866

          SHA1

          71dff876e4d5edb6cea78fee7aa15845d4950e24

          SHA256

          c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

          SHA512

          990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          Filesize

          2.5MB

          MD5

          0a7608db01cae07792cea95e792aa866

          SHA1

          71dff876e4d5edb6cea78fee7aa15845d4950e24

          SHA256

          c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

          SHA512

          990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

          Download Submit

        • memory/2948-138-0x0000000000400000-0x00000000004F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2948-139-0x0000000000400000-0x00000000004F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2948-140-0x0000000000400000-0x00000000004F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2948-144-0x0000000000400000-0x00000000004F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2948-135-0x0000000000400000-0x00000000004F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/4200-133-0x0000000005400000-0x0000000005492000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4200-132-0x0000000005910000-0x0000000005EB4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4200-130-0x0000000000700000-0x000000000078E000-memory.dmp

          Filesize

          568KB

          Download

        • memory/4200-131-0x0000000005160000-0x00000000051FC000-memory.dmp

          Filesize

          624KB

          Download