Analysis
-
max time kernel
94s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
29-05-2022 20:23
Static task
static1
Behavioral task
behavioral1
Sample
0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe
Resource
win10v2004-20220414-en
General
-
Target
0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe
-
Size
361KB
-
MD5
92175d22a32d45d8d1beadf1e99ad9f6
-
SHA1
13dfbe33cc691dd6533c45d001970f5e6b0e26d0
-
SHA256
0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85
-
SHA512
5ea867093683a1a4f920ad0d4a35b3ce935be982a44ada394d74213dcdea70aff66a93eb782c345c3bbf0bb3ea2f4afb28e6e96d3f08e8eee0997b778d3ac187
Malware Config
Extracted
webmonitor
pitbullcant.wm01.to:443
-
config_key
A7HOB9ROz2LrVrPGPRzC4MVB2KltDr7S
-
private_key
i9KVkEro3
-
url_path
/recv5.php
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor Payload 1 IoCs
resource yara_rule behavioral2/memory/1820-132-0x0000000000400000-0x00000000004F2000-memory.dmp family_webmonitor -
resource yara_rule behavioral2/memory/1820-130-0x0000000000400000-0x00000000004F2000-memory.dmp upx behavioral2/memory/1820-132-0x0000000000400000-0x00000000004F2000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1820 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 1820 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe Token: SeCreatePagefilePrivilege 1820 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1820 wrote to memory of 1832 1820 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe 78 PID 1820 wrote to memory of 1832 1820 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe 78 PID 1820 wrote to memory of 1832 1820 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe 78
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe"C:\Users\Admin\AppData\Local\Temp\0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe"1⤵
- Checks computer location settings
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCiELHaDRw3pvRqX.bat" "2⤵PID:1832
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204B
MD5a89a54519907450414a2887f45848ea3
SHA1997db49502fc1638f77e8f932458cfc627220882
SHA25642044c81bc71782a0d0def358973e87c8834f772e843752e495ca7e9adcc2fba
SHA512f65bab7c1f4dc20e2948cefdca8699d7a0a004f2f0f490d21af42bff7a7aa720acdd3d35fdc2f1f87e055e47e13452e8c7e00e90c64d720802865b52eaacd849