webmonitor | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7

General

Target

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
Size

1.5MB
MD5

a95b331fccf2956d61809a5cd4c8ae80
SHA1

2c174632ebdb5a799763d0d798f73513065ec28c
SHA256

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7
SHA512

be7a0217dae7eb90974aeffde0c3ca660f07fb9fc8ade2766455bbffee93c6fe5d081a78ea1a4cddbe29da359912f5f2f98a38fa27154cb39d3142bb196d9e22

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Malware Config

Extracted

Family

webmonitor

C2

preetha.wm01.to:443

Attributes

config_key
QuvlUX1F0t9VVObPIMdFN2IC4RdIDe8m
private_key
32i3qiVRG
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1168-82-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor
behavioral1/memory/1168-86-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor
behavioral1/memory/1168-87-0x0000000003500000-0x0000000004500000-memory.dmp	family_webmonitor
behavioral1/memory/1168-88-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor

Executes dropped EXE 1 IoCs

Processes:

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

pid process

1168 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

pid	process
1168	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1168-72-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-75-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-74-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-78-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-80-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-82-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-86-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1168-87-0x0000000003500000-0x0000000004500000-memory.dmp	upx
behavioral1/memory/1168-88-0x0000000000400000-0x00000000004F2000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

pid process

1324 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 185.243.215.214
Destination IP 1.2.4.8
Destination IP 185.243.215.214
Destination IP 185.243.215.214

pid	process
1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

description	ioc
Destination IP	185.243.215.214
Destination IP	1.2.4.8
Destination IP	185.243.215.214
Destination IP	185.243.215.214

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-3033 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-3033.exe"	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

description	pid	process	target process
PID 1324 set thread context of 1168	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe:Zone.Identifier	cmd.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

pid process

1168 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

pid	process
1168	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

description	pid	process
Token: SeDebugPrivilege	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
Token: SeShutdownPrivilege	1168	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

description	pid	process	target process
PID 1324 wrote to memory of 1604	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	cmd.exe
PID 1324 wrote to memory of 1604	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	cmd.exe
PID 1324 wrote to memory of 1604	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	cmd.exe
PID 1324 wrote to memory of 1604	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	cmd.exe
PID 1324 wrote to memory of 1168	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
PID 1324 wrote to memory of 1168	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
PID 1324 wrote to memory of 1168	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
PID 1324 wrote to memory of 1168	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
PID 1324 wrote to memory of 1168	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
PID 1324 wrote to memory of 1168	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
PID 1324 wrote to memory of 1168	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
PID 1324 wrote to memory of 1168	1324	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
"C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:1604

C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
Filesize
1.5MB

MD5
a95b331fccf2956d61809a5cd4c8ae80

SHA1
2c174632ebdb5a799763d0d798f73513065ec28c

SHA256
089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7

SHA512
be7a0217dae7eb90974aeffde0c3ca660f07fb9fc8ade2766455bbffee93c6fe5d081a78ea1a4cddbe29da359912f5f2f98a38fa27154cb39d3142bb196d9e22

Download Submit
\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
Filesize
1.5MB

MD5
a95b331fccf2956d61809a5cd4c8ae80

SHA1
2c174632ebdb5a799763d0d798f73513065ec28c

SHA256
089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7

SHA512
be7a0217dae7eb90974aeffde0c3ca660f07fb9fc8ade2766455bbffee93c6fe5d081a78ea1a4cddbe29da359912f5f2f98a38fa27154cb39d3142bb196d9e22

Download Submit
memory/1168-80-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-87-0x0000000003500000-0x0000000004500000-memory.dmp

Filesize
16.0MB

Download
memory/1168-86-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-82-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-88-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-78-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-89-0x0000000003500000-0x0000000004500000-memory.dmp

Filesize
16.0MB

Download
memory/1168-76-0x00000000004F0800-mapping.dmp

Download
memory/1168-74-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-75-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-72-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1168-71-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1324-70-0x000000006FB40000-0x000000006FD11000-memory.dmp

Filesize
1.8MB

Download
memory/1324-61-0x0000000074AD0000-0x0000000074BF3000-memory.dmp

Filesize
1.1MB

Download
memory/1324-54-0x00000000011A0000-0x000000000131C000-memory.dmp

Filesize
1.5MB

Download
memory/1324-67-0x0000000070040000-0x0000000070D96000-memory.dmp

Filesize
13.3MB

Download
memory/1324-66-0x0000000070F30000-0x0000000071C4D000-memory.dmp

Filesize
13.1MB

Download
memory/1324-65-0x0000000071C50000-0x0000000072430000-memory.dmp

Filesize
7.9MB

Download
memory/1324-64-0x0000000072E40000-0x00000000741CF000-memory.dmp

Filesize
19.6MB

Download
memory/1324-63-0x0000000075410000-0x000000007544B000-memory.dmp

Filesize
236KB

Download
memory/1324-62-0x0000000074930000-0x0000000074AC4000-memory.dmp

Filesize
1.6MB

Download
memory/1324-68-0x000000006FD20000-0x000000007003B000-memory.dmp

Filesize
3.1MB

Download
memory/1324-81-0x0000000072E40000-0x00000000741CF000-memory.dmp

Filesize
19.6MB

Download
memory/1324-60-0x0000000072430000-0x0000000072E40000-memory.dmp

Filesize
10.1MB

Download
memory/1324-83-0x0000000072430000-0x0000000072E40000-memory.dmp

Filesize
10.1MB

Download
memory/1324-59-0x0000000075450000-0x0000000075495000-memory.dmp

Filesize
276KB

Download
memory/1324-84-0x0000000074930000-0x0000000074AC4000-memory.dmp

Filesize
1.6MB

Download
memory/1324-85-0x0000000071C50000-0x0000000072430000-memory.dmp

Filesize
7.9MB

Download
memory/1324-55-0x0000000072E40000-0x00000000741CF000-memory.dmp

Filesize
19.6MB

Download
memory/1324-57-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1324-56-0x00000000006A0000-0x00000000006C6000-memory.dmp

Filesize
152KB

Download
memory/1604-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads