Analysis
- max time kernel: 154s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-05-2022 21:24

Static task: static1

Behavioral task: behavioral1
- Sample: 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
- Resource: win10v2004-20220414-en
General
- Target: 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
- Size: 1.5MB
- MD5: a95b331fccf2956d61809a5cd4c8ae80
- SHA1: 2c174632ebdb5a799763d0d798f73513065ec28c
- SHA256: 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7
- SHA512: be7a0217dae7eb90974aeffde0c3ca660f07fb9fc8ade2766455bbffee93c6fe5d081a78ea1a4cddbe29da359912f5f2f98a38fa27154cb39d3142bb196d9e22
Malware Config
Extracted: webmonitor
- preetha.wm01.to:443
- config_key: QuvlUX1F0t9VVObPIMdFN2IC4RdIDe8m
- private_key: 32i3qiVRG
- url_path: /recv5.php
Signatures
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.
- WebMonitor Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3644-144-0x0000000000400000-0x00000000004F2000-memory.dmp | family_webmonitor
  behavioral2/memory/3644-145-0x0000000000400000-0x00000000004F2000-memory.dmp | family_webmonitor
  behavioral2/memory/3644-147-0x0000000000400000-0x00000000004F2000-memory.dmp | family_webmonitor
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  3644 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
- Processes:
  resource | yara_rule
  behavioral2/memory/3644-140-0x0000000000400000-0x00000000004F2000-memory.dmp | upx
  behavioral2/memory/3644-142-0x0000000000400000-0x00000000004F2000-memory.dmp | upx
  behavioral2/memory/3644-143-0x0000000000400000-0x00000000004F2000-memory.dmp | upx
  behavioral2/memory/3644-144-0x0000000000400000-0x00000000004F2000-memory.dmp | upx
  behavioral2/memory/3644-145-0x0000000000400000-0x00000000004F2000-memory.dmp | upx
  behavioral2/memory/3644-147-0x0000000000400000-0x00000000004F2000-memory.dmp | upx
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 3296 set thread context of 3644 | 3296 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NTFS ADS (1 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe:Zone.Identifier | cmd.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  pid | process
  3644 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3296 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  Token: SeShutdownPrivilege | 3644 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  Token: SeCreatePagefilePrivilege | 3644 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  description | pid | process | target process
  PID 3296 wrote to memory of 3116 | 3296 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | cmd.exe
  PID 3296 wrote to memory of 3116 | 3296 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | cmd.exe
  PID 3296 wrote to memory of 3116 | 3296 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | cmd.exe
  PID 3296 wrote to memory of 3644 | 3296 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  PID 3296 wrote to memory of 3644 | 3296 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  PID 3296 wrote to memory of 3644 | 3296 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  PID 3296 wrote to memory of 3644 | 3296 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  PID 3296 wrote to memory of 3644 | 3296 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  PID 3296 wrote to memory of 3644 | 3296 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  PID 3296 wrote to memory of 3644 | 3296 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  PID 3644 wrote to memory of 520 | 3644 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | cmd.exe
  PID 3644 wrote to memory of 520 | 3644 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | cmd.exe
  PID 3644 wrote to memory of 520 | 3644 | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe:Zone.Identifier"
    - NTFS ADS
  - C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYhOlXPcMfWM8Qna.bat" "
Downloads
- C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  Filesize: 1.5MB
  MD5: a95b331fccf2956d61809a5cd4c8ae80
  SHA1: 2c174632ebdb5a799763d0d798f73513065ec28c
  SHA256: 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7
  SHA512: be7a0217dae7eb90974aeffde0c3ca660f07fb9fc8ade2766455bbffee93c6fe5d081a78ea1a4cddbe29da359912f5f2f98a38fa27154cb39d3142bb196d9e22
- C:\Users\Admin\AppData\Local\Temp\TYhOlXPcMfWM8Qna.bat
  Filesize: 204B
  MD5: 7846614ed4d33dab1b2a9cd1f149f2ca
  SHA1: 1739665df8b7c6ef26384bde32e04a29fa8c6920
  SHA256: 2a94bf7864496f3d3b504bf9c61bffb1c5450486a3e300b84bf459e43ac54cda
  SHA512: 0e563776b386c9074298ed9f962013753eb58494b0ffc5fa8a4be8cbd33a738223175cae41913cd17a6e682b9d971d14bc32e62a5ecceeeca93ddcbf298a4985