webmonitor | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7

General

Target

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
Size

1.5MB
MD5

a95b331fccf2956d61809a5cd4c8ae80
SHA1

2c174632ebdb5a799763d0d798f73513065ec28c
SHA256

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7
SHA512

be7a0217dae7eb90974aeffde0c3ca660f07fb9fc8ade2766455bbffee93c6fe5d081a78ea1a4cddbe29da359912f5f2f98a38fa27154cb39d3142bb196d9e22

Score

10^/10

webmonitor backdoor infostealer rat upx

Malware Config

Extracted

Family

webmonitor

C2

preetha.wm01.to:443

Attributes

config_key
QuvlUX1F0t9VVObPIMdFN2IC4RdIDe8m
private_key
32i3qiVRG
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

resource	yara_rule
behavioral2/memory/3644-144-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor
behavioral2/memory/3644-145-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor
behavioral2/memory/3644-147-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor

Executes dropped EXE 1 IoCs

pid	Process
3644	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3644-140-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/3644-142-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/3644-143-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/3644-144-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/3644-145-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/3644-147-0x0000000000400000-0x00000000004F2000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3296 set thread context of 3644	3296	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe:Zone.Identifier	cmd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3644	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3296	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
Token: SeShutdownPrivilege	3644	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
Token: SeCreatePagefilePrivilege	3644	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 3116	3296	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	82
PID 3296 wrote to memory of 3116	3296	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	82
PID 3296 wrote to memory of 3116	3296	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	82
PID 3296 wrote to memory of 3644	3296	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	85
PID 3296 wrote to memory of 3644	3296	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	85
PID 3296 wrote to memory of 3644	3296	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	85
PID 3296 wrote to memory of 3644	3296	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	85
PID 3296 wrote to memory of 3644	3296	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	85
PID 3296 wrote to memory of 3644	3296	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	85
PID 3296 wrote to memory of 3644	3296	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	85
PID 3644 wrote to memory of 520	3644	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	87
PID 3644 wrote to memory of 520	3644	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	87
PID 3644 wrote to memory of 520	3644	089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe	87

C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
"C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:3116
- C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYhOlXPcMfWM8Qna.bat" "
    3⤵
    PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7.exe

Filesize
1.5MB

MD5
a95b331fccf2956d61809a5cd4c8ae80

SHA1
2c174632ebdb5a799763d0d798f73513065ec28c

SHA256
089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7

SHA512
be7a0217dae7eb90974aeffde0c3ca660f07fb9fc8ade2766455bbffee93c6fe5d081a78ea1a4cddbe29da359912f5f2f98a38fa27154cb39d3142bb196d9e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYhOlXPcMfWM8Qna.bat

Filesize
204B

MD5
7846614ed4d33dab1b2a9cd1f149f2ca

SHA1
1739665df8b7c6ef26384bde32e04a29fa8c6920

SHA256
2a94bf7864496f3d3b504bf9c61bffb1c5450486a3e300b84bf459e43ac54cda

SHA512
0e563776b386c9074298ed9f962013753eb58494b0ffc5fa8a4be8cbd33a738223175cae41913cd17a6e682b9d971d14bc32e62a5ecceeeca93ddcbf298a4985

Download Submit
memory/3296-134-0x0000000005450000-0x0000000005472000-memory.dmp

Filesize
136KB

Download
memory/3296-133-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/3296-136-0x00000000062E0000-0x0000000006884000-memory.dmp

Filesize
5.6MB

Download
memory/3296-137-0x0000000008760000-0x0000000008922000-memory.dmp

Filesize
1.8MB

Download
memory/3296-138-0x0000000008590000-0x000000000862C000-memory.dmp

Filesize
624KB

Download
memory/3296-131-0x00000000053F0000-0x0000000005412000-memory.dmp

Filesize
136KB

Download
memory/3296-132-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/3296-130-0x00000000005B0000-0x000000000072C000-memory.dmp

Filesize
1.5MB

Download
memory/3644-142-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3644-143-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3644-144-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3644-145-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3644-147-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3644-140-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download

Analysis

Sharing