Analysis
-
max time kernel
151s -
max time network
175s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
04-06-2022 15:39
Static task
static1
Behavioral task
behavioral1
Sample
0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe
Resource
win10v2004-20220414-en
General
-
Target
0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe
-
Size
586KB
-
MD5
b26c6f36a8711168dc8d2882a6cab0c2
-
SHA1
e133a7dad21664672df96f0e6c956effe2ac7350
-
SHA256
0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
-
SHA512
f865d9cd05796cd4dfb69e1a9748b14c9d3ca49d29f5dee1bc8df367dc9f141ac1208a13a986f18963df2b70ff56aa76e7f2b0c7d9e2199ee472e24a24934910
Malware Config
Extracted
webmonitor
holmes101.wm01.to:443
-
config_key
XKulJBlUogMPPhL5GnUay2DqaaoA6mr7
-
private_key
rwh8ivgQh
-
url_path
/recv4.php
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor Payload 3 IoCs
resource yara_rule behavioral1/memory/1612-99-0x0000000000400000-0x00000000004E3000-memory.dmp family_webmonitor behavioral1/memory/1612-100-0x0000000000400000-0x00000000004E3000-memory.dmp family_webmonitor behavioral1/memory/1612-102-0x0000000000400000-0x00000000004E3000-memory.dmp family_webmonitor -
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
-
Executes dropped EXE 2 IoCs
pid Process 268 litegen.exe 1612 litegen.exe -
resource yara_rule behavioral1/memory/1612-85-0x0000000000400000-0x00000000004E3000-memory.dmp upx behavioral1/memory/1612-87-0x0000000000400000-0x00000000004E3000-memory.dmp upx behavioral1/memory/1612-88-0x0000000000400000-0x00000000004E3000-memory.dmp upx behavioral1/memory/1612-91-0x0000000000400000-0x00000000004E3000-memory.dmp upx behavioral1/memory/1612-97-0x0000000000400000-0x00000000004E3000-memory.dmp upx behavioral1/memory/1612-99-0x0000000000400000-0x00000000004E3000-memory.dmp upx behavioral1/memory/1612-100-0x0000000000400000-0x00000000004E3000-memory.dmp upx behavioral1/memory/1612-102-0x0000000000400000-0x00000000004E3000-memory.dmp upx -
Loads dropped DLL 1 IoCs
pid Process 1032 cmd.exe -
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 1.2.4.8 Destination IP 185.243.215.214 -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\lite = "C:\\Users\\Admin\\AppData\\Local\\litegen.exe -boot" litegen.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 268 set thread context of 1612 268 litegen.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 916 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe Token: 33 916 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe Token: SeIncBasePriorityPrivilege 916 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe Token: SeDebugPrivilege 268 litegen.exe Token: 33 268 litegen.exe Token: SeIncBasePriorityPrivilege 268 litegen.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 916 wrote to memory of 2012 916 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe 28 PID 916 wrote to memory of 2012 916 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe 28 PID 916 wrote to memory of 2012 916 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe 28 PID 916 wrote to memory of 2012 916 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe 28 PID 916 wrote to memory of 1032 916 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe 30 PID 916 wrote to memory of 1032 916 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe 30 PID 916 wrote to memory of 1032 916 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe 30 PID 916 wrote to memory of 1032 916 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe 30 PID 1032 wrote to memory of 268 1032 cmd.exe 32 PID 1032 wrote to memory of 268 1032 cmd.exe 32 PID 1032 wrote to memory of 268 1032 cmd.exe 32 PID 1032 wrote to memory of 268 1032 cmd.exe 32 PID 268 wrote to memory of 1612 268 litegen.exe 33 PID 268 wrote to memory of 1612 268 litegen.exe 33 PID 268 wrote to memory of 1612 268 litegen.exe 33 PID 268 wrote to memory of 1612 268 litegen.exe 33 PID 268 wrote to memory of 1612 268 litegen.exe 33 PID 268 wrote to memory of 1612 268 litegen.exe 33 PID 268 wrote to memory of 1612 268 litegen.exe 33 PID 268 wrote to memory of 1612 268 litegen.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe"C:\Users\Admin\AppData\Local\Temp\0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06.exe" "C:\Users\Admin\AppData\Local\litegen.exe"2⤵PID:2012
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\litegen.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Users\Admin\AppData\Local\litegen.exe"C:\Users\Admin\AppData\Local\litegen.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Users\Admin\AppData\Local\litegen.exe"C:\Users\Admin\AppData\Local\litegen.exe"4⤵
- Executes dropped EXE
PID:1612
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
586KB
MD5b26c6f36a8711168dc8d2882a6cab0c2
SHA1e133a7dad21664672df96f0e6c956effe2ac7350
SHA2560f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
SHA512f865d9cd05796cd4dfb69e1a9748b14c9d3ca49d29f5dee1bc8df367dc9f141ac1208a13a986f18963df2b70ff56aa76e7f2b0c7d9e2199ee472e24a24934910
-
Filesize
586KB
MD5b26c6f36a8711168dc8d2882a6cab0c2
SHA1e133a7dad21664672df96f0e6c956effe2ac7350
SHA2560f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
SHA512f865d9cd05796cd4dfb69e1a9748b14c9d3ca49d29f5dee1bc8df367dc9f141ac1208a13a986f18963df2b70ff56aa76e7f2b0c7d9e2199ee472e24a24934910
-
Filesize
586KB
MD5b26c6f36a8711168dc8d2882a6cab0c2
SHA1e133a7dad21664672df96f0e6c956effe2ac7350
SHA2560f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
SHA512f865d9cd05796cd4dfb69e1a9748b14c9d3ca49d29f5dee1bc8df367dc9f141ac1208a13a986f18963df2b70ff56aa76e7f2b0c7d9e2199ee472e24a24934910
-
Filesize
586KB
MD5b26c6f36a8711168dc8d2882a6cab0c2
SHA1e133a7dad21664672df96f0e6c956effe2ac7350
SHA2560f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
SHA512f865d9cd05796cd4dfb69e1a9748b14c9d3ca49d29f5dee1bc8df367dc9f141ac1208a13a986f18963df2b70ff56aa76e7f2b0c7d9e2199ee472e24a24934910