Overview

overview

10

Static

static

17453e7215...80.exe

windows7_x64

1

17453e7215...80.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 02:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17453e72156cb5dbd9567d52d6b83436e4f196f6f3c311c4a9b613aaba1a8b80.exe

  • Size

    840KB

  • MD5

    8a2123d4809ffdc677df37b88d58769c

  • SHA1

    4138f2da78ccf7ed3a07d455fddb367f59568d04

  • SHA256

    17453e72156cb5dbd9567d52d6b83436e4f196f6f3c311c4a9b613aaba1a8b80

  • SHA512

    632870596e6f41adefce8a6589ee75b9df1ab483e619d2a2e555f6878a48007c5a38267c576ef3b056559d5348994427e46690034a59388aeee910f4fa93f671

Score
10/10
webmonitorbackdoorinfostealerratupx

Malware Config

Extracted

Family

webmonitor

C2

mafianclub.wm01.to:443

Attributes
  • config_key

    msK8483mYp1k2OzxD1I3yoSUcNW7v1k5

  • private_key

    WB8PgMeHa

  • url_path

    /recv5.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor Payload 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17453e72156cb5dbd9567d52d6b83436e4f196f6f3c311c4a9b613aaba1a8b80.exe
    "C:\Users\Admin\AppData\Local\Temp\17453e72156cb5dbd9567d52d6b83436e4f196f6f3c311c4a9b613aaba1a8b80.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agdDo5DUyQcJWN5P.bat" "
        3⤵
          PID:4868

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\agdDo5DUyQcJWN5P.bat
      Filesize

      204B

      MD5

      8fb8e22c573b41a296ac5346cf74d368

      SHA1

      f853ba007403cec8c3a28c9d5062abf7a4896a9e

      SHA256

      1b28773c2d377a451e5de353dd24faa9e0a6b67765834d482edd3ece4bdeafce

      SHA512

      f819b075737ab14d85d1772a3f889e2809e50a598d2cae851b2b22e702b9c7594cdf7eec1b4683fe1733d2ee504ae0398beceacf14ddf71ee3fa6728d994dd84

      Download Submit
    • memory/1996-130-0x00000000009B0000-0x0000000000A88000-memory.dmp
      Filesize

      864KB

      Download
    • memory/1996-131-0x00000000054C0000-0x0000000005552000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1996-132-0x0000000005B10000-0x00000000060B4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1996-133-0x00000000055B0000-0x00000000055F4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1996-134-0x00000000061A0000-0x0000000006206000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3712-136-0x0000000000400000-0x00000000004F6000-memory.dmp
      Filesize

      984KB

      Download
    • memory/3712-137-0x0000000000400000-0x00000000004F6000-memory.dmp
      Filesize

      984KB

      Download
    • memory/3712-138-0x0000000000400000-0x00000000004F6000-memory.dmp
      Filesize

      984KB

      Download
    • memory/3712-139-0x0000000000400000-0x00000000004F6000-memory.dmp
      Filesize

      984KB

      Download
    • memory/3712-140-0x0000000000400000-0x00000000004F6000-memory.dmp
      Filesize

      984KB

      Download
    • memory/3712-141-0x0000000000400000-0x00000000004F6000-memory.dmp
      Filesize

      984KB

      Download
    • memory/3712-143-0x0000000000400000-0x00000000004F6000-memory.dmp
      Filesize

      984KB

      Download
    • memory/3712-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4868-142-0x0000000000000000-mapping.dmp
      Download