Analysis

  • max time kernel
    68s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 04:02

General

  • Target

    be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe

  • Size

    64KB

  • MD5

    b2a52460d7ddcf0d1eb6cb98171309da

  • SHA1

    fe2ae9c1d227e045351d4c8e64089cade6ca2f48

  • SHA256

    be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc

  • SHA512

    d332b3cefa05f13338ebfdf5d2f87de593d82371ad950d815a8b5e4c41f06fb8a8722ab9da77286c7d6da82effc2faa4b7de246943f86f39e91ce3c926deb8cd

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1YqiJ4rfI-Gtvq2s00N_eqstSWsnL_fgd

Extracted

Family

webmonitor

C2

olaviqs.wm01.to:443

Attributes
  • config_key

    7GfpikpHRvmQe3t81PSe02B3qwlPiFPx

  • private_key

    JklcEIRIO

  • url_path

    /recv5.php

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

  • WebMonitor Payload 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
    "C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
      "C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1380
        3⤵
        • Program crash
        PID:1104

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1376-64-0x00000000778F0000-0x0000000077A70000-memory.dmp

    Filesize

    1.5MB

  • memory/1376-59-0x00000000003C0000-0x00000000003C8000-memory.dmp

    Filesize

    32KB

  • memory/1376-61-0x0000000077710000-0x00000000778B9000-memory.dmp

    Filesize

    1.7MB

  • memory/1376-57-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

    Filesize

    8KB

  • memory/1380-66-0x00000000001B0000-0x00000000002B0000-memory.dmp

    Filesize

    1024KB

  • memory/1380-60-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

  • memory/1380-67-0x0000000077710000-0x00000000778B9000-memory.dmp

    Filesize

    1.7MB

  • memory/1380-68-0x00000000778F0000-0x0000000077A70000-memory.dmp

    Filesize

    1.5MB

  • memory/1380-69-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

  • memory/1380-71-0x0000000000400000-0x00000000004F6000-memory.dmp

    Filesize

    984KB

  • memory/1380-74-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

  • memory/1380-75-0x00000000001B0000-0x00000000002B0000-memory.dmp

    Filesize

    1024KB