Analysis
-
max time kernel
116s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
01-07-2022 14:34
Static task
static1
Behavioral task
behavioral1
Sample
3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe
Resource
win10v2004-20220414-en
General
-
Target
3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe
-
Size
847KB
-
MD5
e3f248b8468a9d57209794923b560237
-
SHA1
27b209c9b50e891d1d5975cc79ed910a263c9cec
-
SHA256
3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4
-
SHA512
5f3302de21003d249bab7b5c87bf69f2d02126211b58725cacc27114c47ce282c0845654feaf01fc6cef07ddeb4ca0d6dff298f23671b1455c1b50da622d15d2
Malware Config
Extracted
webmonitor
arglobal.wm01.to:443
-
config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
-
private_key
X2HBeL4iM
-
url_path
/recv4.php
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor Payload 2 IoCs
resource yara_rule behavioral2/memory/4192-145-0x0000000000400000-0x00000000004EA000-memory.dmp family_webmonitor behavioral2/memory/4192-146-0x0000000000400000-0x00000000004EA000-memory.dmp family_webmonitor -
resource yara_rule behavioral2/memory/4192-142-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/4192-143-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/4192-144-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/4192-145-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/4192-146-0x0000000000400000-0x00000000004EA000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RevCode-c575 = "C:\\Users\\Admin\\AppData\\Roaming\\RevCode-c575.exe" vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4828 set thread context of 4192 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe 84 -
Program crash 1 IoCs
pid pid_target Process procid_target 4960 4192 WerFault.exe 84 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4828 wrote to memory of 1912 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe 81 PID 4828 wrote to memory of 1912 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe 81 PID 4828 wrote to memory of 1912 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe 81 PID 1912 wrote to memory of 4776 1912 csc.exe 83 PID 1912 wrote to memory of 4776 1912 csc.exe 83 PID 1912 wrote to memory of 4776 1912 csc.exe 83 PID 4828 wrote to memory of 4192 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe 84 PID 4828 wrote to memory of 4192 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe 84 PID 4828 wrote to memory of 4192 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe 84 PID 4828 wrote to memory of 4192 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe 84 PID 4828 wrote to memory of 4192 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe 84 PID 4828 wrote to memory of 4192 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe 84 PID 4828 wrote to memory of 4192 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe"C:\Users\Admin\AppData\Local\Temp\3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\25kxaxiv\25kxaxiv.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35A6.tmp" "c:\Users\Admin\AppData\Local\Temp\25kxaxiv\CSC6D712EEBFCCA468AA0BE39C1F378E62.TMP"3⤵PID:4776
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"2⤵
- Adds Run key to start application
PID:4192 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 7563⤵
- Program crash
PID:4960
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4192 -ip 41921⤵PID:4592
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5902333a36c64c6e6294d107216497a29
SHA16399b6d71462b6ba01eaac1ade3d37a95ff9337f
SHA256c9db15ada8924161ab4826f3ec67a821312a998ec60ab9f600a76612a2c94847
SHA512b8b64f2e6f5fd4523cb47d1a0baaadbfa02331c47d7a6b72c94ecf849c6822c222078ff0a6ae73614a1f52a47e668b933155af89f0c8780e28ca7e97051faf20
-
Filesize
39KB
MD587d83587c3fc2195eb53923acd5cb319
SHA104d4f48eb8a73bd93836a2f7aa92388ad29b556c
SHA256ca9881c01f860d160021195a7ae62453b9e4c7e73733fe099ff0435a8d4b22fb
SHA5127b0b5b6f6779c5abe6a8a3b7f8aecec8215803bde3e8aedda383e7b7649f90d3c248a81310a2167fbd6a25831f2189f5773d22336ec6f9be35d5bf6d647dd825
-
Filesize
1KB
MD59468506ca78e728ef73c6f86324b3a36
SHA1e3b16b56ea8cb462e895ea2bb88c3271b6b3833e
SHA2563508556ac2caaa9b8bc1f77379eeb0a876fbf0cac52f5733815fdd0e600160cd
SHA512bb354e9fc8c8e87be7164d1d934959b406ca198d9c24d5da5f9988d1b9b600ad4b85ae811253b1dd70b21724e74d018bdb509d9741176740986744336808e400
-
Filesize
18KB
MD58181e2eb98c9b5c53accad15ad864bc2
SHA1bdc95efd33d7e754f19b95255219b54845eb4733
SHA2562b4634fe340e0bebb8139806d4c1845af849757634244389d79d6953d9603013
SHA51260c5dc9a12d25f11a9c86f8a5ea83e2d59bd81f26b4f5e47fd7ebb37c2cb19d9cf2c419f6dd31099f88fc91205aa7f10d13e8762b096a5278204eeb00ff37f69
-
Filesize
312B
MD531d88526520ca964fc8ceda8b8c54362
SHA12c1aa886a7a3f25dd9150f742ce8b3235b5bce82
SHA2569fc866d16683aa5a1bbdefee6a46ace64606d3f92872cd958a1019007623dae1
SHA5128cbeff97667ad6ce5dc773894aed97002f0cbf22c001f3765cbf1b22c7bd5852fcba8239e4d660aaf223042e069bd85101d90e5210cf6003c1237219d0d49f7d
-
Filesize
1KB
MD587921a1efd7ee53d5e828e3d29089c1a
SHA1f5c69cc3a1242ab89c48b93dbb56972ca3d34a7a
SHA256aed49a469aef82bb3e4cfa02a01a36389a607c4daf52ac3493c604570c83f505
SHA512128b4b3de17026c086d7b0b96f236be495618bc052c0210556839b64382ac8502028183006fad393b2b3e095f261d76d21c5790468e3b0a2e537639dc16538b3