Analysis
-
max time kernel
153s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
08-07-2022 08:24
General
-
Target
6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe
-
Size
1.5MB
-
MD5
88c8dff86057cf7f4d3fb28f8b35ab39
-
SHA1
9dfa799ac2d6f228e81520fa5103f3fc1c077bdf
-
SHA256
6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352
-
SHA512
6f74304a2b5b754ccfa55968cd5c1e798c34861cca067e23629da19cd61a68a43c3e918b6f46158a78d3a1c49d6b2260a2ace4d359d199543948b6aadc857c6c
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor payload 3 IoCs
-
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
-
Executes dropped EXE 2 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Unexpected DNS network traffic destination 13 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe"C:\Users\Admin\AppData\Local\Temp\6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f4-setup.exe"C:\Users\Admin\AppData\Local\Temp\f4-setup.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Patch.exePatch.exe /silent3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"2⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Patch.exeFilesize
78KB
MD5c8ecc6d21f0d96f5adb10ba0fad59327
SHA163f5f489890b0ea90327a551787120bc71559aed
SHA256e652438962d628a62456c778b1693390423223dd12f5c233e361c5c5273ecec0
SHA51227618145d7fabefae7f2fdd56b9b3d0ea6c624a6d6e833bff52bf2d87210b73536052640b39d3419808d02a7c7829b589292087f154ed494145b54ef1fab621a
-
C:\Users\Admin\AppData\Local\Temp\Patch.exeFilesize
78KB
MD5c8ecc6d21f0d96f5adb10ba0fad59327
SHA163f5f489890b0ea90327a551787120bc71559aed
SHA256e652438962d628a62456c778b1693390423223dd12f5c233e361c5c5273ecec0
SHA51227618145d7fabefae7f2fdd56b9b3d0ea6c624a6d6e833bff52bf2d87210b73536052640b39d3419808d02a7c7829b589292087f154ed494145b54ef1fab621a
-
C:\Users\Admin\AppData\Local\Temp\dup2patcher.dllFilesize
72KB
MD5f6a5ee057facebdbe0f7fcc684408bfe
SHA12481e7f2051d4563bdb161acc045c4a12054b9e0
SHA2560716d3af51df49db26fa4856fbf219e23d2ae3ffe25272669c8cb5b527fbb6bf
SHA5128153a568ea1f1f954721af33366ae81c00eb9950070004b5e5e2942073be9d6de012fe8233331c9f792f080442d973dd1713823bb6abb0ba0b55af544f6a10a8
-
C:\Users\Admin\AppData\Local\Temp\f4-setup.exeFilesize
361KB
MD540142677d0bb0ecaad6f45521581a8e3
SHA1b107dea7dc8ec3d53769484173bf59b24a3a526a
SHA2568592243aeb23282bb68e22aee5f3aa19288d289c554e6318ff92b3bb80fb2e24
SHA512fa0a0e0e13f59f6169ad417842b04aa3fa66376a585995d9d1737fb655c46d44e2183209e1266909568c8f80ae9d6e43368d461f3d40be432f683ba2b7048e59
-
C:\Users\Admin\AppData\Local\Temp\f4-setup.exeFilesize
361KB
MD540142677d0bb0ecaad6f45521581a8e3
SHA1b107dea7dc8ec3d53769484173bf59b24a3a526a
SHA2568592243aeb23282bb68e22aee5f3aa19288d289c554e6318ff92b3bb80fb2e24
SHA512fa0a0e0e13f59f6169ad417842b04aa3fa66376a585995d9d1737fb655c46d44e2183209e1266909568c8f80ae9d6e43368d461f3d40be432f683ba2b7048e59
-
memory/984-160-0x00000000007ED000-0x0000000000848000-memory.dmpFilesize
364KB
-
memory/984-156-0x00000000007ED000-0x0000000000848000-memory.dmpFilesize
364KB
-
memory/984-141-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-142-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-143-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-144-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-145-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-146-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-147-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-153-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-152-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-151-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-150-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-149-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-148-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-171-0x00000000037E0000-0x00000000037E8000-memory.dmpFilesize
32KB
-
memory/984-163-0x00000000007ED000-0x0000000000848000-memory.dmpFilesize
364KB
-
memory/984-134-0x00000000007CB000-0x00000000007CF000-memory.dmpFilesize
16KB
-
memory/984-137-0x00000000007CB000-0x00000000007CF000-memory.dmpFilesize
16KB
-
memory/984-133-0x00000000007CB000-0x00000000007CF000-memory.dmpFilesize
16KB
-
memory/984-132-0x00000000007CB000-0x00000000007CF000-memory.dmpFilesize
16KB
-
memory/984-136-0x00000000007CB000-0x00000000007CF000-memory.dmpFilesize
16KB
-
memory/984-158-0x00000000007ED000-0x0000000000848000-memory.dmpFilesize
364KB
-
memory/984-140-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-139-0x00000000007D6000-0x00000000007DB000-memory.dmpFilesize
20KB
-
memory/984-164-0x00000000007ED000-0x0000000000848000-memory.dmpFilesize
364KB
-
memory/984-165-0x00000000007ED000-0x0000000000848000-memory.dmpFilesize
364KB
-
memory/984-167-0x00000000037E0000-0x00000000037E8000-memory.dmpFilesize
32KB
-
memory/1768-166-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1768-172-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1768-154-0x0000000000000000-mapping.dmp
-
memory/1936-159-0x0000000000000000-mapping.dmp
-
memory/1936-169-0x0000000073D10000-0x0000000073D3A000-memory.dmpFilesize
168KB
-
memory/2236-183-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/2236-176-0x0000000000000000-mapping.dmp
-
memory/2236-177-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/2236-178-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/2236-179-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/2236-180-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/2236-181-0x0000000000400000-0x00000000005F7000-memory.dmpFilesize
2.0MB
-
memory/2236-182-0x0000000002A90000-0x0000000003A90000-memory.dmpFilesize
16.0MB
-
memory/2236-184-0x0000000002A90000-0x0000000003A90000-memory.dmpFilesize
16.0MB
-
memory/4700-173-0x0000000000400000-0x00000000004D7000-memory.dmpFilesize
860KB
-
memory/4700-174-0x0000000074B80000-0x0000000075131000-memory.dmpFilesize
5.7MB
-
memory/4700-175-0x0000000074B80000-0x0000000075131000-memory.dmpFilesize
5.7MB
-
memory/4700-170-0x0000000000000000-mapping.dmp