webmonitor | 6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352

Analysis

max time kernel
153s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-07-2022 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe
Size

1.5MB
MD5

88c8dff86057cf7f4d3fb28f8b35ab39
SHA1

9dfa799ac2d6f228e81520fa5103f3fc1c077bdf
SHA256

6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352
SHA512

6f74304a2b5b754ccfa55968cd5c1e798c34861cca067e23629da19cd61a68a43c3e918b6f46158a78d3a1c49d6b2260a2ace4d359d199543948b6aadc857c6c

Score

10^/10

webmonitor backdoor infostealer persistence rat suricata upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\wE8sDlaISYYagRJj\\oHn5zT2eKMpS.exe\",explorer.exe"	regasm.exe

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 3 IoCs

resource	yara_rule
behavioral2/memory/2236-180-0x0000000000400000-0x00000000005F7000-memory.dmp	family_webmonitor
behavioral2/memory/2236-181-0x0000000000400000-0x00000000005F7000-memory.dmp	family_webmonitor
behavioral2/memory/2236-183-0x0000000000400000-0x00000000005F7000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata

Executes dropped EXE 2 IoCs

pid	Process
1768	f4-setup.exe
1936	Patch.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023206-157.dat	upx
behavioral2/files/0x0006000000023206-155.dat	upx
behavioral2/memory/1768-166-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral2/memory/1768-172-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral2/memory/2236-177-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/2236-178-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/2236-179-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/2236-180-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/2236-181-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral2/memory/2236-183-0x0000000000400000-0x00000000005F7000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe

Loads dropped DLL 1 IoCs

pid	Process
1936	Patch.exe

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	185.243.215.214
Destination IP	1.2.4.8
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	1.2.4.8
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	185.243.215.214
Destination IP	114.114.114.114

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 984 set thread context of 4700	984	6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe	83
PID 4700 set thread context of 2236	4700	regasm.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4700	regasm.exe
4700	regasm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
984	6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4700	regasm.exe
Token: SeDebugPrivilege	2236	AppLaunch.exe
Token: SeShutdownPrivilege	2236	AppLaunch.exe
Token: SeCreatePagefilePrivilege	2236	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
984	6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 1768	984	6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe	81
PID 984 wrote to memory of 1768	984	6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe	81
PID 984 wrote to memory of 1768	984	6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe	81
PID 1768 wrote to memory of 1936	1768	f4-setup.exe	82
PID 1768 wrote to memory of 1936	1768	f4-setup.exe	82
PID 1768 wrote to memory of 1936	1768	f4-setup.exe	82
PID 984 wrote to memory of 4700	984	6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe	83
PID 984 wrote to memory of 4700	984	6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe	83
PID 984 wrote to memory of 4700	984	6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe	83
PID 984 wrote to memory of 4700	984	6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe	83
PID 4700 wrote to memory of 2236	4700	regasm.exe	87
PID 4700 wrote to memory of 2236	4700	regasm.exe	87
PID 4700 wrote to memory of 2236	4700	regasm.exe	87
PID 4700 wrote to memory of 2236	4700	regasm.exe	87
PID 4700 wrote to memory of 2236	4700	regasm.exe	87
PID 4700 wrote to memory of 2236	4700	regasm.exe	87
PID 4700 wrote to memory of 2236	4700	regasm.exe	87

C:\Users\Admin\AppData\Local\Temp\6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe
"C:\Users\Admin\AppData\Local\Temp\6763427f4f9545f615c4a9a9c92461a0c03a2205e91840e9f836424745e1b352.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:984
- C:\Users\Admin\AppData\Local\Temp\f4-setup.exe
  "C:\Users\Admin\AppData\Local\Temp\f4-setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\Patch.exe
    Patch.exe /silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1936
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Patch.exe

Filesize
78KB

MD5
c8ecc6d21f0d96f5adb10ba0fad59327

SHA1
63f5f489890b0ea90327a551787120bc71559aed

SHA256
e652438962d628a62456c778b1693390423223dd12f5c233e361c5c5273ecec0

SHA512
27618145d7fabefae7f2fdd56b9b3d0ea6c624a6d6e833bff52bf2d87210b73536052640b39d3419808d02a7c7829b589292087f154ed494145b54ef1fab621a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patch.exe

Filesize
78KB

MD5
c8ecc6d21f0d96f5adb10ba0fad59327

SHA1
63f5f489890b0ea90327a551787120bc71559aed

SHA256
e652438962d628a62456c778b1693390423223dd12f5c233e361c5c5273ecec0

SHA512
27618145d7fabefae7f2fdd56b9b3d0ea6c624a6d6e833bff52bf2d87210b73536052640b39d3419808d02a7c7829b589292087f154ed494145b54ef1fab621a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
72KB

MD5
f6a5ee057facebdbe0f7fcc684408bfe

SHA1
2481e7f2051d4563bdb161acc045c4a12054b9e0

SHA256
0716d3af51df49db26fa4856fbf219e23d2ae3ffe25272669c8cb5b527fbb6bf

SHA512
8153a568ea1f1f954721af33366ae81c00eb9950070004b5e5e2942073be9d6de012fe8233331c9f792f080442d973dd1713823bb6abb0ba0b55af544f6a10a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4-setup.exe

Filesize
361KB

MD5
40142677d0bb0ecaad6f45521581a8e3

SHA1
b107dea7dc8ec3d53769484173bf59b24a3a526a

SHA256
8592243aeb23282bb68e22aee5f3aa19288d289c554e6318ff92b3bb80fb2e24

SHA512
fa0a0e0e13f59f6169ad417842b04aa3fa66376a585995d9d1737fb655c46d44e2183209e1266909568c8f80ae9d6e43368d461f3d40be432f683ba2b7048e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4-setup.exe

Filesize
361KB

MD5
40142677d0bb0ecaad6f45521581a8e3

SHA1
b107dea7dc8ec3d53769484173bf59b24a3a526a

SHA256
8592243aeb23282bb68e22aee5f3aa19288d289c554e6318ff92b3bb80fb2e24

SHA512
fa0a0e0e13f59f6169ad417842b04aa3fa66376a585995d9d1737fb655c46d44e2183209e1266909568c8f80ae9d6e43368d461f3d40be432f683ba2b7048e59

Download Submit
memory/984-160-0x00000000007ED000-0x0000000000848000-memory.dmp

Filesize
364KB

Download
memory/984-156-0x00000000007ED000-0x0000000000848000-memory.dmp

Filesize
364KB

Download
memory/984-141-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-142-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-143-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-144-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-145-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-146-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-147-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-153-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-152-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-151-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-150-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-149-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-148-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-171-0x00000000037E0000-0x00000000037E8000-memory.dmp

Filesize
32KB

Download
memory/984-163-0x00000000007ED000-0x0000000000848000-memory.dmp

Filesize
364KB

Download
memory/984-134-0x00000000007CB000-0x00000000007CF000-memory.dmp

Filesize
16KB

Download
memory/984-137-0x00000000007CB000-0x00000000007CF000-memory.dmp

Filesize
16KB

Download
memory/984-133-0x00000000007CB000-0x00000000007CF000-memory.dmp

Filesize
16KB

Download
memory/984-132-0x00000000007CB000-0x00000000007CF000-memory.dmp

Filesize
16KB

Download
memory/984-136-0x00000000007CB000-0x00000000007CF000-memory.dmp

Filesize
16KB

Download
memory/984-158-0x00000000007ED000-0x0000000000848000-memory.dmp

Filesize
364KB

Download
memory/984-140-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-139-0x00000000007D6000-0x00000000007DB000-memory.dmp

Filesize
20KB

Download
memory/984-164-0x00000000007ED000-0x0000000000848000-memory.dmp

Filesize
364KB

Download
memory/984-165-0x00000000007ED000-0x0000000000848000-memory.dmp

Filesize
364KB

Download
memory/984-167-0x00000000037E0000-0x00000000037E8000-memory.dmp

Filesize
32KB

Download
memory/1768-166-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1768-172-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1936-169-0x0000000073D10000-0x0000000073D3A000-memory.dmp

Filesize
168KB

Download
memory/2236-183-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2236-177-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2236-178-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2236-179-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2236-180-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2236-181-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2236-182-0x0000000002A90000-0x0000000003A90000-memory.dmp

Filesize
16.0MB

Download
memory/2236-184-0x0000000002A90000-0x0000000003A90000-memory.dmp

Filesize
16.0MB

Download
memory/4700-173-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4700-174-0x0000000074B80000-0x0000000075131000-memory.dmp

Filesize
5.7MB

Download
memory/4700-175-0x0000000074B80000-0x0000000075131000-memory.dmp

Filesize
5.7MB

Download