webmonitor | 2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
Size

668KB
MD5

897f3c7d741c4d5c7fc96f322a6f5a6a
SHA1

9738e0d5982f1a2255d7a72dc580bc85c554569e
SHA256

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9
SHA512

30c433ff994848289cac9f500b7428b1bc06b119fb3260b0f48e5de0f2f841275ffbfab978d947b23f050acad647dd01925c33ddca9c2fa80cc9d9e50cb0c620

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Malware Config

Extracted

Family

webmonitor

snowhair123.wm01.to:443

Attributes

config_key
kke8E3MMthAVUs3B5qBplqOYCdXuK3lS
private_key
DltfwOvgE
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1680-102-0x0000000000400000-0x00000000004C0000-memory.dmp	family_webmonitor
behavioral1/memory/1680-103-0x0000000000400000-0x00000000004C0000-memory.dmp	family_webmonitor
behavioral1/memory/1680-105-0x0000000000400000-0x00000000004C0000-memory.dmp	family_webmonitor

Executes dropped EXE 3 IoCs

Processes:

RE.exeRE.exeRE.exe

pid process

2016 RE.exe
796 RE.exe
1680 RE.exe

pid	process
2016	RE.exe
796	RE.exe
1680	RE.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1680-94-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1680-101-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1680-99-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1680-102-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1680-103-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/1680-105-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exeRE.exeRE.exe

pid	process
964	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
964	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
2016	RE.exe
796	RE.exe

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 185.243.215.214

description	ioc
Destination IP	185.243.215.214

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RE.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	RE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\AF = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RE.vbs\""	RE.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exeRE.exeRE.exe

description	pid	process	target process
PID 1908 set thread context of 964	1908	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
PID 2016 set thread context of 796	2016	RE.exe	RE.exe
PID 796 set thread context of 1680	796	RE.exe	RE.exe

Drops file in Windows directory 4 IoCs

Processes:

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exeRE.exeRE.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
File opened for modification	C:\Windows\win.ini	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
File opened for modification	C:\Windows\win.ini	RE.exe
File opened for modification	C:\Windows\win.ini	RE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exeRE.exeRE.exe

pid	process
1908	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
964	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
2016	RE.exe
796	RE.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exeRE.exeRE.exe

description	pid	process	target process
PID 1908 wrote to memory of 964	1908	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
PID 1908 wrote to memory of 964	1908	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
PID 1908 wrote to memory of 964	1908	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
PID 1908 wrote to memory of 964	1908	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
PID 964 wrote to memory of 2016	964	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	RE.exe
PID 964 wrote to memory of 2016	964	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	RE.exe
PID 964 wrote to memory of 2016	964	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	RE.exe
PID 964 wrote to memory of 2016	964	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	RE.exe
PID 2016 wrote to memory of 796	2016	RE.exe	RE.exe
PID 2016 wrote to memory of 796	2016	RE.exe	RE.exe
PID 2016 wrote to memory of 796	2016	RE.exe	RE.exe
PID 2016 wrote to memory of 796	2016	RE.exe	RE.exe
PID 796 wrote to memory of 1680	796	RE.exe	RE.exe
PID 796 wrote to memory of 1680	796	RE.exe	RE.exe
PID 796 wrote to memory of 1680	796	RE.exe	RE.exe
PID 796 wrote to memory of 1680	796	RE.exe	RE.exe
PID 796 wrote to memory of 1680	796	RE.exe	RE.exe
PID 796 wrote to memory of 1680	796	RE.exe	RE.exe
PID 796 wrote to memory of 1680	796	RE.exe	RE.exe
PID 796 wrote to memory of 1680	796	RE.exe	RE.exe
PID 796 wrote to memory of 1680	796	RE.exe	RE.exe
PID 796 wrote to memory of 1680	796	RE.exe	RE.exe

C:\Users\Admin\AppData\Local\Temp\2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
"C:\Users\Admin\AppData\Local\Temp\2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
"C:\Users\Admin\AppData\Local\Temp\2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\RE.exe
"C:\Users\Admin\AppData\Local\Temp\RE.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\RE.exe
"C:\Users\Admin\AppData\Local\Temp\RE.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\RE.exe
"C:\Users\Admin\AppData\Local\Temp\RE.exe"
5⤵
- Executes dropped EXE
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.exe
Filesize
668KB

MD5
a85d322ed1f218ec54a4ef535e21e252

SHA1
1de64fced9d1c5a395123fc0bf638876647b05a7

SHA256
2ad07d0a5ba265081bf61fe18f9d38b3c22b3b00dbe62541d0c145e613536301

SHA512
0fc41797d5d78425298ba8abe546c11104d87a5e66ac2a178f75cbf1c17c2faefe2bdc9141f600d4ba1927f1bf258b74be4f2b20ac94ea398dc5dc8cf9cff2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.exe
Filesize
668KB

MD5
a85d322ed1f218ec54a4ef535e21e252

SHA1
1de64fced9d1c5a395123fc0bf638876647b05a7

SHA256
2ad07d0a5ba265081bf61fe18f9d38b3c22b3b00dbe62541d0c145e613536301

SHA512
0fc41797d5d78425298ba8abe546c11104d87a5e66ac2a178f75cbf1c17c2faefe2bdc9141f600d4ba1927f1bf258b74be4f2b20ac94ea398dc5dc8cf9cff2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.exe
Filesize
668KB

MD5
a85d322ed1f218ec54a4ef535e21e252

SHA1
1de64fced9d1c5a395123fc0bf638876647b05a7

SHA256
2ad07d0a5ba265081bf61fe18f9d38b3c22b3b00dbe62541d0c145e613536301

SHA512
0fc41797d5d78425298ba8abe546c11104d87a5e66ac2a178f75cbf1c17c2faefe2bdc9141f600d4ba1927f1bf258b74be4f2b20ac94ea398dc5dc8cf9cff2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.exe
Filesize
668KB

MD5
a85d322ed1f218ec54a4ef535e21e252

SHA1
1de64fced9d1c5a395123fc0bf638876647b05a7

SHA256
2ad07d0a5ba265081bf61fe18f9d38b3c22b3b00dbe62541d0c145e613536301

SHA512
0fc41797d5d78425298ba8abe546c11104d87a5e66ac2a178f75cbf1c17c2faefe2bdc9141f600d4ba1927f1bf258b74be4f2b20ac94ea398dc5dc8cf9cff2aa

Download Submit
C:\Windows\win.ini
Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
C:\Windows\win.ini
Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
C:\Windows\win.ini
Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\RE.exe
Filesize
668KB

MD5
a85d322ed1f218ec54a4ef535e21e252

SHA1
1de64fced9d1c5a395123fc0bf638876647b05a7

SHA256
2ad07d0a5ba265081bf61fe18f9d38b3c22b3b00dbe62541d0c145e613536301

SHA512
0fc41797d5d78425298ba8abe546c11104d87a5e66ac2a178f75cbf1c17c2faefe2bdc9141f600d4ba1927f1bf258b74be4f2b20ac94ea398dc5dc8cf9cff2aa

Download Submit
\Users\Admin\AppData\Local\Temp\RE.exe
Filesize
668KB

MD5
a85d322ed1f218ec54a4ef535e21e252

SHA1
1de64fced9d1c5a395123fc0bf638876647b05a7

SHA256
2ad07d0a5ba265081bf61fe18f9d38b3c22b3b00dbe62541d0c145e613536301

SHA512
0fc41797d5d78425298ba8abe546c11104d87a5e66ac2a178f75cbf1c17c2faefe2bdc9141f600d4ba1927f1bf258b74be4f2b20ac94ea398dc5dc8cf9cff2aa

Download Submit
\Users\Admin\AppData\Local\Temp\RE.exe
Filesize
668KB

MD5
a85d322ed1f218ec54a4ef535e21e252

SHA1
1de64fced9d1c5a395123fc0bf638876647b05a7

SHA256
2ad07d0a5ba265081bf61fe18f9d38b3c22b3b00dbe62541d0c145e613536301

SHA512
0fc41797d5d78425298ba8abe546c11104d87a5e66ac2a178f75cbf1c17c2faefe2bdc9141f600d4ba1927f1bf258b74be4f2b20ac94ea398dc5dc8cf9cff2aa

Download Submit
\Users\Admin\AppData\Local\Temp\RE.exe
Filesize
668KB

MD5
a85d322ed1f218ec54a4ef535e21e252

SHA1
1de64fced9d1c5a395123fc0bf638876647b05a7

SHA256
2ad07d0a5ba265081bf61fe18f9d38b3c22b3b00dbe62541d0c145e613536301

SHA512
0fc41797d5d78425298ba8abe546c11104d87a5e66ac2a178f75cbf1c17c2faefe2bdc9141f600d4ba1927f1bf258b74be4f2b20ac94ea398dc5dc8cf9cff2aa

Download Submit
memory/796-79-0x0000000000000000-mapping.dmp

Download
memory/796-97-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/964-72-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/964-67-0x0000000076EB0000-0x0000000076F86000-memory.dmp

Filesize
856KB

Download
memory/964-57-0x0000000000000000-mapping.dmp

Download
memory/1680-102-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1680-105-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1680-103-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1680-96-0x00000000004BE2C0-mapping.dmp

Download
memory/1680-99-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1680-101-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1680-94-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1908-66-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/1908-56-0x0000000074DB1000-0x0000000074DB3000-memory.dmp

Filesize
8KB

Download
memory/1908-65-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/1908-64-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/1908-63-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/1908-61-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/2016-84-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2016-91-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2016-95-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2016-92-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2016-100-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2016-88-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2016-87-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2016-86-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2016-85-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2016-83-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/2016-70-0x0000000000000000-mapping.dmp

Download