Overview

overview

10

Static

static

55c4eee443...b5.exe

windows7-x64

10

55c4eee443...b5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2022 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe

  • Size

    612KB

  • MD5

    6089a3255851bc09825c01e73d2e0b52

  • SHA1

    720694441f23f83b954db816a83909784272d68c

  • SHA256

    55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5

  • SHA512

    9c550c659dee8659fa3e695aab1e392b0e5e4e2a9d424e3c795e27d24b6c294a6800a9516d92445d7061a9a79e24f8056fc2103d4b1abf744e9cae8de9dc0b03

Score
10/10
webmonitorbackdoorinfostealerratupx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes
  • config_key

    ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4

  • private_key

    X2HBeL4iM

  • url_path

    /recv4.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor payload 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Unexpected DNS network traffic destination 43 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe
    "C:\Users\Admin\AppData\Local\Temp\55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jo0jdboe\jo0jdboe.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC786.tmp" "c:\Users\Admin\AppData\Local\Temp\jo0jdboe\CSCF58DE701E1244499804953C2445928C9.TMP"
        3⤵
          PID:1716
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        2⤵
          PID:3428

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESC786.tmp
        Filesize

        1KB

        MD5

        b3548911813ec6ffc433bce5ec814766

        SHA1

        0ad8dbeff045e4fbedc531c073f9119eda8c1e76

        SHA256

        1cd9784d6849ab56db38070b2ed4e575de7811a4266958b8b0ef46659254a974

        SHA512

        27b091eb6c2c6e503f9a806c146c0c9ae8c9bf4f392d17179d7cbdd40d36cfa60c3946df8af4f467517d4fd2d2629a121f53361414dc555a8ac0fcf6011d18fc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\jo0jdboe\jo0jdboe.dll
        Filesize

        6KB

        MD5

        407993e6195e5a90a42c1a51d513f244

        SHA1

        6d62a256404e5e9bbe70d6de1e39e788dbc0f6cd

        SHA256

        17626b513e8c3bddf1a054f689270cc8836d55b32acf70038a3f90a316c6db6c

        SHA512

        f1798763511d26f8a931ac14c339dd2c1f603ade55bfc9eda7821b3e41f81c92eedd55f5e8ebb46742c8e762c32cebbf46065b342217155b2e3a00f730c992b1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\jo0jdboe\jo0jdboe.pdb
        Filesize

        15KB

        MD5

        1b24e33a8c7ca98b3ab2498867f781af

        SHA1

        b301f2696bd998da42cce8e119ab95b8d2112a86

        SHA256

        ff1a022901b0dfa400c836770afbc7c93067044da7eb40f5fc0357f4889ccbc6

        SHA512

        173a47b48cf2ee755419abe37fe442f73d7920b94f841fa01b8cc1cd9e51a474f9d8aed76440816f016f1baab770710ee42ec5b6f62443c13af86ab917df0bcb

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\jo0jdboe\CSCF58DE701E1244499804953C2445928C9.TMP
        Filesize

        1KB

        MD5

        d9d9437bbd14abbf439a87bec1132d2a

        SHA1

        ea45c42d6a602716fda66f7f2f596ac46de0613d

        SHA256

        57aef5de77700fe46e4b105b01632e1aaf45cff1ef15a9883069e88da75e8517

        SHA512

        d79c36c7203a057c5c1a63073fa7c858933fd025f4fc6cd2c7a4d1eb09214d3543f11e965aab56d585043e4ab7741bb456d9852810e4cc93b0ffee89389e27e3

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\jo0jdboe\jo0jdboe.0.cs
        Filesize

        2KB

        MD5

        f9a9022ca3a996a6d31fe4ca4f72c454

        SHA1

        c418512b8bfb0be563565f7afdbade30f0c83322

        SHA256

        a374f1776f0337d991055993d52b443d9c4317738e183522e1d51178c2fc49f1

        SHA512

        4284862f17265d1e7c67d9758e86da100be9f08df195bd57c5c27f95eef1d9a2094ffca665db6a452ca72b49c141d9d6a2936a1425dd7f8b2736b3f633f781e7

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\jo0jdboe\jo0jdboe.cmdline
        Filesize

        312B

        MD5

        9f186aec66e9ba3a554e52556006e771

        SHA1

        989d27fba79556de321a63f245ad8032fabbb0c8

        SHA256

        d35e548c1f7220cc3cce27078096428aea2cc2e13585959b34a8ca5e1ff875d1

        SHA512

        274b4628ab041524c7aedc7b8bb5d19caf5d67b71fdb000a2aa83cefdee3198273957b49a38982f22e10023c367ca550ed003def9a07535544ba94882802caa0

        Download Submit
      • memory/1716-139-0x0000000000000000-mapping.dmp
        Download
      • memory/2996-135-0x0000000000FA0000-0x0000000001040000-memory.dmp
        Filesize

        640KB

        Download
      • memory/2996-144-0x0000000005A30000-0x0000000005AC2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2996-145-0x0000000006260000-0x00000000062FC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/3192-136-0x0000000000000000-mapping.dmp
        Download
      • memory/3428-146-0x0000000000000000-mapping.dmp
        Download
      • memory/3428-147-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/3428-148-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/3428-149-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/3428-150-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/3428-151-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download