Analysis
-
max time kernel
188s -
max time network
195s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
31-07-2022 07:06
Static task
static1
Behavioral task
behavioral1
Sample
601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe
Resource
win10v2004-20220722-en
General
-
Target
601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe
-
Size
717KB
-
MD5
c00d1cf7fb01a9b33e438cd16b6eb578
-
SHA1
0d8c3833492d4106b7164d6ed9fa019838152832
-
SHA256
601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2
-
SHA512
2f5cac64da4edce25f0cffcc96fb1e500c0ee919ac0b7a466ddeab665ce6db1373a897fee492b36bed3b1a39be8b47af7676b2ef93f3b556b9794b2d78cac92a
Malware Config
Extracted
webmonitor
arglobal.wm01.to:443
-
config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
-
private_key
X2HBeL4iM
-
url_path
/recv4.php
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor payload 4 IoCs
resource yara_rule behavioral1/memory/940-73-0x00000000004E70C0-mapping.dmp family_webmonitor behavioral1/memory/940-77-0x0000000000400000-0x00000000004E9000-memory.dmp family_webmonitor behavioral1/memory/940-78-0x0000000000400000-0x00000000004E9000-memory.dmp family_webmonitor behavioral1/memory/940-79-0x0000000000400000-0x00000000004E9000-memory.dmp family_webmonitor -
resource yara_rule behavioral1/memory/2012-67-0x00000000007B0000-0x0000000000899000-memory.dmp upx behavioral1/memory/940-69-0x0000000000400000-0x00000000004E9000-memory.dmp upx behavioral1/memory/940-71-0x0000000000400000-0x00000000004E9000-memory.dmp upx behavioral1/memory/940-72-0x0000000000400000-0x00000000004E9000-memory.dmp upx behavioral1/memory/940-74-0x0000000000400000-0x00000000004E9000-memory.dmp upx behavioral1/memory/940-76-0x0000000000400000-0x00000000004E9000-memory.dmp upx behavioral1/memory/940-77-0x0000000000400000-0x00000000004E9000-memory.dmp upx behavioral1/memory/940-78-0x0000000000400000-0x00000000004E9000-memory.dmp upx behavioral1/memory/940-79-0x0000000000400000-0x00000000004E9000-memory.dmp upx -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NmNzcY.url 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe -
Unexpected DNS network traffic destination 7 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 123.125.81.6 Destination IP 139.175.55.244 Destination IP 180.76.76.76 Destination IP 114.114.114.114 Destination IP 77.88.8.8 Destination IP 1.2.4.8 Destination IP 101.226.4.6 -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2012 set thread context of 940 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 30 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2012 wrote to memory of 1624 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 27 PID 2012 wrote to memory of 1624 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 27 PID 2012 wrote to memory of 1624 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 27 PID 2012 wrote to memory of 1624 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 27 PID 1624 wrote to memory of 824 1624 csc.exe 29 PID 1624 wrote to memory of 824 1624 csc.exe 29 PID 1624 wrote to memory of 824 1624 csc.exe 29 PID 1624 wrote to memory of 824 1624 csc.exe 29 PID 2012 wrote to memory of 940 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 30 PID 2012 wrote to memory of 940 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 30 PID 2012 wrote to memory of 940 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 30 PID 2012 wrote to memory of 940 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 30 PID 2012 wrote to memory of 940 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 30 PID 2012 wrote to memory of 940 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 30 PID 2012 wrote to memory of 940 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 30 PID 2012 wrote to memory of 940 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe"C:\Users\Admin\AppData\Local\Temp\601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4kxcoa1m\4kxcoa1m.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1057.tmp" "c:\Users\Admin\AppData\Local\Temp\4kxcoa1m\CSC43642E1AD3DF4FFFAA7CD3A437B17641.TMP"3⤵PID:824
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"2⤵PID:940
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD560316435de25d783cf63a086aa2e5a2d
SHA1b553ca91afaf4b390ffdd6b41b300d7dcc690439
SHA256a098712f96214f4bd5a0e5b3e4f8d39aca39bf680b10da411ff31fc812d50d7d
SHA512d376edc45ef2c7e2d2dcbce6b94f2dc8eb35aa61ecc59d895051956d15c03c32b35e069e3d59454d8b6a44a4af0e9e12d34cd34bd6c6e7b29dfc5abf6babb0d2
-
Filesize
39KB
MD52818e56350474b910d689eb9223dc663
SHA16b39f71b1f05c122f48a2bcd36d933d8c3f5fc31
SHA256d6608edcabf45c9e4cab50222a3b704c95c47ba5bd6c8abad1f7e85f10e9dc93
SHA5120041f00f25f3a11439e00e0bece5b4788ca7dd0bf5bc79aae2a388e901d908bca4fb8ac8880de5b728ddea24bef2a9fc9ef8c1bae949c303972dd6ce2d25affb
-
Filesize
1KB
MD56f70c560af90472d71785db37c506e0c
SHA1a99b264bd9e1b3de22026bcd21a18391c91f7387
SHA256838ae8d0e706e53d1cc58fad77d894e6bace849eb812ca4f421bc1ddb39cd9b5
SHA51257261d8af2dda301ccffff13aa694904b06db1378df6e2a7416a74e03a9a4c04ff8b53c2cf1486db5e2fae791b007f965eec17709b4e42ab70af17da04afa4f1
-
Filesize
18KB
MD5ddee8a9d0b2713c2db01c69b0bbe7d67
SHA1251ce52d5baf2daf14761bc6db5fa1bf2f8d6c76
SHA25664fd87444ea983ea67fe83c9484ae9be84baba570e78137b884c37d50e758dc1
SHA51245324925f6150a899b7deae8fff660e802e6f876872a869adf7fe52b17f654ba628ca5c2e611eaecd3b12f8659e0c26f57ba25080d691a1e0abb589234244ebf
-
Filesize
312B
MD570a12a146a4fd7b08431da280c9ba55c
SHA144d221ce3406dc2cd72ad8d7edbe81f2509a29d5
SHA256a371a5766b1f327c7ecccbd7508fd075ee6ab229932e4ba9fcd53ef314616c01
SHA512b61e8f71ebe2f9e41c8bce5404f8ddb4b3a56cb2e1b1b30fafd22155f721f7ba754e11613f835c86bc50c9e1e32975bcf403eb60be220210557acaecacf8aa8e
-
Filesize
1KB
MD5a75c56843da455eb0c514ef4e1bdae55
SHA103a04a85aa26876570cc52e4fb33f2d97b76a8fa
SHA25636c2c569eea1aa05194785d5aaeb8a16357840db97e2c79cbc45b162d59f7411
SHA51242e8fdd048423f6862f77f4c849135ab75d39d4c95708f690308b2294e4e57942b5ffa5c7241b2b067f2bde3f3e15cebce793cd425c0a9f8b4f52d7caae3de20