Analysis
-
max time kernel
156s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system -
submitted
31-07-2022 07:06
Static task
static1
Behavioral task
behavioral1
Sample
601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe
Resource
win10v2004-20220722-en
General
-
Target
601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe
-
Size
717KB
-
MD5
c00d1cf7fb01a9b33e438cd16b6eb578
-
SHA1
0d8c3833492d4106b7164d6ed9fa019838152832
-
SHA256
601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2
-
SHA512
2f5cac64da4edce25f0cffcc96fb1e500c0ee919ac0b7a466ddeab665ce6db1373a897fee492b36bed3b1a39be8b47af7676b2ef93f3b556b9794b2d78cac92a
Malware Config
Extracted
webmonitor
arglobal.wm01.to:443
-
config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
-
private_key
X2HBeL4iM
-
url_path
/recv4.php
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor payload 3 IoCs
resource yara_rule behavioral2/memory/1100-147-0x0000000000400000-0x00000000004E9000-memory.dmp family_webmonitor behavioral2/memory/1100-148-0x0000000000400000-0x00000000004E9000-memory.dmp family_webmonitor behavioral2/memory/1100-149-0x0000000000400000-0x00000000004E9000-memory.dmp family_webmonitor -
resource yara_rule behavioral2/memory/1100-144-0x0000000000400000-0x00000000004E9000-memory.dmp upx behavioral2/memory/1100-145-0x0000000000400000-0x00000000004E9000-memory.dmp upx behavioral2/memory/1100-146-0x0000000000400000-0x00000000004E9000-memory.dmp upx behavioral2/memory/1100-147-0x0000000000400000-0x00000000004E9000-memory.dmp upx behavioral2/memory/1100-148-0x0000000000400000-0x00000000004E9000-memory.dmp upx behavioral2/memory/1100-149-0x0000000000400000-0x00000000004E9000-memory.dmp upx -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NmNzcY.url 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe -
Unexpected DNS network traffic destination 22 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 114.114.114.114 Destination IP 123.125.81.6 Destination IP 91.239.100.100 Destination IP 114.114.114.114 Destination IP 101.226.4.6 Destination IP 89.233.43.71 Destination IP 89.233.43.71 Destination IP 180.76.76.76 Destination IP 139.175.55.244 Destination IP 180.76.76.76 Destination IP 91.239.100.100 Destination IP 77.88.8.8 Destination IP 139.175.55.244 Destination IP 123.125.81.6 Destination IP 77.88.8.8 Destination IP 180.76.76.76 Destination IP 1.2.4.8 Destination IP 101.226.4.6 Destination IP 114.114.114.114 Destination IP 1.2.4.8 Destination IP 1.2.4.8 Destination IP 77.88.8.8 -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4952 set thread context of 1100 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 89 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4952 wrote to memory of 4084 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 82 PID 4952 wrote to memory of 4084 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 82 PID 4952 wrote to memory of 4084 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 82 PID 4084 wrote to memory of 2456 4084 csc.exe 84 PID 4084 wrote to memory of 2456 4084 csc.exe 84 PID 4084 wrote to memory of 2456 4084 csc.exe 84 PID 4952 wrote to memory of 1100 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 89 PID 4952 wrote to memory of 1100 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 89 PID 4952 wrote to memory of 1100 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 89 PID 4952 wrote to memory of 1100 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 89 PID 4952 wrote to memory of 1100 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 89 PID 4952 wrote to memory of 1100 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 89 PID 4952 wrote to memory of 1100 4952 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe"C:\Users\Admin\AppData\Local\Temp\601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\isoqjogc\isoqjogc.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0AB.tmp" "c:\Users\Admin\AppData\Local\Temp\isoqjogc\CSC2A8E1F2696948D09DDCB55E5B5D8A1B.TMP"3⤵PID:2456
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"2⤵PID:1100
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5003c45cedc609e382cad71af58049662
SHA161f4bcfb32b2d4139cce443a8485744c97558a93
SHA25641969f1f0185c0b3879c8906b23ae608c05c66b56c52662092a709837ba5043c
SHA512aa800b0533122f5c06d99ea435f0c3ffc721189806d75e590167af0d6ceebfd97e382e6e60df8bb0cd50fd539b9c932d4aa306ebd18bd0da59092afd7f9e538d
-
Filesize
12KB
MD5b332332e7c56fa6cd0dab398c729d1f4
SHA16276778b58d8e5509734bb3690f226c3c8cf6ed2
SHA2565368a438d6c53d6519086eb94bd467cb067ecb3331585dcc740aef451c46a13b
SHA5125ba219c99a30b85b32bdf855ce52595761b5a19340bad56da2e8117bbe94cbd6dbb2c80c4d5c087fbb73b74fe6c77b9ac558419662985e120918732e8dcb601b
-
Filesize
39KB
MD504a6b6a358e3c9a0e90bb51a409e10c2
SHA1d5912217654fc1ef3c0dda70bd55b3f54d0072f1
SHA25626fca31435f8df1099359dd903cc461abb777d4c8e1b948ae8038929d92324e1
SHA51246d1dfaf6a32815318a16cd7dd1a08b5a779f12a8d40cb864b0bddc0cf4308bfe64c2e7d639ea6016d2d8b131d25898f36b6bb697c211042278db892b4890b56
-
Filesize
1KB
MD5b5fa1f6a77f007da810aedd9bfcee2bb
SHA1ead01d9641661ec0ef6efeb2c391bcfc0131f8ae
SHA256134bd0699e44866ce693d0055dc3dc691196ce429c0e9e4f0674ed4f0e19e940
SHA512e42f7053e02e4094d9970eb4c3580170329a39abdf6426daf58dbd67b827cd2c993ed7dc6c9c807d547a7fcfdbc77d66b03a772b975064fc3cd80817cf0d438a
-
Filesize
18KB
MD5ddee8a9d0b2713c2db01c69b0bbe7d67
SHA1251ce52d5baf2daf14761bc6db5fa1bf2f8d6c76
SHA25664fd87444ea983ea67fe83c9484ae9be84baba570e78137b884c37d50e758dc1
SHA51245324925f6150a899b7deae8fff660e802e6f876872a869adf7fe52b17f654ba628ca5c2e611eaecd3b12f8659e0c26f57ba25080d691a1e0abb589234244ebf
-
Filesize
312B
MD5dd35210b0fcf2a730586532ce99f50d8
SHA129020abd40c9610be8fc6aa7b99e927107f49b25
SHA2562848dc58506b0c038962e2dace3fd4fa662eb8fe6d278c8680b6ba56509115b0
SHA512ff69e99adcd905e9f7b770ba9e7a10aa09f00f1b8083fc0ef92f1fff8272b779468c09397787cf775b9ec83a64045ab83d3f667a8232b977c3dcff52550fa7a7