Overview

overview

10

Static

static

601683bffc...c2.exe

windows7-x64

10

601683bffc...c2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 07:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe

  • Size

    717KB

  • MD5

    c00d1cf7fb01a9b33e438cd16b6eb578

  • SHA1

    0d8c3833492d4106b7164d6ed9fa019838152832

  • SHA256

    601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2

  • SHA512

    2f5cac64da4edce25f0cffcc96fb1e500c0ee919ac0b7a466ddeab665ce6db1373a897fee492b36bed3b1a39be8b47af7676b2ef93f3b556b9794b2d78cac92a

Score
10/10
webmonitorbackdoorinfostealerratupx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes
  • config_key

    ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4

  • private_key

    X2HBeL4iM

  • url_path

    /recv4.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor payload 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Unexpected DNS network traffic destination 22 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe
    "C:\Users\Admin\AppData\Local\Temp\601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\isoqjogc\isoqjogc.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0AB.tmp" "c:\Users\Admin\AppData\Local\Temp\isoqjogc\CSC2A8E1F2696948D09DDCB55E5B5D8A1B.TMP"
        3⤵
          PID:2456
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        2⤵
          PID:1100

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESE0AB.tmp
        Filesize

        1KB

        MD5

        003c45cedc609e382cad71af58049662

        SHA1

        61f4bcfb32b2d4139cce443a8485744c97558a93

        SHA256

        41969f1f0185c0b3879c8906b23ae608c05c66b56c52662092a709837ba5043c

        SHA512

        aa800b0533122f5c06d99ea435f0c3ffc721189806d75e590167af0d6ceebfd97e382e6e60df8bb0cd50fd539b9c932d4aa306ebd18bd0da59092afd7f9e538d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\isoqjogc\isoqjogc.dll
        Filesize

        12KB

        MD5

        b332332e7c56fa6cd0dab398c729d1f4

        SHA1

        6276778b58d8e5509734bb3690f226c3c8cf6ed2

        SHA256

        5368a438d6c53d6519086eb94bd467cb067ecb3331585dcc740aef451c46a13b

        SHA512

        5ba219c99a30b85b32bdf855ce52595761b5a19340bad56da2e8117bbe94cbd6dbb2c80c4d5c087fbb73b74fe6c77b9ac558419662985e120918732e8dcb601b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\isoqjogc\isoqjogc.pdb
        Filesize

        39KB

        MD5

        04a6b6a358e3c9a0e90bb51a409e10c2

        SHA1

        d5912217654fc1ef3c0dda70bd55b3f54d0072f1

        SHA256

        26fca31435f8df1099359dd903cc461abb777d4c8e1b948ae8038929d92324e1

        SHA512

        46d1dfaf6a32815318a16cd7dd1a08b5a779f12a8d40cb864b0bddc0cf4308bfe64c2e7d639ea6016d2d8b131d25898f36b6bb697c211042278db892b4890b56

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\isoqjogc\CSC2A8E1F2696948D09DDCB55E5B5D8A1B.TMP
        Filesize

        1KB

        MD5

        b5fa1f6a77f007da810aedd9bfcee2bb

        SHA1

        ead01d9641661ec0ef6efeb2c391bcfc0131f8ae

        SHA256

        134bd0699e44866ce693d0055dc3dc691196ce429c0e9e4f0674ed4f0e19e940

        SHA512

        e42f7053e02e4094d9970eb4c3580170329a39abdf6426daf58dbd67b827cd2c993ed7dc6c9c807d547a7fcfdbc77d66b03a772b975064fc3cd80817cf0d438a

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\isoqjogc\isoqjogc.0.cs
        Filesize

        18KB

        MD5

        ddee8a9d0b2713c2db01c69b0bbe7d67

        SHA1

        251ce52d5baf2daf14761bc6db5fa1bf2f8d6c76

        SHA256

        64fd87444ea983ea67fe83c9484ae9be84baba570e78137b884c37d50e758dc1

        SHA512

        45324925f6150a899b7deae8fff660e802e6f876872a869adf7fe52b17f654ba628ca5c2e611eaecd3b12f8659e0c26f57ba25080d691a1e0abb589234244ebf

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\isoqjogc\isoqjogc.cmdline
        Filesize

        312B

        MD5

        dd35210b0fcf2a730586532ce99f50d8

        SHA1

        29020abd40c9610be8fc6aa7b99e927107f49b25

        SHA256

        2848dc58506b0c038962e2dace3fd4fa662eb8fe6d278c8680b6ba56509115b0

        SHA512

        ff69e99adcd905e9f7b770ba9e7a10aa09f00f1b8083fc0ef92f1fff8272b779468c09397787cf775b9ec83a64045ab83d3f667a8232b977c3dcff52550fa7a7

        Download Submit
      • memory/1100-144-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/1100-143-0x0000000000000000-mapping.dmp
        Download
      • memory/1100-145-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/1100-146-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/1100-147-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/1100-148-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/1100-149-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/2456-136-0x0000000000000000-mapping.dmp
        Download
      • memory/4084-133-0x0000000000000000-mapping.dmp
        Download
      • memory/4952-141-0x0000000005430000-0x00000000054C2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4952-142-0x0000000005F70000-0x000000000600C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4952-132-0x0000000000A00000-0x0000000000AA2000-memory.dmp
        Filesize

        648KB

        Download