Overview

overview

10

Static

static

3

08f2609e7f...2c.exe

windows7-x64

10

08f2609e7f...2c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 00:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08f2609e7f7daf0f78032f773a68b72c.exe

  • Size

    1.4MB

  • MD5

    08f2609e7f7daf0f78032f773a68b72c

  • SHA1

    f00e4c61cce15ee5f43c032d8d595aba65fbdc86

  • SHA256

    0ed8f93b98f9cfff89559df9e0a8d360cab3dde1abfa2992216b4a98c5ca1253

  • SHA512

    8c1ba503d2956ad0c60b11547908b81e601a3bfb2c75ae73c03718bd883ff94451b0697f915049614470d59388d161c02893ad90b48466f77fc154a20215da74

  • SSDEEP

    24576:abOd/OsBgo0q4wMf/5vUQgxZGCc+b8QHsDpXgbkyh1Sl+inzQSjzVrV9ZtXCU8jt:abOsoHMXpUnxZGClb8QGryPSEY79/CUw

Score
10/10
webmonitorbackdoorinfostealerrat

Malware Config

Extracted

Family

webmonitor

C2

niiarmah.wm01.to:443

Attributes
  • config_key

    4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O

  • private_key

    yvkn5wM8E

  • url_path

    /recv5.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor payload 11 IoCs
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08f2609e7f7daf0f78032f773a68b72c.exe
    "C:\Users\Admin\AppData\Local\Temp\08f2609e7f7daf0f78032f773a68b72c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\08f2609e7f7daf0f78032f773a68b72c.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WTddvQz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCAFD.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2660
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WTddvQz.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WTddvQz.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:768
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2444

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpCAFD.tmp
    Filesize

    1KB

    MD5

    26be12fc6efcef4c92e3dee0b95568bd

    SHA1

    15c1c6c9c1d027d37fc31f4c3c8ff188b42de684

    SHA256

    2156f85d13049d8b72feb432ae7f8d8a5d1fd9cde18d1cb13c74794f9afcf839

    SHA512

    8d4c44ed681e53f517b1ed436ec547e7abb29d752b8d6619a095255b6854e40746bca513d84a8bcdaa3f2ffd39332dc2ea7a22172ec7240c0055d9658e8076bc

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    8c03d4d87ff77cdbf83d209e3f3a330b

    SHA1

    881634543264a00dd13bec59dabae32ac9cff165

    SHA256

    89fa99cb5adca906015a2d52d72db14c71d5e4cd37c32861663df9c34849e064

    SHA512

    b93271c383ca9734cf41d3ade53cde990f5aa7ac9a2e0f08a532de6c0541bd9b4ff55d1fc876879f07e20b5d565fab4512e4455cb667855d740659252eb679aa

    Download Submit
  • memory/768-50-0x000000006F2C0000-0x000000006F86B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/768-44-0x000000006F2C0000-0x000000006F86B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/768-46-0x0000000002820000-0x0000000002860000-memory.dmp
    Filesize

    256KB

    Download
  • memory/860-41-0x0000000074420000-0x0000000074B0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/860-6-0x00000000083F0000-0x000000000851C000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/860-7-0x0000000008620000-0x000000000871A000-memory.dmp
    Filesize

    1000KB

    Download
  • memory/860-5-0x0000000004C60000-0x0000000004CA0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/860-4-0x0000000074420000-0x0000000074B0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/860-1-0x0000000074420000-0x0000000074B0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/860-0-0x0000000000D60000-0x0000000000ECC000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/860-2-0x0000000004C60000-0x0000000004CA0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/860-3-0x0000000000890000-0x00000000008A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2444-27-0x0000000000400000-0x00000000004F3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/2444-48-0x0000000000400000-0x00000000004F3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/2444-53-0x0000000000400000-0x00000000004F3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/2444-57-0x0000000003320000-0x0000000004320000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/2444-40-0x0000000000400000-0x00000000004F3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/2444-56-0x0000000000400000-0x00000000004F3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/2444-54-0x0000000000400000-0x00000000004F3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/2444-45-0x0000000000400000-0x00000000004F3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/2444-55-0x0000000003320000-0x0000000004320000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/2444-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2444-30-0x0000000000400000-0x00000000004F3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/2444-28-0x0000000000400000-0x00000000004F3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/2444-25-0x0000000000400000-0x00000000004F3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/2444-26-0x0000000000400000-0x00000000004F3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/2616-36-0x000000006F2C0000-0x000000006F86B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2616-51-0x000000006F2C0000-0x000000006F86B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2616-42-0x0000000002AA0000-0x0000000002AE0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2616-34-0x0000000002AA0000-0x0000000002AE0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2616-29-0x000000006F2C0000-0x000000006F86B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2640-32-0x000000006F2C0000-0x000000006F86B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2640-49-0x000000006F2C0000-0x000000006F86B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2640-47-0x0000000002E00000-0x0000000002E40000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2640-43-0x0000000002E00000-0x0000000002E40000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2640-39-0x0000000002E00000-0x0000000002E40000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2640-38-0x000000006F2C0000-0x000000006F86B000-memory.dmp
    Filesize

    5.7MB

    Download