Analysis
max time kernel: 41s
max time network: 39s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2023 14:42
Behavioral tasks
- behavioral1: Sample MONSTERMCProtector.zip, Resource win7-20231020-en
- behavioral2: Sample MONSTERMCProtector.zip, Resource win10-20231129-en
- behavioral3: Sample MONSTERMCProtector.zip, Resource win10v2004-20231127-en
- behavioral4: Sample MONSTERMCProtector.zip, Resource win11-20231129-en
General
Target: MONSTERMCProtector.zip
Size: 2.9MB
MD5: e8a8b0cab9eb9a710fd7895ff764cc99
SHA1: 39bc39ee525a3e4c3d18fd5fb07cb15463fbc701
SHA256: 98c8e17db7c4e1f5cac1d3f8487e984802bb436a52620667d0c2ff602a6b1789
SHA512: d7f14f6c57bb93748fff6f6f028955a20423cc184deb8e3427b79a3262944c7f26a0d4cfe626d16be1fddc53f104ce16610baf4cd72eb7224619248299dd55e2
SSDEEP: 49152:6btLYS4beqTlCIuvYiV5G+NxFczKZZsy6nqvJD5tlQLmd:6bRYS4CqTxYYiVk+NxFjZsylhDVjd
Malware Config
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Desktop\Guna.UI2.dll | family_agenttesla
C:\Users\Admin\Desktop\Guna.UI2.dll | family_agenttesla
behavioral3/memory/352-29-0x0000000006E80000-0x0000000007076000-memory.dmp | family_agenttesla
C:\Users\Admin\Desktop\Guna.UI2.dll | family_agenttesla
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | MONSTERMCProtectorGUI.exe
- Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | MONSTERMCProtectorGUI.exe
- Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | MONSTERMCProtectorGUI.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MONSTERMCProtectorGUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MONSTERMCProtectorGUI.exe
- Executes dropped EXE 1 IoCs
Processes:
pid | process
352 | MONSTERMCProtectorGUI.exe
- Loads dropped DLL 2 IoCs
Processes:
pid | process
352 | MONSTERMCProtectorGUI.exe
352 | MONSTERMCProtectorGUI.exe
- Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral3/memory/352-18-0x0000000000A50000-0x000000000105A000-memory.dmp | agile_net
behavioral3/memory/352-39-0x0000000000A50000-0x000000000105A000-memory.dmp | agile_net
- Yara rule themida matched 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Desktop\MONSTERMCProtectorGUI.exe | themida
C:\Users\Admin\Desktop\MONSTERMCProtectorGUI.exe | themida
behavioral3/memory/352-18-0x0000000000A50000-0x000000000105A000-memory.dmp | themida
behavioral3/memory/352-39-0x0000000000A50000-0x000000000105A000-memory.dmp | themida
- Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MONSTERMCProtectorGUI.exe
- Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | MONSTERMCProtectorGUI.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | MONSTERMCProtectorGUI.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
352 | MONSTERMCProtectorGUI.exe
- Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | MONSTERMCProtectorGUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | MONSTERMCProtectorGUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | MONSTERMCProtectorGUI.exe
- Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid | process
352 | MONSTERMCProtectorGUI.exe
352 | MONSTERMCProtectorGUI.exe
352 | MONSTERMCProtectorGUI.exe
352 | MONSTERMCProtectorGUI.exe
352 | MONSTERMCProtectorGUI.exe
352 | MONSTERMCProtectorGUI.exe
352 | MONSTERMCProtectorGUI.exe
- Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 2072 | 7zFM.exe
Token: 35 | 2072 | 7zFM.exe
Token: SeSecurityPrivilege | 2072 | 7zFM.exe
Token: SeDebugPrivilege | 352 | MONSTERMCProtectorGUI.exe
- Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2072 | 7zFM.exe
2072 | 7zFM.exe
Processes
- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\MONSTERMCProtector.zip
  PID: 2136
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2996
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MONSTERMCProtector.zip"
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2072
- C:\Users\Admin\Desktop\MONSTERMCProtectorGUI.exe
  Command line: "C:\Users\Admin\Desktop\MONSTERMCProtectorGUI.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 352
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.9MB
  MD5: 1915011997fdb9aa95f15e567f4e6070
  SHA1: 40a7853f14d6d4919279965f026d57cf9a104998
  SHA256: 952fa59d3d6d8c8c5fad8a1144e5effdf0fa92d58db1fb2a2899faf84c6273ab
  SHA512: 5cca71b42ed9dc154e6d5919e7cd93046168781a55c051818157848efc918b2e4dd92f422eb1c47e0940b645ba750facf83bce240748a8170ac8ce0afc9efa90
- Filesize: 1.9MB
  MD5: c72df757360695c826568dabe81987cd
  SHA1: faf62ab24546de59d2c1c66798ac29e4ef40e0a9
  SHA256: 71f158807ec5be64dbdddeeaa761c589c6f9dd02806155169af38e8d2d77bb21
  SHA512: d4592216164e8af8083383304483b4403d0dde827c3b71be547515730d3dd0584b2262629d1361feea01722a70c6dc54dacd3359507508a036a2de4788ace7d6