General
-
Target
MonkeModManagerr.exe
-
Size
358KB
-
Sample
240806-zyfvea1akm
-
MD5
0e2616c389faa1a5e667fef0b4733986
-
SHA1
180ee1ea75f9a12a775759381866c84133bd76f9
-
SHA256
c7924fae4b5ec091080b288ce0cecc32c6af1549fee4011c0db22a635da87484
-
SHA512
82b2dcde2a38fa2f05b8083a79a395dc4c66154c2fbc5c05982dbabf6fa431644bb01fd56832b9d5f742a62775d176bccd835aeb270706c60c706b2b0e290c58
-
SSDEEP
6144:/7pg/668FHvvSlA4QY3mhnzUhHudWwUUK42WwtQE09:/72H8FPvS6zSQ2Wwt5y
Malware Config
Targets
-
-
Target
MonkeModManagerr.exe
-
Size
358KB
-
MD5
0e2616c389faa1a5e667fef0b4733986
-
SHA1
180ee1ea75f9a12a775759381866c84133bd76f9
-
SHA256
c7924fae4b5ec091080b288ce0cecc32c6af1549fee4011c0db22a635da87484
-
SHA512
82b2dcde2a38fa2f05b8083a79a395dc4c66154c2fbc5c05982dbabf6fa431644bb01fd56832b9d5f742a62775d176bccd835aeb270706c60c706b2b0e290c58
-
SSDEEP
6144:/7pg/668FHvvSlA4QY3mhnzUhHudWwUUK42WwtQE09:/72H8FPvS6zSQ2Wwt5y
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1