c7924fae4b5ec091080b288ce0cecc32c6af1549fee4011c0db22a635da87484

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 21:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MonkeModManagerr.exe
Size

358KB
MD5

0e2616c389faa1a5e667fef0b4733986
SHA1

180ee1ea75f9a12a775759381866c84133bd76f9
SHA256

c7924fae4b5ec091080b288ce0cecc32c6af1549fee4011c0db22a635da87484
SHA512

82b2dcde2a38fa2f05b8083a79a395dc4c66154c2fbc5c05982dbabf6fa431644bb01fd56832b9d5f742a62775d176bccd835aeb270706c60c706b2b0e290c58
SSDEEP

6144:/7pg/668FHvvSlA4QY3mhnzUhHudWwUUK42WwtQE09:/72H8FPvS6zSQ2Wwt5y

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1744	powershell.exe
1416	powershell.exe
3064	powershell.exe
1576	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registry.lnk	MonkeModManager.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registry.lnk	MonkeModManager.exe

Executes dropped EXE 3 IoCs

pid	Process
2520	MonkeModManager.exe
3044	MonkeModManager (2).exe
2948	Registry

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Registry"	MonkeModManager.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1528	timeout.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	MonkeModManager (2).exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	MonkeModManager (2).exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	MonkeModManager (2).exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	MonkeModManager (2).exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	MonkeModManager (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	MonkeModManager (2).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	MonkeModManager (2).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	MonkeModManager (2).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	MonkeModManager (2).exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	MonkeModManager (2).exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	MonkeModManager (2).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	MonkeModManager (2).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	MonkeModManager (2).exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	MonkeModManager (2).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	MonkeModManager (2).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	MonkeModManager (2).exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	MonkeModManager (2).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	MonkeModManager (2).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	MonkeModManager (2).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	MonkeModManager (2).exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3064	powershell.exe
1576	powershell.exe
1744	powershell.exe
1416	powershell.exe
2520	MonkeModManager.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	MonkeModManager (2).exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	MonkeModManager.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	2520	MonkeModManager.exe
Token: SeDebugPrivilege	2948	Registry

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3044	MonkeModManager (2).exe
2520	MonkeModManager.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2520	2056	MonkeModManagerr.exe	30
PID 2056 wrote to memory of 2520	2056	MonkeModManagerr.exe	30
PID 2056 wrote to memory of 2520	2056	MonkeModManagerr.exe	30
PID 2056 wrote to memory of 3044	2056	MonkeModManagerr.exe	31
PID 2056 wrote to memory of 3044	2056	MonkeModManagerr.exe	31
PID 2056 wrote to memory of 3044	2056	MonkeModManagerr.exe	31
PID 2520 wrote to memory of 3064	2520	MonkeModManager.exe	34
PID 2520 wrote to memory of 3064	2520	MonkeModManager.exe	34
PID 2520 wrote to memory of 3064	2520	MonkeModManager.exe	34
PID 2520 wrote to memory of 1576	2520	MonkeModManager.exe	36
PID 2520 wrote to memory of 1576	2520	MonkeModManager.exe	36
PID 2520 wrote to memory of 1576	2520	MonkeModManager.exe	36
PID 2520 wrote to memory of 1744	2520	MonkeModManager.exe	38
PID 2520 wrote to memory of 1744	2520	MonkeModManager.exe	38
PID 2520 wrote to memory of 1744	2520	MonkeModManager.exe	38
PID 2520 wrote to memory of 1416	2520	MonkeModManager.exe	40
PID 2520 wrote to memory of 1416	2520	MonkeModManager.exe	40
PID 2520 wrote to memory of 1416	2520	MonkeModManager.exe	40
PID 2520 wrote to memory of 1532	2520	MonkeModManager.exe	42
PID 2520 wrote to memory of 1532	2520	MonkeModManager.exe	42
PID 2520 wrote to memory of 1532	2520	MonkeModManager.exe	42
PID 2236 wrote to memory of 2948	2236	taskeng.exe	45
PID 2236 wrote to memory of 2948	2236	taskeng.exe	45
PID 2236 wrote to memory of 2948	2236	taskeng.exe	45
PID 2520 wrote to memory of 2224	2520	MonkeModManager.exe	46
PID 2520 wrote to memory of 2224	2520	MonkeModManager.exe	46
PID 2520 wrote to memory of 2224	2520	MonkeModManager.exe	46
PID 2520 wrote to memory of 2300	2520	MonkeModManager.exe	48
PID 2520 wrote to memory of 2300	2520	MonkeModManager.exe	48
PID 2520 wrote to memory of 2300	2520	MonkeModManager.exe	48
PID 2300 wrote to memory of 1528	2300	cmd.exe	50
PID 2300 wrote to memory of 1528	2300	cmd.exe	50
PID 2300 wrote to memory of 1528	2300	cmd.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MonkeModManagerr.exe
"C:\Users\Admin\AppData\Local\Temp\MonkeModManagerr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
  "C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MonkeModManager.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Registry'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Registry'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Registry" /tr "C:\Users\Admin\AppData\Local\Temp\Registry"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1532
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "Registry"
    3⤵
    PID:2224
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5706.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1528
- C:\Users\Admin\AppData\Local\Temp\MonkeModManager (2).exe
  "C:\Users\Admin\AppData\Local\Temp\MonkeModManager (2).exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3044

C:\Windows\system32\taskeng.exe
taskeng.exe {58CEAF8C-6717-4823-8989-A98FB94A2C4C} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\Registry
  C:\Users\Admin\AppData\Local\Temp\Registry
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MonkeModManager (2).exe

Filesize
217KB

MD5
1d62aa3d19462f3d5575fc54159911b4

SHA1
b37eab86c0075245fcc517a280f0705f6dffb852

SHA256
6acaae0fb470790102a338e23dfe2263f31e529288e4efe51b34bca30371cb36

SHA512
78a9501d7920920577a586396e5d9e2278a7c926448c9a98d7844db9032dbd887df90d2f389fe1754bf5a2071a19dfd5d40315624923e903ef9ef6cbb214b1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe

Filesize
313KB

MD5
0bd1df6f8a2118230f33aae048273c5d

SHA1
7a35e58f544c37a8a2ccce4fc6ada6553920b2cc

SHA256
2c2f3542450e96426407e7902b5b96e342887078c74c429777d6a669be9b2905

SHA512
daf9fd90832ca5ce4ac17a3507eeec08f8ea05ab15c391180cab7ba9c7335e80b7773ceaf80d9e56d73847536d578ab41f06ccc9ad405d5815be2192b7c12dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5706.tmp.bat

Filesize
167B

MD5
705a039fc40350a07e53ac5d4e7991c2

SHA1
e31352010369ad3ff403e90236550e605e9b9054

SHA256
3bd7384f1001b6f253cc2c413d4f35ba25fc4be29cd27dacc33a5036598aae28

SHA512
7fab3b7ac7244b25493aa15d5e26fbe2dabed4c8b3dae2f56154df6fbb8f355b089cc6585ff2bd012bf7578162f6f3bf1bc74059296bb9643abb3709aa580da6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1e90c7bde5d06614c523ef1809d02719

SHA1
ee93d3e71150e4443803061bf050cad7c54b1c0e

SHA256
e6f27d06302ad43c4e94b2dcbb0059be7a977203226357a912343b34b00c9257

SHA512
3a15e1702e6b10c65e0a31b388a013118b0ba41e82da2467e79124d3f20396d10f1cf488d6589eb9db77a58c7eaef57770774e77e3b600b1d3ebffb60d1172b1

Download Submit
memory/1576-32-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1576-31-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2056-1-0x0000000000040000-0x00000000000A0000-memory.dmp

Filesize
384KB

Download
memory/2056-16-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/2056-0-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

Filesize
4KB

Download
memory/2520-18-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2520-17-0x0000000000240000-0x0000000000276000-memory.dmp

Filesize
216KB

Download
memory/2520-15-0x0000000001270000-0x00000000012C4000-memory.dmp

Filesize
336KB

Download
memory/2948-49-0x0000000000C00000-0x0000000000C54000-memory.dmp

Filesize
336KB

Download
memory/3044-19-0x00000000201A0000-0x00000000201B0000-memory.dmp

Filesize
64KB

Download
memory/3044-14-0x00000000013E0000-0x000000000141C000-memory.dmp

Filesize
240KB

Download
memory/3064-24-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/3064-25-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download