Overview (score 10)
Static (score 8)
Behavioral task tabs:
- ManyCam 8 ...PT.zip, windows7-x64: score 1
- ManyCam 8 ...PT.zip, windows10-2004-x64: score 1
- MAYANPROPHECY.nfo, windows7-x64: score 1
- MAYANPROPHECY.nfo, windows10-2004-x64: score 1
- manycam.7....PT.exe, windows7-x64: score 7
- manycam.7....PT.exe, windows10-2004-x64: score 7
- ManyCam 8 ...PT.exe, windows7-x64: score 10
- ManyCam 8 ...PT.exe, windows10-2004-x64: score 10
- ManyCam 8 ...up.exe, windows7-x64: score 7
- ManyCam 8 ...up.exe, windows10-2004-x64: score 7
- ManyCam 8 ...me.txt, windows7-x64: score 1
- ManyCam 8 ...me.txt, windows10-2004-x64: score 1
Resubmissions:
- 08-10-2022 15:38, 221008-s23p1sehf8: score 10
Analysis
- max time kernel: 102s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-10-2022 15:38
Behavioral tasks
- behavioral1: ManyCam 8 Multilingual/ManyCam 8 Multilingual/ManyCam 8 Multilingual/Crack_Patch/Patch-MPT.zip (resource win7-20220812-en)
- behavioral2: ManyCam 8 Multilingual/ManyCam 8 Multilingual/ManyCam 8 Multilingual/Crack_Patch/Patch-MPT.zip (resource win10v2004-20220812-en)
- behavioral3: MAYANPROPHECY.nfo (resource win7-20220812-en)
- behavioral4: MAYANPROPHECY.nfo (resource win10v2004-20220812-en)
- behavioral5: manycam.7.6.0.38-MPT.exe (resource win7-20220901-en)
- behavioral6: manycam.7.6.0.38-MPT.exe (resource win10v2004-20220812-en)
- behavioral7: ManyCam 8 Multilingual/ManyCam 8 Multilingual/ManyCam 8 Multilingual/Crack_Patch/manycam 8-MPT.exe (resource win7-20220812-en)
- behavioral8: ManyCam 8 Multilingual/ManyCam 8 Multilingual/ManyCam 8 Multilingual/Crack_Patch/manycam 8-MPT.exe (resource win10v2004-20220812-en)
- behavioral9: ManyCam 8 Multilingual/ManyCam 8 Multilingual/ManyCam 8 Multilingual/ManyCamSetup.exe (resource win7-20220901-en)
- behavioral10: ManyCam 8 Multilingual/ManyCam 8 Multilingual/ManyCam 8 Multilingual/ManyCamSetup.exe (resource win10v2004-20220812-en)
- behavioral11: ManyCam 8 Multilingual/ManyCam 8 Multilingual/ManyCam 8 Multilingual/Readme.txt (resource win7-20220812-en)
- behavioral12: ManyCam 8 Multilingual/ManyCam 8 Multilingual/ManyCam 8 Multilingual/Readme.txt (resource win10v2004-20220812-en)
General
- Target: ManyCam 8 Multilingual/ManyCam 8 Multilingual/ManyCam 8 Multilingual/Crack_Patch/manycam 8-MPT.exe
- Size: 557KB
- MD5: 948df9371c1dd0928496cafb9da6d9b4
- SHA1: 5725d22fc6dc187c39aad31febabb41771ce4b83
- SHA256: f9ab094a0d2b47684d8bbc5a430c111ab3aa18e7aa3d2a70f7157829808322e4
- SHA512: fb8aebde61d299463122bff606ad578d07a952b106979bc824cc3e9fdff806338e1db8c82aabdd3c27c3baf517acec7dfb64e2f6eef03dca46cf0668b061ef8a
- SSDEEP: 12288:96Wq4aaE6KwyF5L0Y2D1PqLXLvjZhsbooEuo9wgng3wnePR/:rthEVaPqLXLvjZWFEPwbXPR/
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.6E
- Botnet: Default
- C2: dilescemo.servegame.com:2222
- Mutex: ywmtlgzamxo
- Attributes:
  - delay: 1
  - install: true
  - install_file: windows.exe
  - install_folder: %AppData%
Signatures
- Async RAT payload (5 IoCs)
  Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\File2.exe: asyncrat
  - C:\Users\Admin\AppData\Local\Temp\File2.exe: asyncrat
  - behavioral8/memory/4880-140-0x0000000000620000-0x0000000000632000-memory.dmp: asyncrat
  - C:\Users\Admin\AppData\Roaming\windows.exe: asyncrat
  - C:\Users\Admin\AppData\Roaming\windows.exe: asyncrat
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 4772 File1.exe
  - 4880 File2.exe
  - 3988 windows.exe
- Processes (resource, yara_rule):
  - behavioral8/memory/3208-132-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
  - behavioral8/memory/3208-141-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (manycam 8-MPT.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (File2.exe)
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 4772 File1.exe
  - 4772 File1.exe
- AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes (resource, yara_rule):
  - behavioral8/memory/3208-132-0x0000000000400000-0x00000000004C4000-memory.dmp: autoit_exe
  - behavioral8/memory/3208-141-0x0000000000400000-0x00000000004C4000-memory.dmp: autoit_exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes (pid, process):
  - 3640 timeout.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  Processes (pid, process):
  - 4880 File2.exe (23 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  - Token: 33, 4076 AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, 4076 AUDIODG.EXE
  - Token: SeDebugPrivilege, 4880 File2.exe
  - Token: SeDebugPrivilege, 3988 windows.exe
- Suspicious use of FindShellTrayWindow (15 IoCs)
  Processes (pid, process):
  - 3208 manycam 8-MPT.exe (15 identical entries)
- Suspicious use of SendNotifyMessage (15 IoCs)
  Processes (pid, process):
  - 3208 manycam 8-MPT.exe (15 identical entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (pid, process, target process):
  - PID 3208 (manycam 8-MPT.exe) wrote to memory of 4772 (File1.exe), 3 entries
  - PID 3208 (manycam 8-MPT.exe) wrote to memory of 4880 (File2.exe), 2 entries
  - PID 4880 (File2.exe) wrote to memory of 1748 (cmd.exe), 2 entries
  - PID 4880 (File2.exe) wrote to memory of 1920 (cmd.exe), 2 entries
  - PID 1748 (cmd.exe) wrote to memory of 3824 (schtasks.exe), 2 entries
  - PID 1920 (cmd.exe) wrote to memory of 3640 (timeout.exe), 2 entries
  - PID 1920 (cmd.exe) wrote to memory of 3988 (windows.exe), 2 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\ManyCam 8 Multilingual\ManyCam 8 Multilingual\ManyCam 8 Multilingual\Crack_Patch\manycam 8-MPT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ManyCam 8 Multilingual\ManyCam 8 Multilingual\ManyCam 8 Multilingual\Crack_Patch\manycam 8-MPT.exe"
  Signatures: Checks computer location settings; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\File1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\File1.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\File2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\File2.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn File2 /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn File2 /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'
        Signatures: Creates scheduled task(s)
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDBCE.tmp.bat""
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe
        Command line: timeout 3
        Signatures: Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\windows.exe
        Command line: "C:\Users\Admin\AppData\Roaming\windows.exe"
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2f4 0x2ec
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\File1.exe
  Filesize: 229KB
  MD5: 99bc00543dd33142549458775fc146a8
  SHA1: 757f6569d16699fdb1f1597d6bac245fe2f88d27
  SHA256: 3bacbaf79d434a128d3a32792ab8f87aaa4854dacb89f475d4dec0f3addbd33c
  SHA512: d77214c376d719217cdf830e4bc41251181750f330e9aa0b9d4ddb2e61959068780e8a2aa1c216f5217954436561bb643112bbf7a3dd269c07257ce8e7d0d8e2
- C:\Users\Admin\AppData\Local\Temp\File2.exe
  Filesize: 47KB
  MD5: 5a4203bfe138541a159e87919e6b9850
  SHA1: 15945294b819105a008b763c16414d245fb130ce
  SHA256: ebbb96e7bee4784af56950ca01fcfa65777a5297294bc91c67c2446aae1a2d5a
  SHA512: 53dcd6c8b6dafe2a193574413520f4f02af97ff119e99c448a111b0be544b2cd3af1b23bf954e043ed6cf3eb55f19310d9499b17863f0457a71afd7ac00e8c7f
- C:\Users\Admin\AppData\Local\Temp\bassmod.dll
  Filesize: 33KB
  MD5: e4ec57e8508c5c4040383ebe6d367928
  SHA1: b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06
  SHA256: 8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f
  SHA512: 77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822
- C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll
  Filesize: 195KB
  MD5: 0f6a9bbbff53c8c215d1f0ce566b0f5e
  SHA1: 28906d516edf25fb58b6cc755725fde4504ab5b8
  SHA256: 380c0e3953de8cd1ce3793930821b85e02e40cfb13be3e1b57a44782f877dbdf
  SHA512: a3007152c7927bb57d0887df82966f02fce739f7ce168f7f61676795a0d133519a007f0d2d9e41a645670eafce4b66a1682417e7e4b73973d28187e85c84e255
- C:\Users\Admin\AppData\Local\Temp\tmpDBCE.tmp.bat
  Filesize: 151B
  MD5: df8de135d61f0f1c6fea1e749f9e7bdd
  SHA1: 30ab33eee1cf2ea51240f48f56ce61aefe47f33f
  SHA256: 9e1b1f466adf20a2f297ad1139bf0c60d9a43c2b4fc3024468a409020074cd6b
  SHA512: bdeb65b1ca9b49ff896fac1a2eda7956225a96521aeb43c259d0e816e1e79ad5faa35e3b1ed4025762b52456656afa3c840ca86c8c146a63bd0255886bc19ed1
- C:\Users\Admin\AppData\Roaming\windows.exe
  Filesize: 47KB
  MD5: 5a4203bfe138541a159e87919e6b9850
  SHA1: 15945294b819105a008b763c16414d245fb130ce
  SHA256: ebbb96e7bee4784af56950ca01fcfa65777a5297294bc91c67c2446aae1a2d5a
  SHA512: 53dcd6c8b6dafe2a193574413520f4f02af97ff119e99c448a111b0be544b2cd3af1b23bf954e043ed6cf3eb55f19310d9499b17863f0457a71afd7ac00e8c7f
Memory dumps:
- memory/1748-147-0x0000000000000000-mapping.dmp
- memory/1920-148-0x0000000000000000-mapping.dmp
- memory/3208-132-0x0000000000400000-0x00000000004C4000-memory.dmp (Filesize: 784KB)
- memory/3208-141-0x0000000000400000-0x00000000004C4000-memory.dmp (Filesize: 784KB)
- memory/3640-151-0x0000000000000000-mapping.dmp
- memory/3824-149-0x0000000000000000-mapping.dmp
- memory/3988-156-0x00007FFC17A80000-0x00007FFC18541000-memory.dmp (Filesize: 10.8MB)
- memory/3988-158-0x00007FFC17A80000-0x00007FFC18541000-memory.dmp (Filesize: 10.8MB)
- memory/3988-153-0x0000000000000000-mapping.dmp
- memory/4772-145-0x0000000074150000-0x00000000741E0000-memory.dmp (Filesize: 576KB)
- memory/4772-159-0x0000000074150000-0x00000000741E0000-memory.dmp (Filesize: 576KB)
- memory/4772-146-0x0000000000590000-0x0000000000593000-memory.dmp (Filesize: 12KB)
- memory/4772-143-0x0000000010000000-0x0000000010013000-memory.dmp (Filesize: 76KB)
- memory/4772-157-0x0000000010000000-0x0000000010013000-memory.dmp (Filesize: 76KB)
- memory/4772-133-0x0000000000000000-mapping.dmp
- memory/4880-136-0x0000000000000000-mapping.dmp
- memory/4880-140-0x0000000000620000-0x0000000000632000-memory.dmp (Filesize: 72KB)
- memory/4880-152-0x00007FFC17DD0000-0x00007FFC18891000-memory.dmp (Filesize: 10.8MB)
- memory/4880-144-0x00007FFC17DD0000-0x00007FFC18891000-memory.dmp (Filesize: 10.8MB)