Resubmissions

Analysis 221008-s23p1sehf8 (score 10), submitted 08-10-2022 15:38; the ID prefix 221008 dates the run to 2022-10-08.

Analysis

  • max time kernel
    102s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-10-2022 15:38

General

  • Target

    ManyCam 8 Multilingual/ManyCam 8 Multilingual/ManyCam 8 Multilingual/Crack_Patch/manycam 8-MPT.exe

  • Size

    557KB

  • MD5

    948df9371c1dd0928496cafb9da6d9b4

  • SHA1

    5725d22fc6dc187c39aad31febabb41771ce4b83

  • SHA256

    f9ab094a0d2b47684d8bbc5a430c111ab3aa18e7aa3d2a70f7157829808322e4

  • SHA512

    fb8aebde61d299463122bff606ad578d07a952b106979bc824cc3e9fdff806338e1db8c82aabdd3c27c3baf517acec7dfb64e2f6eef03dca46cf0668b061ef8a

  • SSDEEP

    12288:96Wq4aaE6KwyF5L0Y2D1PqLXLvjZhsbooEuo9wgng3wnePR/:rthEVaPqLXLvjZWFEPwbXPR/

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.6E

Botnet

Default

C2

dilescemo.servegame.com:2222

Mutex

ywmtlgzamxo

Attributes
  • delay

    1

  • install

    true

  • install_file

    windows.exe

  • install_folder

    %AppData%

aes.plain
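The C2 above is a dynamic-DNS hostname (servegame.com is one of No-IP's free hostname suffixes) on a non-standard port, which is what a network hunt for this sample should key on. The following is an added example, not part of the report: it runs three checks over constructed DNS/connection telemetry modelled on the process tree in this report (PID 3988 is the installed copy, windows.exe). The log format, the 203.0.113.10 placeholder address, the firefox.exe and updater.exe lines, and the DDNS suffix list (partial) are all assumptions made for the example; the report's own Network section recorded nothing.

```python
import re
from collections import namedtuple

# Values from the extracted config above.
C2_HOST, C2_PORT = "dilescemo.servegame.com", 2222

# Free dynamic-DNS hostname suffixes operated by No-IP (a partial list); servegame.com is one
# of them, so the C2 name can be re-pointed by the operator without registering a domain.
DDNS_SUFFIXES = ("servegame.com", "ddns.net", "hopto.org", "no-ip.org", "zapto.org",
                 "sytes.net", "myftp.org", "serveftp.com", "servehttp.com", "redirectme.net")
COMMON_PORTS = {80, 443}

Finding = namedtuple("Finding", "rule pid value")
LINE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) "
                  r"(?P<kind>dns_query|connect)=(?P<value>\S+)$")

# Constructed telemetry (the report's Network section is empty): the installed copy resolving
# and connecting to the C2 on a TEST-NET placeholder address, plus benign and look-alike noise.
SAMPLE_LOG = """\
2022-10-08T15:40:01Z pid=3988 image=C:\\Users\\Admin\\AppData\\Roaming\\windows.exe dns_query=dilescemo.servegame.com
2022-10-08T15:40:01Z pid=3988 image=C:\\Users\\Admin\\AppData\\Roaming\\windows.exe connect=203.0.113.10:2222
2022-10-08T15:40:02Z pid=5120 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dns_query=www.example.com
2022-10-08T15:40:02Z pid=5120 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe connect=198.51.100.7:443
2022-10-08T15:40:03Z pid=6012 image=C:\\Users\\Admin\\AppData\\Local\\Temp\\updater.exe dns_query=myhost.hopto.org
"""


def in_user_dir(image):
    """Images under a user's AppData tree: where this sample drops and installs itself."""
    return "\\appdata\\" in image.lower()


def is_ddns(host):
    """True if host is itself a DDNS suffix or a label beneath one (not a look-alike)."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DDNS_SUFFIXES)


def scan(log_text):
    """Apply the C2-hostname, DDNS-from-user-dir and uncommon-port checks to each line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, image, kind, value = int(m["pid"]), m["image"], m["kind"], m["value"]
        if kind == "dns_query":
            if value.lower().rstrip(".") == C2_HOST:
                findings.append(Finding("asyncrat_c2_hostname", pid, value))
            elif is_ddns(value) and in_user_dir(image):
                findings.append(Finding("ddns_lookup_from_user_dir", pid, value))
        else:
            port = int(value.rsplit(":", 1)[1])
            if in_user_dir(image) and port not in COMMON_PORTS:
                rule = "asyncrat_c2_port" if port == C2_PORT else "uncommon_port_from_user_dir"
                findings.append(Finding(rule, pid, value))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule}: pid {f.pid} -> {f.value}")
```

The hostname match is the high-confidence rule; the DDNS and port rules are hunting heuristics that will also fire on legitimate software, so scope them to images in user-writable paths as done here.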

Signatures

  • AsyncRat

    AsyncRAT is an open-source .NET remote access trojan designed to remotely monitor and control other computers; the Malware Config above (C2 host and port, mutex, install folder and file name) is the client's embedded settings block.

  • Async RAT payload 5 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's generic "likely ransomware" note is not supported by this run: nothing else in the report shows file encryption or mass file modification, and drive enumeration is equally consistent with host discovery by a RAT.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ManyCam 8 Multilingual\ManyCam 8 Multilingual\ManyCam 8 Multilingual\Crack_Patch\manycam 8-MPT.exe
    "C:\Users\Admin\AppData\Local\Temp\ManyCam 8 Multilingual\ManyCam 8 Multilingual\ManyCam 8 Multilingual\Crack_Patch\manycam 8-MPT.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Users\Admin\AppData\Local\Temp\File1.exe
      "C:\Users\Admin\AppData\Local\Temp\File1.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4772
    • C:\Users\Admin\AppData\Local\Temp\File2.exe
      "C:\Users\Admin\AppData\Local\Temp\File2.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn File2 /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn File2 /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:3824
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDBCE.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:3640
        • C:\Users\Admin\AppData\Roaming\windows.exe
          "C:\Users\Admin\AppData\Roaming\windows.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3988
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2f4 0x2ec
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4076
    (Windows audio device graph isolation: a standard service process and a separate root in this tree, not a child of the sample, so its AdjustPrivilegeToken hit is background noise rather than RAT activity.)
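The tree above is the stock AsyncRAT install routine: the dropper starts File2.exe from Temp, File2.exe registers a logon task at the highest run level pointing at a copy of itself in %AppData%, then runs a batch file that waits (timeout 3) and launches that copy. The following is an added example, not part of the report: a small detector that rebuilds those three links from process-creation events and flags each one. The events are constructed from the PIDs, images and command lines listed above (System32 path case is normalised, since matching is case-insensitive); the rule names and the event tuple layout are the example's own.

```python
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Paths as the report lists them.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
SYS = r"C:\Windows\system32"
DROPPER = (TEMP + r"\ManyCam 8 Multilingual\ManyCam 8 Multilingual"
           r"\ManyCam 8 Multilingual\Crack_Patch\manycam 8-MPT.exe")
TASK_CMD = ("schtasks /create /f /sc onlogon /rl highest /tn File2 /tr '\""
            + ROAM + "\\windows.exe\"'")

# Process-creation events constructed from the report's process tree.
EVENTS = [
    Event(3208, 0,    DROPPER,                '"' + DROPPER + '"'),
    Event(4772, 3208, TEMP + r"\File1.exe",   '"' + TEMP + '\\File1.exe"'),
    Event(4880, 3208, TEMP + r"\File2.exe",   '"' + TEMP + '\\File2.exe"'),
    Event(1748, 4880, SYS + r"\cmd.exe",      '"' + SYS + '\\cmd.exe" /c ' + TASK_CMD + " & exit"),
    Event(3824, 1748, SYS + r"\schtasks.exe", TASK_CMD),
    Event(1920, 4880, SYS + r"\cmd.exe",      SYS + '\\cmd.exe /c ""' + TEMP + '\\tmpDBCE.tmp.bat""'),
    Event(3640, 1920, SYS + r"\timeout.exe",  "timeout 3"),
    Event(3988, 1920, ROAM + r"\windows.exe", '"' + ROAM + '\\windows.exe"'),
    Event(4076, 0,    SYS + r"\AUDIODG.EXE",  SYS + r"\AUDIODG.EXE 0x2f4 0x2ec"),
]

IN_TEMP = "\\appdata\\local\\temp\\"
IN_ROAM = "\\appdata\\roaming\\"


def under(path, folder):
    """Case-insensitive 'path lies below folder' test on a Windows path fragment."""
    return folder in path.lower()


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring and dropping double quotes.
    Single quotes are kept: schtasks receives them literally, as in the /tr value above."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def switches(tokens):
    """Map schtasks-style /switch -> value ('' for bare flags such as /create and /f)."""
    out, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            value = "" if nxt.startswith("/") else nxt
            out[tok.lower()] = value.strip("'")
            i += 2 if value else 1
        else:
            i += 1
    return out


def detect(events):
    """Return (pid, rule, detail) findings for the three links of the install chain."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    findings = []
    for e in events:
        image = e.image.lower()
        tokens = tokenize(e.cmdline)
        # 1. Logon-triggered task at highest run level whose action lives in a user-writable folder.
        if image.endswith("\\schtasks.exe"):
            sw = switches(tokens)
            target = sw.get("/tr", "")
            if ("/create" in sw and sw.get("/sc", "").lower() == "onlogon"
                    and sw.get("/rl", "").lower() == "highest"
                    and (under(target, IN_TEMP) or under(target, IN_ROAM))):
                findings.append((e.pid, "schtasks_onlogon_highest_appdata", target))
        # 2. cmd.exe running a .bat from Temp that sleeps (timeout.exe) and starts an exe from Roaming.
        if image.endswith("\\cmd.exe"):
            bats = [t for t in tokens if t.lower().endswith(".bat") and under(t, IN_TEMP)]
            kids = [c.image.lower() for c in children[e.pid]]
            if (bats and any(k.endswith("\\timeout.exe") for k in kids)
                    and any(k.endswith(".exe") and under(k, IN_ROAM) for k in kids)):
                findings.append((e.pid, "bat_delay_then_launch_from_roaming", bats[0]))
        # 3. Executable in Temp started by another executable in Temp (second-stage drop).
        parent = by_pid.get(e.ppid)
        if parent and under(image, IN_TEMP) and under(parent.image, IN_TEMP):
            findings.append((e.pid, "temp_exe_spawned_by_temp_exe", parent.image))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid}: {rule} -> {detail}")
```

Rule 1 is the durable one: the task name (File2) and file name (windows.exe) change per build, but "/sc onlogon /rl highest /tr <AppData path>" is the shape AsyncRAT's installer always produces. Rule 2 needs parent/child correlation, so it only works on telemetry that records parent PIDs; rule 3 is noisy on its own and is meant to be combined with the other two.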

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (T1053) ×1
  • Persistence: Scheduled Task (T1053) ×1
  • Privilege Escalation: Scheduled Task (T1053) ×1
  • Discovery: Query Registry (T1012) ×1; System Information Discovery (T1082) ×2


Downloads

  • C:\Users\Admin\AppData\Local\Temp\File1.exe
    Filesize

    229KB

    MD5

    99bc00543dd33142549458775fc146a8

    SHA1

    757f6569d16699fdb1f1597d6bac245fe2f88d27

    SHA256

    3bacbaf79d434a128d3a32792ab8f87aaa4854dacb89f475d4dec0f3addbd33c

    SHA512

    d77214c376d719217cdf830e4bc41251181750f330e9aa0b9d4ddb2e61959068780e8a2aa1c216f5217954436561bb643112bbf7a3dd269c07257ce8e7d0d8e2

  • C:\Users\Admin\AppData\Local\Temp\File2.exe
    Filesize

    47KB

    MD5

    5a4203bfe138541a159e87919e6b9850

    SHA1

    15945294b819105a008b763c16414d245fb130ce

    SHA256

    ebbb96e7bee4784af56950ca01fcfa65777a5297294bc91c67c2446aae1a2d5a

    SHA512

    53dcd6c8b6dafe2a193574413520f4f02af97ff119e99c448a111b0be544b2cd3af1b23bf954e043ed6cf3eb55f19310d9499b17863f0457a71afd7ac00e8c7f

  • C:\Users\Admin\AppData\Local\Temp\bassmod.dll
    Filesize

    33KB

    MD5

    e4ec57e8508c5c4040383ebe6d367928

    SHA1

    b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

    SHA256

    8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

    SHA512

    77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

  • C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll
    Filesize

    195KB

    MD5

    0f6a9bbbff53c8c215d1f0ce566b0f5e

    SHA1

    28906d516edf25fb58b6cc755725fde4504ab5b8

    SHA256

    380c0e3953de8cd1ce3793930821b85e02e40cfb13be3e1b57a44782f877dbdf

    SHA512

    a3007152c7927bb57d0887df82966f02fce739f7ce168f7f61676795a0d133519a007f0d2d9e41a645670eafce4b66a1682417e7e4b73973d28187e85c84e255

  • C:\Users\Admin\AppData\Local\Temp\tmpDBCE.tmp.bat
    Filesize

    151B

    MD5

    df8de135d61f0f1c6fea1e749f9e7bdd

    SHA1

    30ab33eee1cf2ea51240f48f56ce61aefe47f33f

    SHA256

    9e1b1f466adf20a2f297ad1139bf0c60d9a43c2b4fc3024468a409020074cd6b

    SHA512

    bdeb65b1ca9b49ff896fac1a2eda7956225a96521aeb43c259d0e816e1e79ad5faa35e3b1ed4025762b52456656afa3c840ca86c8c146a63bd0255886bc19ed1

  • C:\Users\Admin\AppData\Roaming\windows.exe
    Filesize

    47KB

    MD5

    5a4203bfe138541a159e87919e6b9850

    SHA1

    15945294b819105a008b763c16414d245fb130ce

    SHA256

    ebbb96e7bee4784af56950ca01fcfa65777a5297294bc91c67c2446aae1a2d5a

    SHA512

    53dcd6c8b6dafe2a193574413520f4f02af97ff119e99c448a111b0be544b2cd3af1b23bf954e043ed6cf3eb55f19310d9499b17863f0457a71afd7ac00e8c7f

  • memory/1748-147-0x0000000000000000-mapping.dmp
  • memory/1920-148-0x0000000000000000-mapping.dmp
  • memory/3208-132-0x0000000000400000-0x00000000004C4000-memory.dmp
    Filesize

    784KB

  • memory/3208-141-0x0000000000400000-0x00000000004C4000-memory.dmp
    Filesize

    784KB

  • memory/3640-151-0x0000000000000000-mapping.dmp
  • memory/3824-149-0x0000000000000000-mapping.dmp
  • memory/3988-156-0x00007FFC17A80000-0x00007FFC18541000-memory.dmp
    Filesize

    10.8MB

  • memory/3988-158-0x00007FFC17A80000-0x00007FFC18541000-memory.dmp
    Filesize

    10.8MB

  • memory/3988-153-0x0000000000000000-mapping.dmp
  • memory/4772-145-0x0000000074150000-0x00000000741E0000-memory.dmp
    Filesize

    576KB

  • memory/4772-159-0x0000000074150000-0x00000000741E0000-memory.dmp
    Filesize

    576KB

  • memory/4772-146-0x0000000000590000-0x0000000000593000-memory.dmp
    Filesize

    12KB

  • memory/4772-143-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize

    76KB

  • memory/4772-157-0x0000000010000000-0x0000000010013000-memory.dmp
    Filesize

    76KB

  • memory/4772-133-0x0000000000000000-mapping.dmp
  • memory/4880-136-0x0000000000000000-mapping.dmp
  • memory/4880-140-0x0000000000620000-0x0000000000632000-memory.dmp
    Filesize

    72KB

  • memory/4880-152-0x00007FFC17DD0000-0x00007FFC18891000-memory.dmp
    Filesize

    10.8MB

  • memory/4880-144-0x00007FFC17DD0000-0x00007FFC18891000-memory.dmp
    Filesize

    10.8MB