3e4ee717f514363d3ee070a8dfaa4dcdd61c88cd44863227a00b495252895c22

Analysis

max time kernel
103s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Maono Link v2.1.2.exe
Size

26.1MB
MD5

8ecb41ddd315f2d1f6a845c20c076a51
SHA1

39d4d4662f1ade143377b75ea3ee5e8d4441b133
SHA256

490b1df82449341cd6927aed5af14addf139ad41bf4ccbf834adb648c57c4168
SHA512

06948201ec44f33d0ad26dbf863071d83b2e9da9dda17ede9d308367cb23f31421b6b68894312577587ea4eed6199042ab6c0f3940dddbaa5c91b7a6f6de32ee
SSDEEP

393216:vLQ+27nj50xmTbxb7unLEd+v0CzqH28HSua/Ly3fOkSpS0tjFZKNjU9vVEotV+wb:TYj5PT1OnwdD72GSd/w0pSru9EotHNl

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Maono Link v2.1.2.exe

Loads dropped DLL 2 IoCs

pid	Process
1788	Maono Link v2.1.2.exe
1788	Maono Link v2.1.2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 62 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_uk.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\imageformats\qwbmp.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\Qt5Widgets.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\imageformats\qgif.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\platforms\qwindows.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_es.qm	Maono Link v2.1.2.exe
File opened for modification	C:\Program Files (x86)\Maono\Maono Link\Maono Link.url	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\libEGL.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\bearer\qgenericbearer.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\imageformats\qsvg.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_ca.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_fi.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_ja.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_ru.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\ktTool.exe	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\opengl32sw.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\mediaservice\dsengine.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_en.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_bg.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\Qt5Multimedia.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\imageformats\qicns.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\imageformats\qjpeg.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_de.qm	Maono Link v2.1.2.exe
File opened for modification	C:\Program Files (x86)\Maono\Maono Linkconfig.ini	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\D3Dcompiler_47.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\Qt5Svg.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\iconengines\qsvgicon.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\Qt5Core.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\playlistformats\qtmultimedia_m3u.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_he.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_pl.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\Qt5Gui.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\ucrtbased.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\vccorlib140.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\audio\qtaudio_windows.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_lv.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\Maono Link.exe	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\Qt5Network.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\imageformats\qwebp.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_cs.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\uninst.exe	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\vcruntime140.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\imageformats\qtiff.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\mediaservice\qtmedia_audioengine.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\styles\qwindowsvistastyle.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_sk.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\msvcp140.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\imageformats\qico.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\mediaservice\wmfengine.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_it.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\Maono_link.nsi	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\Qt5Charts.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_ar.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_fr.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_gd.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_ko.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\libGLESV2.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\audio\qtaudio_wasapi.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\imageformats\qtga.dll	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_da.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_hu.qm	Maono Link v2.1.2.exe
File created	C:\Program Files (x86)\Maono\Maono Link\translations\qt_zh_TW.qm	Maono Link v2.1.2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4988	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	taskkill.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 4988	1788	Maono Link v2.1.2.exe	94
PID 1788 wrote to memory of 4988	1788	Maono Link v2.1.2.exe	94
PID 1788 wrote to memory of 4988	1788	Maono Link v2.1.2.exe	94

C:\Users\Admin\AppData\Local\Temp\Maono Link v2.1.2.exe
"C:\Users\Admin\AppData\Local\Temp\Maono Link v2.1.2.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "Maono Link".exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Maono\Maono Link\Maono Link.exe

Filesize
14.3MB

MD5
24af6533f3959a234c492ba89b88b567

SHA1
87cdcefb60e6aab54ebcd7602797d0d47dda1871

SHA256
7dd3cdabde2708cb052dea37a248a345e607c47a5f53653aec74a6df9c5f327f

SHA512
84787ceca43ee85a144b68487c114d26b782cb5905252ef63df5fa107e1423d57da38c0404966b098db92431e7da0bc502451fa598bd4e5c55fecc817a4e491e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC847.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC847.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC847.tmp\ioSpecial.ini

Filesize
700B

MD5
a9eb2b7ca2962eb41c54f262c009e47b

SHA1
6636975238fd00437c95b2baf74a19f78cf89aad

SHA256
26d3b3cbbc442b16a9d1973deb136dc69b06073cfb9bc75ae41d2d318cceb9c9

SHA512
8fd61476633e6ac6c8c0fa0b5213376e1f8b4833adedc1c7c2b3e7515a83a91977b59e7a7cbfb05210b41dfa622043e5fa2a63fbe0269745bee701285e110dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC847.tmp\ioSpecial.ini

Filesize
665B

MD5
4b176744f6cc7737c53526a0fa0b8a19

SHA1
09a245c791dede634d9f65b243d927d09c5830ef

SHA256
f433414afa06897e0391bf9655a360fc84cdd5bb9ba99f2157980c48738f7d87

SHA512
2e3e484071df1b16e460251e8b33ec22644477157f4ace8e3bf10fd411888ed83441a233cd671636e1f02f023c98792f94a20b507e44e142e8bdc48d4cf5cd73

Download Submit