9fd10bf47b3cc8064550344ccc5bd40f94072ccca78254b7e464ec6f8bcf03ca

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-09-2023 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SkySky/ManicTimeVico.exe
Size

623KB
MD5

d9746c8d55bed7b372ccef704f96ddda
SHA1

61c6b8ba9108fc7617264bb7d58e163457946e5b
SHA256

afbfea15784c32277edf9d4c985d210c5c46baef46db1c6bed2d2a964d2b70fd
SHA512

e00d687bd7cee039c6eddddab2b89e26136f842bda19630de53220f3459a73a4bd2ba0c76267b977e265d7cdf98d21cd94d327fa143477a427ccd0a5fd57910e
SSDEEP

12288:N7djaB7OoRTQTR7djaB7OoRTQTDiiiiiiiiiiiiii:rGBJRTQTHGBJRTQTDiiiiiiiiiiiiii

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1772-8-0x0000000001DD0000-0x0000000001E09000-memory.dmp	upx
behavioral1/memory/1772-11-0x0000000001DD0000-0x0000000001E09000-memory.dmp	upx
behavioral1/memory/1772-13-0x0000000001DD0000-0x0000000001E09000-memory.dmp	upx
behavioral1/memory/1584-21-0x0000000001C00000-0x0000000001C39000-memory.dmp	upx
behavioral1/memory/1584-25-0x0000000001C00000-0x0000000001C39000-memory.dmp	upx
behavioral1/memory/1772-40-0x0000000001DD0000-0x0000000001E09000-memory.dmp	upx
behavioral1/memory/1772-56-0x0000000001DD0000-0x0000000001E09000-memory.dmp	upx
behavioral1/memory/1772-55-0x0000000001DD0000-0x0000000001E09000-memory.dmp	upx
behavioral1/memory/1772-54-0x0000000001DD0000-0x0000000001E09000-memory.dmp	upx
behavioral1/memory/1772-57-0x0000000001DD0000-0x0000000001E09000-memory.dmp	upx

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe
1772	ManicTimeVico.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	2548	rundll32.exe
Token: SeRestorePrivilege	2548	rundll32.exe
Token: SeRestorePrivilege	2548	rundll32.exe
Token: SeRestorePrivilege	2548	rundll32.exe
Token: SeRestorePrivilege	2548	rundll32.exe
Token: SeRestorePrivilege	2548	rundll32.exe
Token: SeRestorePrivilege	2548	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1584	1772	ManicTimeVico.exe	28
PID 1772 wrote to memory of 1584	1772	ManicTimeVico.exe	28
PID 1772 wrote to memory of 1584	1772	ManicTimeVico.exe	28
PID 1772 wrote to memory of 1584	1772	ManicTimeVico.exe	28
PID 1772 wrote to memory of 2548	1772	ManicTimeVico.exe	29
PID 1772 wrote to memory of 2548	1772	ManicTimeVico.exe	29
PID 1772 wrote to memory of 2548	1772	ManicTimeVico.exe	29
PID 1772 wrote to memory of 2548	1772	ManicTimeVico.exe	29
PID 1772 wrote to memory of 2548	1772	ManicTimeVico.exe	29
PID 1772 wrote to memory of 2548	1772	ManicTimeVico.exe	29
PID 1772 wrote to memory of 2548	1772	ManicTimeVico.exe	29
PID 1772 wrote to memory of 2516	1772	ManicTimeVico.exe	30
PID 1772 wrote to memory of 2516	1772	ManicTimeVico.exe	30
PID 1772 wrote to memory of 2516	1772	ManicTimeVico.exe	30
PID 1772 wrote to memory of 2516	1772	ManicTimeVico.exe	30
PID 1772 wrote to memory of 2516	1772	ManicTimeVico.exe	30
PID 1772 wrote to memory of 2516	1772	ManicTimeVico.exe	30
PID 1772 wrote to memory of 2516	1772	ManicTimeVico.exe	30

C:\Users\Admin\AppData\Local\Temp\SkySky\ManicTimeVico.exe
"C:\Users\Admin\AppData\Local\Temp\SkySky\ManicTimeVico.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\SkySky\ManicTimeVico.exe
  "C:\Users\Admin\AppData\Local\Temp\SkySky\ManicTimeVico.exe"
  2⤵
  PID:1584
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" advpack.dll,LaunchINFSectionEx C:\Users\Admin\AppData\Roaming\apple\Runinf.inf ,DefaultInstall,,32
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" advpack.dll,LaunchINFSectionEx C:\Users\Admin\AppData\Roaming\apple\Runinf.inf ,DefaultInstall,,32
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\apple\Runinf.inf

Filesize
826B

MD5
62bb69ff89b339b279b69d1a13e9294e

SHA1
6a4daa541fea6807fd50bb2cc47e4e75be40a593

SHA256
cd1ed1c4d9194b87b10e0869af03bcecf01c084a1ba3b933bbb7468db89c0bad

SHA512
a45fd7b3b7d387e31285a20cc8c6aaa2a4630b08d9cedcd663e13659d56049d75017fdeca171c997d5e02857c945f56917776d4fd80a0c8f7966942116d5b8e6

Download Submit
C:\Users\Admin\AppData\Roaming\apple\Runlnk.lnk

Filesize
918B

MD5
75e1faaad7962900effbb8f1553edac0

SHA1
efe98c3167ee337c1724173d6c43ddd91f097c27

SHA256
8b905fc3a4d85b3c9a1a5dbf0244caebc4a9e9b01056f83ab166852ab88b9d9a

SHA512
31a50f7e929ea97f8d2992b5fc78356d7e0c0772f764468c348b482bf605c1f40e904fa256746e94e565665804686692a569cc9d98d63a1c23cfbc42da12f633

Download Submit
memory/1584-15-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/1584-59-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1584-25-0x0000000001C00000-0x0000000001C39000-memory.dmp

Filesize
228KB

Download
memory/1584-21-0x0000000001C00000-0x0000000001C39000-memory.dmp

Filesize
228KB

Download
memory/1584-19-0x00000000003F0000-0x00000000003FD000-memory.dmp

Filesize
52KB

Download
memory/1584-18-0x00000000003F0000-0x00000000003FD000-memory.dmp

Filesize
52KB

Download
memory/1584-16-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1584-17-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1584-14-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/1772-8-0x0000000001DD0000-0x0000000001E09000-memory.dmp

Filesize
228KB

Download
memory/1772-40-0x0000000001DD0000-0x0000000001E09000-memory.dmp

Filesize
228KB

Download
memory/1772-11-0x0000000001DD0000-0x0000000001E09000-memory.dmp

Filesize
228KB

Download
memory/1772-0-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1772-5-0x0000000000270000-0x000000000027D000-memory.dmp

Filesize
52KB

Download
memory/1772-6-0x0000000000270000-0x000000000027D000-memory.dmp

Filesize
52KB

Download
memory/1772-3-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1772-4-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1772-2-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/1772-13-0x0000000001DD0000-0x0000000001E09000-memory.dmp

Filesize
228KB

Download
memory/1772-56-0x0000000001DD0000-0x0000000001E09000-memory.dmp

Filesize
228KB

Download
memory/1772-55-0x0000000001DD0000-0x0000000001E09000-memory.dmp

Filesize
228KB

Download
memory/1772-54-0x0000000001DD0000-0x0000000001E09000-memory.dmp

Filesize
228KB

Download
memory/1772-57-0x0000000001DD0000-0x0000000001E09000-memory.dmp

Filesize
228KB

Download
memory/1772-58-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1772-1-0x0000000000240000-0x000000000025F000-memory.dmp

Filesize
124KB

Download
memory/1772-71-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1772-83-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download