a9b3e1a86a6317650881c9c631410482521c130de594bcbf91ef1f5f24d038a9

Analysis

max time kernel
143s
max time network
143s
platform
windows7_x64
resource
win7
submitted
19-06-2020 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MANQUEDB_829028353025266.vbs
Size

36.2MB
MD5

35f91ef6a9f5cbba47555ed092cda0fc
SHA1

b2df8023f4821752020a73a6095e4790abd9d86f
SHA256

a9b3e1a86a6317650881c9c631410482521c130de594bcbf91ef1f5f24d038a9
SHA512

6039715f0b0a92dd6babf65c4fe50c1cb82531f9d60154ca3fe8cd371c31bffca0fbbc064b23de712fca9556e0e5e7ba917fd519cc27607e2d692820c7b9e940

Score

9^/10

cryptone packer

Malware Config

Signatures

CryptOne packer 9 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe	cryptone
\Users\Admin\AppData\Local\Temp\PicturesViewer.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe	cryptone
\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe	cryptone
\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe	cryptone

Blacklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

4 1156 WScript.exe
6 1156 WScript.exe
Executes dropped EXE 4 IoCs

Processes:

PicturesViewer.exePicturesViewer.exebqzfi.exebqzfi.exe

pid process

1128 PicturesViewer.exe
1924 PicturesViewer.exe
1632 bqzfi.exe
1208 bqzfi.exe
Loads dropped DLL 3 IoCs

Processes:

PicturesViewer.exe

pid process

1128 PicturesViewer.exe
1128 PicturesViewer.exe
1128 PicturesViewer.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1552 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PicturesViewer.exePicturesViewer.exebqzfi.exe

pid process

1128 PicturesViewer.exe
1924 PicturesViewer.exe
1924 PicturesViewer.exe
1632 bqzfi.exe

flow	pid	process
4	1156	WScript.exe
6	1156	WScript.exe

pid	process
1128	PicturesViewer.exe
1924	PicturesViewer.exe
1632	bqzfi.exe
1208	bqzfi.exe

pid	process
1128	PicturesViewer.exe
1128	PicturesViewer.exe
1128	PicturesViewer.exe

pid	process
1552	schtasks.exe

pid	process
1128	PicturesViewer.exe
1924	PicturesViewer.exe
1924	PicturesViewer.exe
1632	bqzfi.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exePicturesViewer.exebqzfi.exe

description	pid	process	target process
PID 1156 wrote to memory of 1128	1156	WScript.exe	PicturesViewer.exe
PID 1156 wrote to memory of 1128	1156	WScript.exe	PicturesViewer.exe
PID 1156 wrote to memory of 1128	1156	WScript.exe	PicturesViewer.exe
PID 1156 wrote to memory of 1128	1156	WScript.exe	PicturesViewer.exe
PID 1128 wrote to memory of 1924	1128	PicturesViewer.exe	PicturesViewer.exe
PID 1128 wrote to memory of 1924	1128	PicturesViewer.exe	PicturesViewer.exe
PID 1128 wrote to memory of 1924	1128	PicturesViewer.exe	PicturesViewer.exe
PID 1128 wrote to memory of 1924	1128	PicturesViewer.exe	PicturesViewer.exe
PID 1128 wrote to memory of 1632	1128	PicturesViewer.exe	bqzfi.exe
PID 1128 wrote to memory of 1632	1128	PicturesViewer.exe	bqzfi.exe
PID 1128 wrote to memory of 1632	1128	PicturesViewer.exe	bqzfi.exe
PID 1128 wrote to memory of 1632	1128	PicturesViewer.exe	bqzfi.exe
PID 1128 wrote to memory of 1552	1128	PicturesViewer.exe	schtasks.exe
PID 1128 wrote to memory of 1552	1128	PicturesViewer.exe	schtasks.exe
PID 1128 wrote to memory of 1552	1128	PicturesViewer.exe	schtasks.exe
PID 1128 wrote to memory of 1552	1128	PicturesViewer.exe	schtasks.exe
PID 1632 wrote to memory of 1208	1632	bqzfi.exe	bqzfi.exe
PID 1632 wrote to memory of 1208	1632	bqzfi.exe	bqzfi.exe
PID 1632 wrote to memory of 1208	1632	bqzfi.exe	bqzfi.exe
PID 1632 wrote to memory of 1208	1632	bqzfi.exe	bqzfi.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MANQUEDB_829028353025266.vbs"
1⤵
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe /C
4⤵
- Executes dropped EXE
PID:1208

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tdsqfutba /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I tdsqfutba" /SC ONCE /Z /ST 15:59 /ET 16:11
3⤵
- Creates scheduled task(s)
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Qpdrllsweeo\bqzfi.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
memory/1128-0-0x0000000000000000-mapping.dmp

Download
memory/1156-2-0x0000000003070000-0x0000000003074000-memory.dmp

Filesize
16KB

Download
memory/1208-14-0x0000000000000000-mapping.dmp

Download
memory/1552-12-0x0000000000000000-mapping.dmp

Download
memory/1632-10-0x0000000000000000-mapping.dmp

Download
memory/1924-7-0x0000000002450000-0x0000000002461000-memory.dmp

Filesize
68KB

Download
memory/1924-5-0x0000000000000000-mapping.dmp

Download