Analysis
- max time kernel: 145s
- max time network: 131s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-06-2020 15:55

Static task: static1
Behavioral task: behavioral1
Sample: MANQUEDB_829028353025266.vbs
Resource: win7

General
- Target: MANQUEDB_829028353025266.vbs
- Size: 36.2MB
- MD5: 35f91ef6a9f5cbba47555ed092cda0fc
- SHA1: b2df8023f4821752020a73a6095e4790abd9d86f
- SHA256: a9b3e1a86a6317650881c9c631410482521c130de594bcbf91ef1f5f24d038a9
- SHA512: 6039715f0b0a92dd6babf65c4fe50c1cb82531f9d60154ca3fe8cd371c31bffca0fbbc064b23de712fca9556e0e5e7ba917fd519cc27607e2d692820c7b9e940
Malware Config

Signatures

- YARA rule matches
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe | cryptone
  C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe | cryptone
  C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe | cryptone
  C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe | cryptone
  C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe | cryptone
  C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe | cryptone

- Blacklisted process makes network request (2 IoCs)
  Processes:
  flow | pid | process
  5 | 2116 | WScript.exe
  7 | 2116 | WScript.exe

- Executes dropped EXE (4 IoCs)
  Processes:
  pid | process
  2960 | PicturesViewer.exe
  2916 | PicturesViewer.exe
  924 | erjmedbu.exe
  3744 | erjmedbu.exe

- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | PicturesViewer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | PicturesViewer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | PicturesViewer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | PicturesViewer.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | PicturesViewer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | PicturesViewer.exe

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  pid | process
  2960 | PicturesViewer.exe
  2960 | PicturesViewer.exe
  2916 | PicturesViewer.exe
  2916 | PicturesViewer.exe
  2916 | PicturesViewer.exe
  2916 | PicturesViewer.exe
  924 | erjmedbu.exe
  924 | erjmedbu.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description | pid | process | target process
  PID 2116 wrote to memory of 2960 | 2116 | WScript.exe | PicturesViewer.exe
  PID 2116 wrote to memory of 2960 | 2116 | WScript.exe | PicturesViewer.exe
  PID 2116 wrote to memory of 2960 | 2116 | WScript.exe | PicturesViewer.exe
  PID 2960 wrote to memory of 2916 | 2960 | PicturesViewer.exe | PicturesViewer.exe
  PID 2960 wrote to memory of 2916 | 2960 | PicturesViewer.exe | PicturesViewer.exe
  PID 2960 wrote to memory of 2916 | 2960 | PicturesViewer.exe | PicturesViewer.exe
  PID 2960 wrote to memory of 924 | 2960 | PicturesViewer.exe | erjmedbu.exe
  PID 2960 wrote to memory of 924 | 2960 | PicturesViewer.exe | erjmedbu.exe
  PID 2960 wrote to memory of 924 | 2960 | PicturesViewer.exe | erjmedbu.exe
  PID 2960 wrote to memory of 1992 | 2960 | PicturesViewer.exe | schtasks.exe
  PID 2960 wrote to memory of 1992 | 2960 | PicturesViewer.exe | schtasks.exe
  PID 2960 wrote to memory of 1992 | 2960 | PicturesViewer.exe | schtasks.exe
  PID 924 wrote to memory of 3744 | 924 | erjmedbu.exe | erjmedbu.exe
  PID 924 wrote to memory of 3744 | 924 | erjmedbu.exe | erjmedbu.exe
  PID 924 wrote to memory of 3744 | 924 | erjmedbu.exe | erjmedbu.exe
Processes

- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MANQUEDB_829028353025266.vbs"
  PID: 2116
  Signatures:
  - Blacklisted process makes network request
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
    PID: 2960
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
      PID: 2916
      Signatures:
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe
      PID: 924
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe /C
        PID: 3744
        Signatures:
        - Executes dropped EXE
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tnsgnjv /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I tnsgnjv" /SC ONCE /Z /ST 17:59 /ET 18:11
      PID: 1992
      Signatures:
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
  MD5: f346358b73c7a357e741b655bfa769fb
  SHA1: 9a67ccb069178df68ddf040ecb8a721e70b73d0e
  SHA256: 92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33
  SHA512: fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

- C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe
  MD5: f346358b73c7a357e741b655bfa769fb
  SHA1: 9a67ccb069178df68ddf040ecb8a721e70b73d0e
  SHA256: 92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33
  SHA512: fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

- memory/924-6-0x0000000000000000-mapping.dmp
- memory/1992-9-0x0000000000000000-mapping.dmp
- memory/2916-3-0x0000000000000000-mapping.dmp
- memory/2916-5-0x0000000002870000-0x0000000002871000-memory.dmp
  Filesize: 4KB
- memory/2960-0-0x0000000000000000-mapping.dmp
- memory/3744-10-0x0000000000000000-mapping.dmp