a9b3e1a86a6317650881c9c631410482521c130de594bcbf91ef1f5f24d038a9

General

Target

MANQUEDB_829028353025266.vbs
Size

36.2MB
MD5

35f91ef6a9f5cbba47555ed092cda0fc
SHA1

b2df8023f4821752020a73a6095e4790abd9d86f
SHA256

a9b3e1a86a6317650881c9c631410482521c130de594bcbf91ef1f5f24d038a9
SHA512

6039715f0b0a92dd6babf65c4fe50c1cb82531f9d60154ca3fe8cd371c31bffca0fbbc064b23de712fca9556e0e5e7ba917fd519cc27607e2d692820c7b9e940

Score

9^/10

cryptone packer

Malware Config

Signatures

CryptOne packer 6 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe	cryptone

Blacklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

5 2116 WScript.exe
7 2116 WScript.exe
Executes dropped EXE 4 IoCs

Processes:

PicturesViewer.exePicturesViewer.exeerjmedbu.exeerjmedbu.exe

pid process

2960 PicturesViewer.exe
2916 PicturesViewer.exe
924 erjmedbu.exe
3744 erjmedbu.exe

flow	pid	process
5	2116	WScript.exe
7	2116	WScript.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

PicturesViewer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	PicturesViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	PicturesViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	PicturesViewer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1992 schtasks.exe

pid	process
1992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

PicturesViewer.exePicturesViewer.exeerjmedbu.exe

pid	process
2960	PicturesViewer.exe
2960	PicturesViewer.exe
2916	PicturesViewer.exe
2916	PicturesViewer.exe
2916	PicturesViewer.exe
2916	PicturesViewer.exe
924	erjmedbu.exe
924	erjmedbu.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.exePicturesViewer.exeerjmedbu.exe

description	pid	process	target process
PID 2116 wrote to memory of 2960	2116	WScript.exe	PicturesViewer.exe
PID 2116 wrote to memory of 2960	2116	WScript.exe	PicturesViewer.exe
PID 2116 wrote to memory of 2960	2116	WScript.exe	PicturesViewer.exe
PID 2960 wrote to memory of 2916	2960	PicturesViewer.exe	PicturesViewer.exe
PID 2960 wrote to memory of 2916	2960	PicturesViewer.exe	PicturesViewer.exe
PID 2960 wrote to memory of 2916	2960	PicturesViewer.exe	PicturesViewer.exe
PID 2960 wrote to memory of 924	2960	PicturesViewer.exe	erjmedbu.exe
PID 2960 wrote to memory of 924	2960	PicturesViewer.exe	erjmedbu.exe
PID 2960 wrote to memory of 924	2960	PicturesViewer.exe	erjmedbu.exe
PID 2960 wrote to memory of 1992	2960	PicturesViewer.exe	schtasks.exe
PID 2960 wrote to memory of 1992	2960	PicturesViewer.exe	schtasks.exe
PID 2960 wrote to memory of 1992	2960	PicturesViewer.exe	schtasks.exe
PID 924 wrote to memory of 3744	924	erjmedbu.exe	erjmedbu.exe
PID 924 wrote to memory of 3744	924	erjmedbu.exe	erjmedbu.exe
PID 924 wrote to memory of 3744	924	erjmedbu.exe	erjmedbu.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MANQUEDB_829028353025266.vbs"
1⤵
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2916

C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe /C
4⤵
- Executes dropped EXE
PID:3744

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tnsgnjv /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I tnsgnjv" /SC ONCE /Z /ST 17:59 /ET 18:11
3⤵
- Creates scheduled task(s)
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Oceieoyibux\erjmedbu.exe
MD5
f346358b73c7a357e741b655bfa769fb

SHA1
9a67ccb069178df68ddf040ecb8a721e70b73d0e

SHA256
92fd44834fad0d40c3e60302481e10c3bf1331400870f767415e65a715464c33

SHA512
fb984be3c8adb88eb394a8ffd7f9f99c945287d5bfa6b2ad93d4b73043f22a3b631212ac8677732261502f3979714da130faddfc7375c29992f5d56ef33c44f6

Download Submit
memory/924-6-0x0000000000000000-mapping.dmp

Download
memory/1992-9-0x0000000000000000-mapping.dmp

Download
memory/2916-3-0x0000000000000000-mapping.dmp

Download
memory/2916-5-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2960-0-0x0000000000000000-mapping.dmp

Download
memory/3744-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads