Analysis
-
max time kernel
94s -
max time network
106s -
platform
windows7_x64 -
resource
win7 -
submitted
26-08-2020 00:07
Static task
static1
Behavioral task
behavioral1
Sample
haywood.ps1
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
haywood.ps1
Resource
win10v200722
windows10_x64
0 signatures
0 seconds
General
-
Target
haywood.ps1
-
Size
1.4MB
-
MD5
d87fcd8d2bf450b0056a151e9a116f72
-
SHA1
48cb6bdbe092e5a90c778114b2dda43ce3221c9f
-
SHA256
3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80
-
SHA512
61a636aca3d224dcd2ed29ca000cf0ecf88f51ffd7cb5182ea4599c9e889cb74b78824d93c7383457bd6d591506202527d44c6a15c93a9ab9cfc8230faddd04b
Score
10/10
Malware Config
Signatures
-
Chimera
Ransomware which infects local and network files, often distributed via Dropbox links.
-
Blacklisted process makes network request 1 IoCs
flow pid Process 4 1948 powershell.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\YOUR_FILES_ARE_ENCRYPTED.HTML powershell.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies service 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1768 powershell.exe 1768 powershell.exe 1948 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1768 powershell.exe Token: SeDebugPrivilege 1948 powershell.exe Token: SeBackupPrivilege 1444 vssvc.exe Token: SeRestorePrivilege 1444 vssvc.exe Token: SeAuditPrivilege 1444 vssvc.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1768 wrote to memory of 1912 1768 powershell.exe 25 PID 1768 wrote to memory of 1912 1768 powershell.exe 25 PID 1768 wrote to memory of 1912 1768 powershell.exe 25 PID 1912 wrote to memory of 1916 1912 csc.exe 26 PID 1912 wrote to memory of 1916 1912 csc.exe 26 PID 1912 wrote to memory of 1916 1912 csc.exe 26 PID 1768 wrote to memory of 1948 1768 powershell.exe 27 PID 1768 wrote to memory of 1948 1768 powershell.exe 27 PID 1768 wrote to memory of 1948 1768 powershell.exe 27 PID 1768 wrote to memory of 1948 1768 powershell.exe 27 PID 1948 wrote to memory of 1644 1948 powershell.exe 29 PID 1948 wrote to memory of 1644 1948 powershell.exe 29 PID 1948 wrote to memory of 1644 1948 powershell.exe 29 PID 1948 wrote to memory of 1644 1948 powershell.exe 29 PID 1644 wrote to memory of 1596 1644 csc.exe 30 PID 1644 wrote to memory of 1596 1644 csc.exe 30 PID 1644 wrote to memory of 1596 1644 csc.exe 30 PID 1644 wrote to memory of 1596 1644 csc.exe 30
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\haywood.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffhe4glx\ffhe4glx.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES206B.tmp" "c:\Users\Admin\AppData\Local\Temp\ffhe4glx\CSC39887E46EA414858859E17EBB57BEB.TMP"3⤵PID:1916
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\haywood.ps1"2⤵
- Blacklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sqxtdbbp\sqxtdbbp.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A12.tmp" "c:\Users\Admin\AppData\Local\Temp\sqxtdbbp\CSC83BDB1C516BC433EBBF43137ABFF4B8D.TMP"4⤵PID:1596
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1444