Overview

overview

10

Static

static

10

6ff88bf229...80.ps1

windows7_x64

10

6ff88bf229...80.ps1

windows10-2004_x64

10

Analysis

  • max time kernel
    4294211s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    17-03-2022 01:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ff88bf2296b946843af01f573fcef8ddcb4f2784a331cd97badf518e8f9e680.ps1

  • Size

    4KB

  • MD5

    2c0275283e4fbadda153bfc1749c3ef3

  • SHA1

    bde10a92bff89b8ea0c3c72a81241774cbbe1541

  • SHA256

    6ff88bf2296b946843af01f573fcef8ddcb4f2784a331cd97badf518e8f9e680

  • SHA512

    ed4e27a46e6c54f214374e791bf346449280258462dc6fc3bfe22bf077bc22c71058721be5b75e27baaca156c341517dbc9d72e299245fdaf6cc119f3f652677

Score
10/10
vjw0rmpersistencetrojanworm

Malware Config

Extracted

Family

vjw0rm

C2

http://help-microsoft.dnslive.net:1166

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\6ff88bf2296b946843af01f573fcef8ddcb4f2784a331cd97badf518e8f9e680.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted C:\Users\Public\Untitled.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted C:\Users\Public\like.ps1
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\ProgramData\Twitter\log\system\SecurityHealth.exe
        "C:\ProgramData\Twitter\log\system\SecurityHealth.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1344
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\Twitter\log\system\SecurityHealth.exe
          4⤵
          • Creates scheduled task(s)
          PID:1356
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0BEDED0F-3372-463F-82D3-0A40EA9E42FC} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\ProgramData\Twitter\log\system\SecurityHealth.exe
      C:\ProgramData\Twitter\log\system\SecurityHealth.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\Twitter\log\system\SecurityHealth.exe
        3⤵
        • Creates scheduled task(s)
        PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Twitter\log\system\SecurityHealth.exe
    MD5

    e8e4ea0f80c9ff49df07e9c1b119ba2a

    SHA1

    612deab27c7c0fd1bf21a2afe807da2fdf4c42e0

    SHA256

    062e98994d7579f0ec3c0f2932ee604c16fc98be0c771cb1498409e595ff1904

    SHA512

    bf7cc10726af050986b7b8dca68c99228c75acf68798af958cb48bdb9d77af8d424330cbfbae72f385cf4ae1f4f54035f820d23934034b88af915f6f7683b23e

    Download Submit
  • C:\ProgramData\Twitter\log\system\SecurityHealth.exe
    MD5

    e8e4ea0f80c9ff49df07e9c1b119ba2a

    SHA1

    612deab27c7c0fd1bf21a2afe807da2fdf4c42e0

    SHA256

    062e98994d7579f0ec3c0f2932ee604c16fc98be0c771cb1498409e595ff1904

    SHA512

    bf7cc10726af050986b7b8dca68c99228c75acf68798af958cb48bdb9d77af8d424330cbfbae72f385cf4ae1f4f54035f820d23934034b88af915f6f7683b23e

    Download Submit
  • C:\ProgramData\Twitter\log\system\SecurityHealth.exe
    MD5

    e8e4ea0f80c9ff49df07e9c1b119ba2a

    SHA1

    612deab27c7c0fd1bf21a2afe807da2fdf4c42e0

    SHA256

    062e98994d7579f0ec3c0f2932ee604c16fc98be0c771cb1498409e595ff1904

    SHA512

    bf7cc10726af050986b7b8dca68c99228c75acf68798af958cb48bdb9d77af8d424330cbfbae72f385cf4ae1f4f54035f820d23934034b88af915f6f7683b23e

    Download Submit
  • C:\ProgramData\Twitter\log\system\SecurityHealth.exe.manifest
    MD5

    4fe2c92cbf50391693d4dac365d46553

    SHA1

    029fd15fea25c2419e4ec1f7f1015ea87faaa92e

    SHA256

    f56223f8841a2e832dae953f3801f5462070ed0c0f0526407ce77325c90e2c26

    SHA512

    041426e3aeab004dd57e8cb9758ce249714fd5a1e45a5db374d76796a4b29c09faf0224921b7742634cb872be96b61b693041cbb17643cb4f64f0edb35514466

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    65de4ef765e941c3a2cd0db4105dd614

    SHA1

    2e7efe7ca88f4a94d0f977e85e301b98e999e615

    SHA256

    1e40ba273ba851ee694eeed3b0cf4c1eccd77e3b72feadd1a0c732108f08bc1d

    SHA512

    7819313df8a687de5c53982294dbb4637016ca35b4c95303a22b3e2d176195195f60cb434d99edb47f760a2ffcc0e83e539351c6247b1b8385b23917d6b28298

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    05b2f4a71009d9e2b18130b09c3e274f

    SHA1

    f11d148fc96edcbaae12b40a6a4daf4c8666ef8a

    SHA256

    baae95f3f3c0deebc7174b8909b9cbcd790cebb2720390111f4e53aa952624f0

    SHA512

    15431e7ab74718644bb090a3c2aa837e2c01b2d22bd218cb8a1e6bf9391d6181d879836588f5047c94f58d7cb2dfc36e7639770be3da65c95199753e7aa9ab00

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    1f21021395075552a216c2e645072bbc

    SHA1

    5a56a4d37d33fad81f243995c31447e4c4a5cfbe

    SHA256

    908d57636237dd1cb16686961b4e9f50b24df9cc3897ad1786c56225f56b4adc

    SHA512

    ba7ec96d39b5be07bbd805c303d699f84accf2128a1d301d2782400415f21d74b5c37c850f0927fcebdb1c43d9420d38a0f856c77eaebd71749d76db92fdcd53

    Download Submit
  • C:\Users\Public\like.ps1
    MD5

    041841f16c9cf05496948b5564ae662c

    SHA1

    54a21f53c32cb71104ed9b4333e0183de0ec16d5

    SHA256

    2af975634c3b24ee2c60d3821f309369c1036599c26777aa20e722058d7cd36b

    SHA512

    108c58bf4740766f304c197a214a793a06769c27a5390df81cdbf4fbdef94d4104c2cf832f00f9f07989c0a8a58fd46f4f85cac2172ff665ea2b0b9b5a75be25

    Download Submit
  • \ProgramData\Twitter\log\system\SecurityHealth.exe
    MD5

    e8e4ea0f80c9ff49df07e9c1b119ba2a

    SHA1

    612deab27c7c0fd1bf21a2afe807da2fdf4c42e0

    SHA256

    062e98994d7579f0ec3c0f2932ee604c16fc98be0c771cb1498409e595ff1904

    SHA512

    bf7cc10726af050986b7b8dca68c99228c75acf68798af958cb48bdb9d77af8d424330cbfbae72f385cf4ae1f4f54035f820d23934034b88af915f6f7683b23e

    Download Submit
  • memory/1076-89-0x0000000000300000-0x0000000000301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1344-81-0x0000000000200000-0x0000000000201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1664-68-0x00000000027A2000-0x00000000027A4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1664-66-0x00000000027A0000-0x00000000027A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1664-64-0x000007FEF29B0000-0x000007FEF350D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1664-69-0x00000000027A4000-0x00000000027A7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1664-70-0x00000000027AB000-0x00000000027CA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1664-65-0x000007FEF4E20000-0x000007FEF57BD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/1664-67-0x000007FEF4E20000-0x000007FEF57BD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/1888-54-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1888-60-0x00000000026B2000-0x00000000026B4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1888-59-0x000007FEF4E20000-0x000007FEF57BD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/1888-56-0x000007FEF4E20000-0x000007FEF57BD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/1888-58-0x00000000026B0000-0x00000000026B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1888-55-0x000007FEF29B0000-0x000007FEF350D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1888-61-0x00000000026B4000-0x00000000026B7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1888-57-0x00000000026BB000-0x00000000026DA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1912-73-0x000007FEF29B0000-0x000007FEF350D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1912-85-0x000007FEF4E20000-0x000007FEF57BD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/1912-84-0x00000000027CB000-0x00000000027EA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1912-83-0x00000000027C4000-0x00000000027C7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1912-78-0x000007FEF4E20000-0x000007FEF57BD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/1912-82-0x00000000027C0000-0x00000000027C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1912-74-0x000000001B740000-0x000000001BA3F000-memory.dmp
    Filesize

    3.0MB

    Download