Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    17-03-2022 01:47

General

  • Target

    6ff88bf2296b946843af01f573fcef8ddcb4f2784a331cd97badf518e8f9e680.ps1

  • Size

    4KB

  • MD5

    2c0275283e4fbadda153bfc1749c3ef3

  • SHA1

    bde10a92bff89b8ea0c3c72a81241774cbbe1541

  • SHA256

    6ff88bf2296b946843af01f573fcef8ddcb4f2784a331cd97badf518e8f9e680

  • SHA512

    ed4e27a46e6c54f214374e791bf346449280258462dc6fc3bfe22bf077bc22c71058721be5b75e27baaca156c341517dbc9d72e299245fdaf6cc119f3f652677

Malware Config

Extracted

Family

vjw0rm

C2

http://help-microsoft.dnslive.net:1166

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (3 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (2 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store (2 TTPs, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\6ff88bf2296b946843af01f573fcef8ddcb4f2784a331cd97badf518e8f9e680.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted C:\Users\Public\Untitled.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted C:\Users\Public\like.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\ProgramData\Twitter\log\system\SecurityHealth.exe
        "C:\ProgramData\Twitter\log\system\SecurityHealth.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\Twitter\log\system\SecurityHealth.exe
          4⤵
          • Creates scheduled task(s)
          PID:4812
  • C:\ProgramData\Twitter\log\system\SecurityHealth.exe
    C:\ProgramData\Twitter\log\system\SecurityHealth.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\Twitter\log\system\SecurityHealth.exe
      2⤵
      • Creates scheduled task(s)
      PID:3576

Downloads

  • C:\ProgramData\Twitter\log\system\SecurityHealth.exe
    MD5

    e8e4ea0f80c9ff49df07e9c1b119ba2a

    SHA1

    612deab27c7c0fd1bf21a2afe807da2fdf4c42e0

    SHA256

    062e98994d7579f0ec3c0f2932ee604c16fc98be0c771cb1498409e595ff1904

    SHA512

    bf7cc10726af050986b7b8dca68c99228c75acf68798af958cb48bdb9d77af8d424330cbfbae72f385cf4ae1f4f54035f820d23934034b88af915f6f7683b23e

  • C:\ProgramData\Twitter\log\system\SecurityHealth.exe.manifest
    MD5

    4fe2c92cbf50391693d4dac365d46553

    SHA1

    029fd15fea25c2419e4ec1f7f1015ea87faaa92e

    SHA256

    f56223f8841a2e832dae953f3801f5462070ed0c0f0526407ce77325c90e2c26

    SHA512

    041426e3aeab004dd57e8cb9758ce249714fd5a1e45a5db374d76796a4b29c09faf0224921b7742634cb872be96b61b693041cbb17643cb4f64f0edb35514466

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    bd5940f08d0be56e65e5f2aaf47c538e

    SHA1

    d7e31b87866e5e383ab5499da64aba50f03e8443

    SHA256

    2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

    SHA512

    c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    3003448ee73abf14d5c8011a37c40600

    SHA1

    b88e9cdbae2e27a25f0858fc0b6d79533fb160d8

    SHA256

    ae448d99735879ecee1dc3088c8f7553ebff461b96172d8f3cb5ff2fa2a12d4a

    SHA512

    0fe52614eec6d75a265ae380aaa1eb153bc35a1baae4d118637798575169d9dba5ad751efab5d7f5dbe9764bfb96e9ae76577a3487429a3383b5b08d5402fe3a

  • C:\Users\Public\like.ps1
    MD5

    041841f16c9cf05496948b5564ae662c

    SHA1

    54a21f53c32cb71104ed9b4333e0183de0ec16d5

    SHA256

    2af975634c3b24ee2c60d3821f309369c1036599c26777aa20e722058d7cd36b

    SHA512

    108c58bf4740766f304c197a214a793a06769c27a5390df81cdbf4fbdef94d4104c2cf832f00f9f07989c0a8a58fd46f4f85cac2172ff665ea2b0b9b5a75be25

  • memory/1272-130-0x0000022B3ADD0000-0x0000022B3ADF2000-memory.dmp
    Filesize

    136KB

  • memory/1272-134-0x0000022B534F6000-0x0000022B534F8000-memory.dmp
    Filesize

    8KB

  • memory/1272-133-0x0000022B534F3000-0x0000022B534F5000-memory.dmp
    Filesize

    8KB

  • memory/1272-132-0x0000022B534F0000-0x0000022B534F2000-memory.dmp
    Filesize

    8KB

  • memory/1272-131-0x00007FFE89630000-0x00007FFE8A0F1000-memory.dmp
    Filesize

    10.8MB

  • memory/3852-136-0x00007FFE89630000-0x00007FFE8A0F1000-memory.dmp
    Filesize

    10.8MB

  • memory/3852-135-0x000001F4F1020000-0x000001F4F1022000-memory.dmp
    Filesize

    8KB

  • memory/4780-143-0x00007FFE89630000-0x00007FFE8A0F1000-memory.dmp
    Filesize

    10.8MB