Analysis
max time kernel: 4294210s
max time network: 153s
platform: windows7_x64
resource: win7-20220311-en
submitted: 17-03-2022 01:48
Static task: static1
Behavioral task: behavioral1
  Sample: 0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd.ps1
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd.ps1
  Resource: win10v2004-en-20220113
General
Target: 0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd.ps1
Size: 1KB
MD5: 55f6fc77fe92a071e6f034cf14cd4995
SHA1: 83be4e551c97e5d11f40f6a09fb83cb387cb9c35
SHA256: 0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd
SHA512: 491106978efad966814ec0f9d6c14d7c11d989aa2470810881d77bc6bf5bc84bb05de0772aa44cdb7924546e25813a55d71be2c488c220434f5a8ec28198f75d
Malware Config
Extracted
  Family: vjw0rm
  URL: http://help-microsoft.dnslive.net:1166
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow 4  PID 1616  powershell.exe
    flow 5  PID 1616  powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 288   SecurityHealth.exe
    PID 2000  SecurityHealth.exe
- Loads dropped DLL (1 IoC)
  Processes:
    PID 1960  powershell.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes:
    SecurityHealth.exe  Key created: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth.exe  Set value (str): \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\2DFKGSARR8 = "\"C:\\ProgramData\\Twitter\\log\\system\\SecurityHealth.exe\""
    SecurityHealth.exe  Key created: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth.exe  Set value (str): \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\2DFKGSARR8 = "\"C:\\ProgramData\\Twitter\\log\\system\\SecurityHealth.exe\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    PID 1616  powershell.exe
    PID 1960  powershell.exe
    PID 1960  powershell.exe
    PID 1960  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 1616  powershell.exe
    Token: SeDebugPrivilege  PID 1960  powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
    PID 1616 wrote to memory of 1960  powershell.exe -> powershell.exe
    PID 1616 wrote to memory of 1960  powershell.exe -> powershell.exe
    PID 1616 wrote to memory of 1960  powershell.exe -> powershell.exe
    PID 1960 wrote to memory of 288   powershell.exe -> SecurityHealth.exe
    PID 1960 wrote to memory of 288   powershell.exe -> SecurityHealth.exe
    PID 1960 wrote to memory of 288   powershell.exe -> SecurityHealth.exe
    PID 1960 wrote to memory of 288   powershell.exe -> SecurityHealth.exe
    PID 288 wrote to memory of 972    SecurityHealth.exe -> schtasks.exe
    PID 288 wrote to memory of 972    SecurityHealth.exe -> schtasks.exe
    PID 288 wrote to memory of 972    SecurityHealth.exe -> schtasks.exe
    PID 1328 wrote to memory of 2000  taskeng.exe -> SecurityHealth.exe
    PID 1328 wrote to memory of 2000  taskeng.exe -> SecurityHealth.exe
    PID 1328 wrote to memory of 2000  taskeng.exe -> SecurityHealth.exe
    PID 1328 wrote to memory of 2000  taskeng.exe -> SecurityHealth.exe
    PID 2000 wrote to memory of 1752  SecurityHealth.exe -> schtasks.exe
    PID 2000 wrote to memory of 1752  SecurityHealth.exe -> schtasks.exe
    PID 2000 wrote to memory of 1752  SecurityHealth.exe -> schtasks.exe
Processes (tree depth in brackets)
- [1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd.ps1
    PID: 1616
    Signatures:
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted C:\Users\Public\like.ps1
      PID: 1960
      Signatures:
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - [3] C:\ProgramData\Twitter\log\system\SecurityHealth.exe
        Command line: "C:\ProgramData\Twitter\log\system\SecurityHealth.exe"
        PID: 288
        Signatures:
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\Twitter\log\system\SecurityHealth.exe
          PID: 972
          Signatures:
          - Creates scheduled task(s)
- [1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {554A54C7-E457-438D-8016-67D95DF8CA88} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
    PID: 1328
    Signatures:
    - Suspicious use of WriteProcessMemory
  - [2] C:\ProgramData\Twitter\log\system\SecurityHealth.exe
      Command line: C:\ProgramData\Twitter\log\system\SecurityHealth.exe
      PID: 2000
      Signatures:
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\Twitter\log\system\SecurityHealth.exe
        PID: 1752
        Signatures:
        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\Twitter\log\system\SecurityHealth.exe
  MD5: e8e4ea0f80c9ff49df07e9c1b119ba2a
  SHA1: 612deab27c7c0fd1bf21a2afe807da2fdf4c42e0
  SHA256: 062e98994d7579f0ec3c0f2932ee604c16fc98be0c771cb1498409e595ff1904
  SHA512: bf7cc10726af050986b7b8dca68c99228c75acf68798af958cb48bdb9d77af8d424330cbfbae72f385cf4ae1f4f54035f820d23934034b88af915f6f7683b23e

C:\ProgramData\Twitter\log\system\SecurityHealth.exe.manifest
  MD5: 4fe2c92cbf50391693d4dac365d46553
  SHA1: 029fd15fea25c2419e4ec1f7f1015ea87faaa92e
  SHA256: f56223f8841a2e832dae953f3801f5462070ed0c0f0526407ce77325c90e2c26
  SHA512: 041426e3aeab004dd57e8cb9758ce249714fd5a1e45a5db374d76796a4b29c09faf0224921b7742634cb872be96b61b693041cbb17643cb4f64f0edb35514466

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 567f448ad431e264eed7da4ca0974360
  SHA1: d4f366dfd8475cd5efcee67c5b6e276c53aac967
  SHA256: 12ebae4b6d3bbd82ef568a4bad927c53b56b14c2ca3d2429e2f8cbd753bc2635
  SHA512: 3bf87fc8c0690df2e99ad5c668dbef306ad3dcc15babd1aec0ba7b3a2a9c937dfbc9c2f06c74d5e111d3ee37beb2a5198b067e8a429a1e982fbcfd1cf3415f93

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 5243ee8e0c4d46fc13ba48a5c0660fa5
  SHA1: b34d199512db8b0497e99aa40a75cbc9352878ac
  SHA256: 8e1602cee9eb58953bc9e2f5e89503aed9af9a2ed69ff2008df1ed5bcab8d869
  SHA512: 93cac4d39abb9729eefc7da272732c11f2d29960ad3c5b8dc1114499b39308758c2ce357714df1bc4b8da9ba3bd5c41533e1b5d63c9eec05c4fe1e63c4ba2477

C:\Users\Public\like.ps1
  MD5: 041841f16c9cf05496948b5564ae662c
  SHA1: 54a21f53c32cb71104ed9b4333e0183de0ec16d5
  SHA256: 2af975634c3b24ee2c60d3821f309369c1036599c26777aa20e722058d7cd36b
  SHA512: 108c58bf4740766f304c197a214a793a06769c27a5390df81cdbf4fbdef94d4104c2cf832f00f9f07989c0a8a58fd46f4f85cac2172ff665ea2b0b9b5a75be25

\ProgramData\Twitter\log\system\SecurityHealth.exe
  MD5: e8e4ea0f80c9ff49df07e9c1b119ba2a
  SHA1: 612deab27c7c0fd1bf21a2afe807da2fdf4c42e0
  SHA256: 062e98994d7579f0ec3c0f2932ee604c16fc98be0c771cb1498409e595ff1904
  SHA512: bf7cc10726af050986b7b8dca68c99228c75acf68798af958cb48bdb9d77af8d424330cbfbae72f385cf4ae1f4f54035f820d23934034b88af915f6f7683b23e
Memory dumps
memory/288-77-0x0000000000200000-0x0000000000201000-memory.dmp  Filesize: 4KB
memory/1616-60-0x000000000258B000-0x00000000025AA000-memory.dmp  Filesize: 124KB
memory/1616-57-0x0000000002580000-0x0000000002582000-memory.dmp  Filesize: 8KB
memory/1616-55-0x000007FEF2D70000-0x000007FEF38CD000-memory.dmp  Filesize: 11.4MB
memory/1616-56-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp  Filesize: 9.6MB
memory/1616-58-0x000000001B730000-0x000000001BA2F000-memory.dmp  Filesize: 3.0MB
memory/1616-59-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp  Filesize: 9.6MB
memory/1616-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp  Filesize: 8KB
memory/1616-62-0x0000000002584000-0x0000000002587000-memory.dmp  Filesize: 12KB
memory/1616-61-0x0000000002582000-0x0000000002584000-memory.dmp  Filesize: 8KB
memory/1960-72-0x00000000028AB000-0x00000000028CA000-memory.dmp  Filesize: 124KB
memory/1960-70-0x00000000028A4000-0x00000000028A7000-memory.dmp  Filesize: 12KB
memory/1960-68-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp  Filesize: 9.6MB
memory/1960-69-0x00000000028A2000-0x00000000028A4000-memory.dmp  Filesize: 8KB
memory/1960-65-0x000007FEF2D70000-0x000007FEF38CD000-memory.dmp  Filesize: 11.4MB
memory/1960-67-0x00000000028A0000-0x00000000028A2000-memory.dmp  Filesize: 8KB
memory/1960-66-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp  Filesize: 9.6MB
memory/2000-82-0x00000000001F0000-0x00000000001F1000-memory.dmp  Filesize: 4KB