vjw0rm | 0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd

General

Target

0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd.ps1
Size

1KB
MD5

55f6fc77fe92a071e6f034cf14cd4995
SHA1

83be4e551c97e5d11f40f6a09fb83cb387cb9c35
SHA256

0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd
SHA512

491106978efad966814ec0f9d6c14d7c11d989aa2470810881d77bc6bf5bc84bb05de0772aa44cdb7924546e25813a55d71be2c488c220434f5a8ec28198f75d

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

C2

http://help-microsoft.dnslive.net:1166

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

9 3768 powershell.exe
15 3768 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

SecurityHealth.exeSecurityHealth.exe

pid process

1784 SecurityHealth.exe
3428 SecurityHealth.exe

flow	pid	process
9	3768	powershell.exe
15	3768	powershell.exe

pid	process
1784	SecurityHealth.exe
3428	SecurityHealth.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecurityHealth.exeSecurityHealth.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	SecurityHealth.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	SecurityHealth.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecurityHealth.exeSecurityHealth.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2DFKGSARR8 = "\"C:\\ProgramData\\Twitter\\log\\system\\SecurityHealth.exe\""	SecurityHealth.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	SecurityHealth.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2DFKGSARR8 = "\"C:\\ProgramData\\Twitter\\log\\system\\SecurityHealth.exe\""	SecurityHealth.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	SecurityHealth.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1124 schtasks.exe
2332 schtasks.exe

pid	process
1124	schtasks.exe
2332	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SecurityHealth.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	SecurityHealth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	SecurityHealth.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	SecurityHealth.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3768 powershell.exe
3768 powershell.exe
3528 powershell.exe
3528 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3768 powershell.exe
Token: SeDebugPrivilege 3528 powershell.exe

pid	process
3768	powershell.exe
3768	powershell.exe
3528	powershell.exe
3528	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

powershell.exepowershell.exeSecurityHealth.exeSecurityHealth.exe

description	pid	process	target process
PID 3768 wrote to memory of 3528	3768	powershell.exe	powershell.exe
PID 3768 wrote to memory of 3528	3768	powershell.exe	powershell.exe
PID 3528 wrote to memory of 1784	3528	powershell.exe	SecurityHealth.exe
PID 3528 wrote to memory of 1784	3528	powershell.exe	SecurityHealth.exe
PID 3528 wrote to memory of 1784	3528	powershell.exe	SecurityHealth.exe
PID 1784 wrote to memory of 1124	1784	SecurityHealth.exe	schtasks.exe
PID 1784 wrote to memory of 1124	1784	SecurityHealth.exe	schtasks.exe
PID 3428 wrote to memory of 2332	3428	SecurityHealth.exe	schtasks.exe
PID 3428 wrote to memory of 2332	3428	SecurityHealth.exe	schtasks.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted C:\Users\Public\like.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528

C:\ProgramData\Twitter\log\system\SecurityHealth.exe
"C:\ProgramData\Twitter\log\system\SecurityHealth.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\Twitter\log\system\SecurityHealth.exe
4⤵
- Creates scheduled task(s)
PID:1124

C:\ProgramData\Twitter\log\system\SecurityHealth.exe
C:\ProgramData\Twitter\log\system\SecurityHealth.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\Twitter\log\system\SecurityHealth.exe
2⤵
- Creates scheduled task(s)
PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Twitter\log\system\SecurityHealth.exe
MD5
e8e4ea0f80c9ff49df07e9c1b119ba2a

SHA1
612deab27c7c0fd1bf21a2afe807da2fdf4c42e0

SHA256
062e98994d7579f0ec3c0f2932ee604c16fc98be0c771cb1498409e595ff1904

SHA512
bf7cc10726af050986b7b8dca68c99228c75acf68798af958cb48bdb9d77af8d424330cbfbae72f385cf4ae1f4f54035f820d23934034b88af915f6f7683b23e

Download Submit
C:\ProgramData\Twitter\log\system\SecurityHealth.exe
MD5
e8e4ea0f80c9ff49df07e9c1b119ba2a

SHA1
612deab27c7c0fd1bf21a2afe807da2fdf4c42e0

SHA256
062e98994d7579f0ec3c0f2932ee604c16fc98be0c771cb1498409e595ff1904

SHA512
bf7cc10726af050986b7b8dca68c99228c75acf68798af958cb48bdb9d77af8d424330cbfbae72f385cf4ae1f4f54035f820d23934034b88af915f6f7683b23e

Download Submit
C:\ProgramData\Twitter\log\system\SecurityHealth.exe
MD5
e8e4ea0f80c9ff49df07e9c1b119ba2a

SHA1
612deab27c7c0fd1bf21a2afe807da2fdf4c42e0

SHA256
062e98994d7579f0ec3c0f2932ee604c16fc98be0c771cb1498409e595ff1904

SHA512
bf7cc10726af050986b7b8dca68c99228c75acf68798af958cb48bdb9d77af8d424330cbfbae72f385cf4ae1f4f54035f820d23934034b88af915f6f7683b23e

Download Submit
C:\ProgramData\Twitter\log\system\SecurityHealth.exe.manifest
MD5
4fe2c92cbf50391693d4dac365d46553

SHA1
029fd15fea25c2419e4ec1f7f1015ea87faaa92e

SHA256
f56223f8841a2e832dae953f3801f5462070ed0c0f0526407ce77325c90e2c26

SHA512
041426e3aeab004dd57e8cb9758ce249714fd5a1e45a5db374d76796a4b29c09faf0224921b7742634cb872be96b61b693041cbb17643cb4f64f0edb35514466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3003448ee73abf14d5c8011a37c40600

SHA1
b88e9cdbae2e27a25f0858fc0b6d79533fb160d8

SHA256
ae448d99735879ecee1dc3088c8f7553ebff461b96172d8f3cb5ff2fa2a12d4a

SHA512
0fe52614eec6d75a265ae380aaa1eb153bc35a1baae4d118637798575169d9dba5ad751efab5d7f5dbe9764bfb96e9ae76577a3487429a3383b5b08d5402fe3a

Download Submit
C:\Users\Public\like.ps1
MD5
041841f16c9cf05496948b5564ae662c

SHA1
54a21f53c32cb71104ed9b4333e0183de0ec16d5

SHA256
2af975634c3b24ee2c60d3821f309369c1036599c26777aa20e722058d7cd36b

SHA512
108c58bf4740766f304c197a214a793a06769c27a5390df81cdbf4fbdef94d4104c2cf832f00f9f07989c0a8a58fd46f4f85cac2172ff665ea2b0b9b5a75be25

Download Submit
memory/3528-138-0x00007FFC86940000-0x00007FFC87401000-memory.dmp

Filesize
10.8MB

Download
memory/3768-130-0x0000019530AB0000-0x0000019530AD2000-memory.dmp

Filesize
136KB

Download
memory/3768-131-0x00007FFC86940000-0x00007FFC87401000-memory.dmp

Filesize
10.8MB

Download
memory/3768-132-0x0000019530B90000-0x0000019530B92000-memory.dmp

Filesize
8KB

Download
memory/3768-133-0x0000019530B93000-0x0000019530B95000-memory.dmp

Filesize
8KB

Download
memory/3768-134-0x0000019530B96000-0x0000019530B98000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads