Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 17-03-2022 01:48
Static task: static1
Behavioral task: behavioral1
- Sample: 0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd.ps1
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: 0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd.ps1
- Resource: win10v2004-en-20220113
General
- Target: 0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd.ps1
- Size: 1KB
- MD5: 55f6fc77fe92a071e6f034cf14cd4995
- SHA1: 83be4e551c97e5d11f40f6a09fb83cb387cb9c35
- SHA256: 0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd
- SHA512: 491106978efad966814ec0f9d6c14d7c11d989aa2470810881d77bc6bf5bc84bb05de0772aa44cdb7924546e25813a55d71be2c488c220434f5a8ec28198f75d
Malware Config
Extracted
- Family: vjw0rm
- C2: http://help-microsoft.dnslive.net:1166
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow  pid   process
  9     3768  powershell.exe
  15    3768  powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
  pid   process
  1784  SecurityHealth.exe
  3428  SecurityHealth.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  SecurityHealth.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  SecurityHealth.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes:
  description      ioc                                                                                                                                                                                           process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2DFKGSARR8 = "\"C:\\ProgramData\\Twitter\\log\\system\\SecurityHealth.exe\""  SecurityHealth.exe
  Key created      \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                  SecurityHealth.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2DFKGSARR8 = "\"C:\\ProgramData\\Twitter\\log\\system\\SecurityHealth.exe\""  SecurityHealth.exe
  Key created      \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                  SecurityHealth.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description rates this as likely ransomware behaviour; for a vjw0rm sample it is more consistent with the family's propagation over removable drives, so check any attached volumes for copies of the payload rather than assuming encryption activity.
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here each SecurityHealth.exe instance registers a task named "Skype" that re-launches the dropped binary every minute (see the command lines in the process tree).
  Processes:
  pid   process
  1124  schtasks.exe
  2332  schtasks.exe
- Modifies system certificate store (3 IoCs)
  Writes a certificate into the machine-wide AuthRoot store. AuthRoot is the store that Windows' automatic root-certificate update populates on demand when a process completes a TLS handshake chaining to a root not yet cached locally, so a single root appearing here during a network-enabled run is not by itself evidence of a malicious root install; verify the thumbprint (D69B561148F01C77C54578C10926DF5B856976AD) against a known public CA list before treating it as an IoC.
  Processes:
  description       ioc                                                                                                                                      process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD                   SecurityHealth.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = <blob data omitted>  SecurityHealth.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = <blob data omitted>  SecurityHealth.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  3768  powershell.exe
  3768  powershell.exe
  3528  powershell.exe
  3528  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  3768  powershell.exe
  Token: SeDebugPrivilege  3528  powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                        pid   process             target process
  PID 3768 wrote to memory of 3528   3768  powershell.exe      powershell.exe
  PID 3768 wrote to memory of 3528   3768  powershell.exe      powershell.exe
  PID 3528 wrote to memory of 1784   3528  powershell.exe      SecurityHealth.exe
  PID 3528 wrote to memory of 1784   3528  powershell.exe      SecurityHealth.exe
  PID 3528 wrote to memory of 1784   3528  powershell.exe      SecurityHealth.exe
  PID 1784 wrote to memory of 1124   1784  SecurityHealth.exe  schtasks.exe
  PID 1784 wrote to memory of 1124   1784  SecurityHealth.exe  schtasks.exe
  PID 3428 wrote to memory of 2332   3428  SecurityHealth.exe  schtasks.exe
  PID 3428 wrote to memory of 2332   3428  SecurityHealth.exe  schtasks.exe
Processes
(nesting depth is shown by indentation; each entry gives the image path, then the command line as logged, then the signatures attributed to that process)

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd.ps1
   - Blocklisted process makes network request
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted C:\Users\Public\like.ps1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\Twitter\log\system\SecurityHealth.exe
         "C:\ProgramData\Twitter\log\system\SecurityHealth.exe"
         - Executes dropped EXE
         - Checks computer location settings
         - Adds Run key to start application
         - Modifies system certificate store
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\Twitter\log\system\SecurityHealth.exe
            - Creates scheduled task(s)

1. C:\ProgramData\Twitter\log\system\SecurityHealth.exe (separate tree root; presumably the "Skype" task firing)
   C:\ProgramData\Twitter\log\system\SecurityHealth.exe
   - Executes dropped EXE
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\Twitter\log\system\SecurityHealth.exe
      - Creates scheduled task(s)
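Detection logic for the chain shown in the process tree and the signatures above (PowerShell run with a bypassed or unrestricted execution policy, a hidden second PowerShell stage, an EXE launched from ProgramData, the one-minute schtasks loop, and the Run-key entry pointing at the dropped binary), as an added example that is not part of the sandbox report. It runs over constructed Sysmon-style process-creation and registry records built from the command lines and registry IoCs on this page; the root parent PID (4000), the two benign control events, and the rule names are assumptions made for illustration.

```python
"""Rules for the behaviour chain in this report, run over constructed
Sysmon-style events. Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # Sysmon Event ID 1-style process creation record
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:           # Sysmon Event ID 13-style registry value set record
    pid: int
    image: str
    key: str
    data: str


# Directories a standard user can write to; binaries executed from here and
# persistence entries pointing here deserve scrutiny.
USER_WRITABLE = re.compile(r"(?i)\\(ProgramData|Users\\Public|AppData\\Local\\Temp)\\")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run\\")

# Constructed sample events reproducing the process tree and the Run-key IoC in
# the report. PIDs and command lines follow the report; the root parent PID
# (4000) and the two benign control events are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(3768, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0ad3fdd56e17e277a5b3e63f3340977ba5810d030dce4578c523614a914f5dfd.ps1"),
    ProcEvent(3528, 3768, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted C:\Users\Public\like.ps1'),
    ProcEvent(1784, 3528, r"C:\ProgramData\Twitter\log\system\SecurityHealth.exe",
              r'"C:\ProgramData\Twitter\log\system\SecurityHealth.exe"'),
    ProcEvent(1124, 1784, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\Twitter\log\system\SecurityHealth.exe'),
    # Benign control (assumed): an admin creating a daily task for a System32 binary.
    ProcEvent(5000, 4000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Windows\System32\wbadmin.exe start backup"'),
]
SAMPLE_REG = [
    RegEvent(1784, r"C:\ProgramData\Twitter\log\system\SecurityHealth.exe",
             r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2DFKGSARR8",
             r'"C:\ProgramData\Twitter\log\system\SecurityHealth.exe"'),
    # Benign control (assumed): a vendor updater registered from Program Files.
    RegEvent(6000, r"C:\Program Files\Vendor\Updater.exe",
             r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
             r'"C:\Program Files\Vendor\Updater.exe"'),
]


def _base(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def detect(events, reg_events=()):
    """Return (rule, pid) findings for process-creation and registry events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name, cmd, low = _base(e.image), e.cmdline, e.cmdline.lower()
        parent_is_ps = parent is not None and _base(parent.image) == "powershell.exe"

        # R1: PowerShell with a weakened execution policy running content from a user-writable path.
        if name == "powershell.exe" and re.search(r"-executionpolicy\s+(bypass|unrestricted)", low) \
                and USER_WRITABLE.search(cmd):
            findings.append(("ps_weak_policy_user_path", e.pid))
        # R2: hidden PowerShell spawned by PowerShell (second-stage loader pattern).
        if name == "powershell.exe" and parent_is_ps and "-windowstyle hidden" in low:
            findings.append(("ps_spawns_hidden_ps", e.pid))
        # R3: PowerShell launching an executable that lives in a user-writable directory.
        if parent_is_ps and name != "powershell.exe" and name.endswith(".exe") and USER_WRITABLE.search(e.image):
            findings.append(("ps_runs_dropped_exe", e.pid))
        # R4: schtasks creating a task that re-runs a user-writable binary every few minutes.
        if name == "schtasks.exe" and "/create" in low:
            interval = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", low)
            action = re.search(r'/tr\s+"?([^"]+)', cmd)   # tolerates the unterminated quote seen in the report
            if interval and int(interval.group(1)) <= 5 and action and USER_WRITABLE.search(action.group(1)):
                findings.append(("schtasks_minute_persistence", e.pid))
    for r in reg_events:
        # R5: Run-key value whose command points into a user-writable directory.
        if RUN_KEY.search(r.key) and USER_WRITABLE.search(r.data):
            findings.append(("run_key_user_writable_target", r.pid))
    return findings


def run_sample():
    """Run the rules over the constructed events."""
    return detect(SAMPLE_EVENTS, SAMPLE_REG)


if __name__ == "__main__":
    for rule, pid in run_sample():
        print(f"{rule:32} pid={pid}")
```

The rules deliberately key on properties that survive re-packaging (a user-writable path in the command or action, a sub-five-minute schtasks interval, PowerShell spawning hidden PowerShell) rather than on the per-sample task name "Skype", the Run value name "2DFKGSARR8" or the "Twitter\log\system" directory, which are trivially changed between builds; those strings still belong in an IoC list for retro-hunting this specific campaign.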
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Twitter\log\system\SecurityHealth.exe
  MD5: e8e4ea0f80c9ff49df07e9c1b119ba2a
  SHA1: 612deab27c7c0fd1bf21a2afe807da2fdf4c42e0
  SHA256: 062e98994d7579f0ec3c0f2932ee604c16fc98be0c771cb1498409e595ff1904
  SHA512: bf7cc10726af050986b7b8dca68c99228c75acf68798af958cb48bdb9d77af8d424330cbfbae72f385cf4ae1f4f54035f820d23934034b88af915f6f7683b23e
- C:\ProgramData\Twitter\log\system\SecurityHealth.exe.manifest
  MD5: 4fe2c92cbf50391693d4dac365d46553
  SHA1: 029fd15fea25c2419e4ec1f7f1015ea87faaa92e
  SHA256: f56223f8841a2e832dae953f3801f5462070ed0c0f0526407ce77325c90e2c26
  SHA512: 041426e3aeab004dd57e8cb9758ce249714fd5a1e45a5db374d76796a4b29c09faf0224921b7742634cb872be96b61b693041cbb17643cb4f64f0edb35514466
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 3003448ee73abf14d5c8011a37c40600
  SHA1: b88e9cdbae2e27a25f0858fc0b6d79533fb160d8
  SHA256: ae448d99735879ecee1dc3088c8f7553ebff461b96172d8f3cb5ff2fa2a12d4a
  SHA512: 0fe52614eec6d75a265ae380aaa1eb153bc35a1baae4d118637798575169d9dba5ad751efab5d7f5dbe9764bfb96e9ae76577a3487429a3383b5b08d5402fe3a
- C:\Users\Public\like.ps1
  MD5: 041841f16c9cf05496948b5564ae662c
  SHA1: 54a21f53c32cb71104ed9b4333e0183de0ec16d5
  SHA256: 2af975634c3b24ee2c60d3821f309369c1036599c26777aa20e722058d7cd36b
  SHA512: 108c58bf4740766f304c197a214a793a06769c27a5390df81cdbf4fbdef94d4104c2cf832f00f9f07989c0a8a58fd46f4f85cac2172ff665ea2b0b9b5a75be25
- memory/3528-138-0x00007FFC86940000-0x00007FFC87401000-memory.dmp
  Filesize: 10.8MB
- memory/3768-130-0x0000019530AB0000-0x0000019530AD2000-memory.dmp
  Filesize: 136KB
- memory/3768-131-0x00007FFC86940000-0x00007FFC87401000-memory.dmp
  Filesize: 10.8MB
- memory/3768-132-0x0000019530B90000-0x0000019530B92000-memory.dmp
  Filesize: 8KB
- memory/3768-133-0x0000019530B93000-0x0000019530B95000-memory.dmp
  Filesize: 8KB
- memory/3768-134-0x0000019530B96000-0x0000019530B98000-memory.dmp
  Filesize: 8KB