vjw0rm | 42cadce684f1b747fa31f2c109c2a729ca5d1baf4aed93f3c3f87fb8f7053deb

Analysis

Target

ORDER-21729.doc.js
Size

148KB
MD5

be1345c7e8039f7d3782a06a03361767
SHA1

21d422062fa6de71e94b529e67566477333df43f
SHA256

42cadce684f1b747fa31f2c109c2a729ca5d1baf4aed93f3c3f87fb8f7053deb
SHA512

54a486c8e832cedbadee557fd64f54493bf4ee7c5be2fe4f08a9c1a29f6663d1b91bddbf3038e306bf5060578617b7c6dd502f66e2444d7dc79e2da812a96da8

Score

10^/10

vjw0rm trojan worm

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

6 1932 wscript.exe

flow	pid	process
6	1932	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-21729.doc.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-21729.doc.js	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1932-59-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download