vjw0rm | 4dd51675717f0f703ecbfa8e39c69a3038d2a3a42927a1cb5ab0271d3bfebbb4

Analysis

max time kernel
149s
max time network
152s
platform
windows10_x64
resource
win10-en-20211104
submitted
06-12-2021 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KBH-209294916.js
Size

317KB
MD5

7af00552a9b9ae64342d289f60c43627
SHA1

dae12e7429417f66e4419bfc6cb1b0f1e820c7c9
SHA256

4dd51675717f0f703ecbfa8e39c69a3038d2a3a42927a1cb5ab0271d3bfebbb4
SHA512

dbde91eaf3dff80b491e96336d90992f8ce3251e4ce3dd4f510135fedd7ef3b8810daaa4171eb64805780500e2ff5a44b1501ae0467eeba2b5d29254059e3f07

Score

10^/10

vjw0rm xloader pzi0 loader persistence rat suricata trojan worm

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pzi0

http://www.buffstaff.com/pzi0/

Decoy

laylmodest.com

woruke.club

metaverseslots.net

syscogent.net

aluxxenterprise.com

lm-solar.com

lightempirestore.com

witcheboutique.com

hometech-bosch.xyz

expert-netcad.com

poteconomist.com

mycousinsfriend.biz

shineveranda.com

collegedictionary.cloud

zqlidexx.com

businessesopportunity.com

2utalahs4.com

participatetn.info

dare2ownit.com

varser.com

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/408-326-0x000000000041D480-mapping.dmp	xloader
behavioral2/memory/408-328-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1312-336-0x00000000001A0000-0x00000000001C9000-memory.dmp	xloader

Blocklisted process makes network request 19 IoCs

Processes:

wscript.exe

flow	pid	process
10	3920	wscript.exe
25	3920	wscript.exe
31	3920	wscript.exe
32	3920	wscript.exe
33	3920	wscript.exe
34	3920	wscript.exe
35	3920	wscript.exe
36	3920	wscript.exe
39	3920	wscript.exe
40	3920	wscript.exe
45	3920	wscript.exe
48	3920	wscript.exe
53	3920	wscript.exe
56	3920	wscript.exe
61	3920	wscript.exe
64	3920	wscript.exe
68	3920	wscript.exe
72	3920	wscript.exe
75	3920	wscript.exe

Executes dropped EXE 3 IoCs

Processes:

business1.exebusiness1.exebusiness1.exe

pid process

4196 business1.exe
1444 business1.exe
408 business1.exe

pid	process
4196	business1.exe
1444	business1.exe
408	business1.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pYpNUJIEMR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pYpNUJIEMR.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\pYpNUJIEMR.js\""	wscript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

business1.exebusiness1.exenetsh.exe

description	pid	process	target process
PID 4196 set thread context of 408	4196	business1.exe	business1.exe
PID 408 set thread context of 2416	408	business1.exe	Explorer.EXE
PID 1312 set thread context of 2416	1312	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

powershell.exepowershell.exebusiness1.exebusiness1.exenetsh.exe

pid	process
632	powershell.exe
632	powershell.exe
632	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
4196	business1.exe
4196	business1.exe
4196	business1.exe
4196	business1.exe
4196	business1.exe
4196	business1.exe
408	business1.exe
408	business1.exe
408	business1.exe
408	business1.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe
1312	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2416 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

business1.exenetsh.exe

pid process

408 business1.exe
408 business1.exe
408 business1.exe
1312 netsh.exe
1312 netsh.exe

pid	process
2416	Explorer.EXE

pid	process
408	business1.exe
408	business1.exe
408	business1.exe
1312	netsh.exe
1312	netsh.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

business1.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4196	business1.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeIncreaseQuotaPrivilege	632	powershell.exe
Token: SeSecurityPrivilege	632	powershell.exe
Token: SeTakeOwnershipPrivilege	632	powershell.exe
Token: SeLoadDriverPrivilege	632	powershell.exe
Token: SeSystemProfilePrivilege	632	powershell.exe
Token: SeSystemtimePrivilege	632	powershell.exe
Token: SeProfSingleProcessPrivilege	632	powershell.exe
Token: SeIncBasePriorityPrivilege	632	powershell.exe
Token: SeCreatePagefilePrivilege	632	powershell.exe
Token: SeBackupPrivilege	632	powershell.exe
Token: SeRestorePrivilege	632	powershell.exe
Token: SeShutdownPrivilege	632	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeSystemEnvironmentPrivilege	632	powershell.exe
Token: SeRemoteShutdownPrivilege	632	powershell.exe
Token: SeUndockPrivilege	632	powershell.exe
Token: SeManageVolumePrivilege	632	powershell.exe
Token: 33	632	powershell.exe
Token: 34	632	powershell.exe
Token: 35	632	powershell.exe
Token: 36	632	powershell.exe
Token: SeIncreaseQuotaPrivilege	632	powershell.exe
Token: SeSecurityPrivilege	632	powershell.exe
Token: SeTakeOwnershipPrivilege	632	powershell.exe
Token: SeLoadDriverPrivilege	632	powershell.exe
Token: SeSystemProfilePrivilege	632	powershell.exe
Token: SeSystemtimePrivilege	632	powershell.exe
Token: SeProfSingleProcessPrivilege	632	powershell.exe
Token: SeIncBasePriorityPrivilege	632	powershell.exe
Token: SeCreatePagefilePrivilege	632	powershell.exe
Token: SeBackupPrivilege	632	powershell.exe
Token: SeRestorePrivilege	632	powershell.exe
Token: SeShutdownPrivilege	632	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeSystemEnvironmentPrivilege	632	powershell.exe
Token: SeRemoteShutdownPrivilege	632	powershell.exe
Token: SeUndockPrivilege	632	powershell.exe
Token: SeManageVolumePrivilege	632	powershell.exe
Token: 33	632	powershell.exe
Token: 34	632	powershell.exe
Token: 35	632	powershell.exe
Token: 36	632	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeIncreaseQuotaPrivilege	3496	powershell.exe
Token: SeSecurityPrivilege	3496	powershell.exe
Token: SeTakeOwnershipPrivilege	3496	powershell.exe
Token: SeLoadDriverPrivilege	3496	powershell.exe
Token: SeSystemProfilePrivilege	3496	powershell.exe
Token: SeSystemtimePrivilege	3496	powershell.exe
Token: SeProfSingleProcessPrivilege	3496	powershell.exe
Token: SeIncBasePriorityPrivilege	3496	powershell.exe
Token: SeCreatePagefilePrivilege	3496	powershell.exe
Token: SeBackupPrivilege	3496	powershell.exe
Token: SeRestorePrivilege	3496	powershell.exe
Token: SeShutdownPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeSystemEnvironmentPrivilege	3496	powershell.exe
Token: SeRemoteShutdownPrivilege	3496	powershell.exe
Token: SeUndockPrivilege	3496	powershell.exe
Token: SeManageVolumePrivilege	3496	powershell.exe
Token: 33	3496	powershell.exe
Token: 34	3496	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

wscript.exebusiness1.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 2020 wrote to memory of 3920	2020	wscript.exe	wscript.exe
PID 2020 wrote to memory of 3920	2020	wscript.exe	wscript.exe
PID 2020 wrote to memory of 4196	2020	wscript.exe	business1.exe
PID 2020 wrote to memory of 4196	2020	wscript.exe	business1.exe
PID 2020 wrote to memory of 4196	2020	wscript.exe	business1.exe
PID 4196 wrote to memory of 632	4196	business1.exe	powershell.exe
PID 4196 wrote to memory of 632	4196	business1.exe	powershell.exe
PID 4196 wrote to memory of 632	4196	business1.exe	powershell.exe
PID 4196 wrote to memory of 3496	4196	business1.exe	powershell.exe
PID 4196 wrote to memory of 3496	4196	business1.exe	powershell.exe
PID 4196 wrote to memory of 3496	4196	business1.exe	powershell.exe
PID 4196 wrote to memory of 1444	4196	business1.exe	business1.exe
PID 4196 wrote to memory of 1444	4196	business1.exe	business1.exe
PID 4196 wrote to memory of 1444	4196	business1.exe	business1.exe
PID 4196 wrote to memory of 408	4196	business1.exe	business1.exe
PID 4196 wrote to memory of 408	4196	business1.exe	business1.exe
PID 4196 wrote to memory of 408	4196	business1.exe	business1.exe
PID 4196 wrote to memory of 408	4196	business1.exe	business1.exe
PID 4196 wrote to memory of 408	4196	business1.exe	business1.exe
PID 4196 wrote to memory of 408	4196	business1.exe	business1.exe
PID 2416 wrote to memory of 1312	2416	Explorer.EXE	netsh.exe
PID 2416 wrote to memory of 1312	2416	Explorer.EXE	netsh.exe
PID 2416 wrote to memory of 1312	2416	Explorer.EXE	netsh.exe
PID 1312 wrote to memory of 1228	1312	netsh.exe	cmd.exe
PID 1312 wrote to memory of 1228	1312	netsh.exe	cmd.exe
PID 1312 wrote to memory of 1228	1312	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\KBH-209294916.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pYpNUJIEMR.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:3920
- - C:\Users\Admin\AppData\Local\Temp\business1.exe
    "C:\Users\Admin\AppData\Local\Temp\business1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3496
  - - C:\Users\Admin\AppData\Local\Temp\business1.exe
      C:\Users\Admin\AppData\Local\Temp\business1.exe
      4⤵
      Executes dropped EXE
      PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\business1.exe
      C:\Users\Admin\AppData\Local\Temp\business1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:408
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\business1.exe"
    3⤵
    PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
a4022a7d2b113226b000be0705680813

SHA1
599e22d03201704127a045ca53ffb78f9ea3b6c3

SHA256
2557a14e476d55330043af2858dbf1377e24dba3fa9aedc369d5feefefb7f9a7

SHA512
40ef88632a4ad38a7d21c640a7f0c8cd7c76b8451f55dd758c15baa5a90f4f0938de409426570c4405362fd2d90fadd96d23d190e09692b5fbe2c87ebc8d3c60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
087f71eb3a7a2c772ebf112babfdade8

SHA1
8adcd795c7b9bf46bf7d3a7b8e4cda611f8c0f4f

SHA256
62a00b06b7ab1b5ac4b28314a66fc4c18a9188fa96c16283b6ecdff003ad3dc6

SHA512
9a89cd483bc3af9af3ecb053bef104cbfaaf7caed9a624d0b757cc2aee5c3797698b7b168bb2d663d1fdcf016e78d655457a5708d446d4df26a4d43d59f83b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\business1.exe

MD5
02210ee8684c318e39358bdb0e4f4956

SHA1
6e8f72016e4977b587ddb5369bfbb9b79dc09104

SHA256
ff6941f913740a953c2878ab6bf852e5dfe92f5464f3ca41e86fbe6b6b3a1ef7

SHA512
31de499132a35378320037c0c1a7598b3379919ce5cc42a73fe3e8afe84265f7733c94f5342d35041558092983840670c1a637ce0daceca5bedf91de0514bf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\business1.exe

MD5
02210ee8684c318e39358bdb0e4f4956

SHA1
6e8f72016e4977b587ddb5369bfbb9b79dc09104

SHA256
ff6941f913740a953c2878ab6bf852e5dfe92f5464f3ca41e86fbe6b6b3a1ef7

SHA512
31de499132a35378320037c0c1a7598b3379919ce5cc42a73fe3e8afe84265f7733c94f5342d35041558092983840670c1a637ce0daceca5bedf91de0514bf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\business1.exe

MD5
02210ee8684c318e39358bdb0e4f4956

SHA1
6e8f72016e4977b587ddb5369bfbb9b79dc09104

SHA256
ff6941f913740a953c2878ab6bf852e5dfe92f5464f3ca41e86fbe6b6b3a1ef7

SHA512
31de499132a35378320037c0c1a7598b3379919ce5cc42a73fe3e8afe84265f7733c94f5342d35041558092983840670c1a637ce0daceca5bedf91de0514bf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\business1.exe

MD5
02210ee8684c318e39358bdb0e4f4956

SHA1
6e8f72016e4977b587ddb5369bfbb9b79dc09104

SHA256
ff6941f913740a953c2878ab6bf852e5dfe92f5464f3ca41e86fbe6b6b3a1ef7

SHA512
31de499132a35378320037c0c1a7598b3379919ce5cc42a73fe3e8afe84265f7733c94f5342d35041558092983840670c1a637ce0daceca5bedf91de0514bf96

Download Submit
C:\Users\Admin\AppData\Roaming\pYpNUJIEMR.js

MD5
56394f31c4ebe4c2569a078dc11f8b59

SHA1
72746e1bf2ab9def45d0bb3ecb09fbe42a132271

SHA256
1e5307933ab0b9a516b099fd4ffbcd0a80cb057076fd932fe3d70b257191226a

SHA512
b06d914c1c658d67414be6332c8855e462c3b4e59dfeb3b8cac6dca882795448f6ea664cfa9e83c30b0a7354a959c521c892dd4e4aad390b001f304abb716ca1

Download Submit
memory/408-331-0x0000000001330000-0x0000000001341000-memory.dmp

Filesize
68KB

Download
memory/408-329-0x0000000001450000-0x0000000001770000-memory.dmp

Filesize
3.1MB

Download
memory/408-328-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/408-326-0x000000000041D480-mapping.dmp

Download
memory/632-132-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/632-143-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/632-128-0x0000000000000000-mapping.dmp

Download
memory/632-133-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/632-134-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/632-135-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/632-136-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/632-137-0x00000000084A0000-0x00000000084A1000-memory.dmp

Filesize
4KB

Download
memory/632-138-0x0000000008510000-0x0000000008511000-memory.dmp

Filesize
4KB

Download
memory/632-139-0x0000000008860000-0x0000000008861000-memory.dmp

Filesize
4KB

Download
memory/632-141-0x00000000074E2000-0x00000000074E3000-memory.dmp

Filesize
4KB

Download
memory/632-140-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/632-142-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/632-129-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/632-147-0x0000000009BA0000-0x0000000009BA1000-memory.dmp

Filesize
4KB

Download
memory/632-148-0x0000000008E20000-0x0000000008E21000-memory.dmp

Filesize
4KB

Download
memory/632-149-0x00000000098C0000-0x00000000098C1000-memory.dmp

Filesize
4KB

Download
memory/632-157-0x000000000ACC0000-0x000000000ACC1000-memory.dmp

Filesize
4KB

Download
memory/632-174-0x00000000074E3000-0x00000000074E4000-memory.dmp

Filesize
4KB

Download
memory/632-130-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/1228-334-0x0000000000000000-mapping.dmp

Download
memory/1312-338-0x0000000000B60000-0x0000000000BF0000-memory.dmp

Filesize
576KB

Download
memory/1312-337-0x0000000003030000-0x0000000003350000-memory.dmp

Filesize
3.1MB

Download
memory/1312-335-0x0000000001010000-0x000000000102E000-memory.dmp

Filesize
120KB

Download
memory/1312-336-0x00000000001A0000-0x00000000001C9000-memory.dmp

Filesize
164KB

Download
memory/1312-333-0x0000000000000000-mapping.dmp

Download
memory/2416-332-0x0000000004F80000-0x000000000509F000-memory.dmp

Filesize
1.1MB

Download
memory/2416-339-0x0000000002440000-0x0000000002522000-memory.dmp

Filesize
904KB

Download
memory/3496-224-0x0000000000000000-mapping.dmp

Download
memory/3496-255-0x0000000004CC3000-0x0000000004CC4000-memory.dmp

Filesize
4KB

Download
memory/3496-239-0x0000000004CC2000-0x0000000004CC3000-memory.dmp

Filesize
4KB

Download
memory/3496-238-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3920-118-0x0000000000000000-mapping.dmp

Download
memory/4196-123-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/4196-120-0x0000000000000000-mapping.dmp

Download
memory/4196-125-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/4196-126-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/4196-127-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/4196-131-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download