vjw0rm | 6a2f6da502485750acde45ad22d36d186c335b2f61592c5eae168e9f971ffc70

Analysis

max time kernel
4294205s
max time network
153s
platform
windows7_x64
resource
win7-20220223-en
submitted
10-03-2022 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
Size

10.5MB
MD5

e1fad5d61bb637beb30aec6d3180ece2
SHA1

88966028db1eb2a41cec54875486638937a28208
SHA256

6a2f6da502485750acde45ad22d36d186c335b2f61592c5eae168e9f971ffc70
SHA512

5c87ab2570983aff67fe5d99dc157e9ebb040ea96a8344da0f1cdf6fdf9701ee014e43c69255773e95ae09d7c45ece9b119928b45c8fb400351ecccf996a56cb

Score

10^/10

vjw0rm persistence trojan upx worm

Malware Config

Extracted

Family

vjw0rm

http://tahoo.linkpc.net:777

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Executes dropped EXE 5 IoCs

Processes:

Setup.execonhost.exefiles.datconhost.exe

pid process

876 Setup.exe
1608 conhost.exe
1404
1280 files.dat
1096 conhost.exe

pid	process
876	Setup.exe
1608	conhost.exe
1404
1280	files.dat
1096	conhost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Setup.exe	upx
C:\Users\Admin\AppData\Roaming\Setup.exe	upx
C:\Users\Admin\AppData\Roaming\Setup.exe	upx

Drops startup file 4 IoCs

Processes:

6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.execonhost.execonhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe.manifest	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	conhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	conhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	conhost.exe

Loads dropped DLL 2 IoCs

Processes:

6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

pid process

1568 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
1568 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

pid	process
1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

conhost.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\FDOV3N4ZZM = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\""	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\FDOV3N4ZZM = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\""	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1536 schtasks.exe
668 schtasks.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

files.dat

pid process

1280 files.dat
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

pid process

1568 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
1568 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

pid process

1568 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
1568 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

pid	process
1536	schtasks.exe
668	schtasks.exe

pid	process
1280	files.dat

pid	process
1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

pid	process
1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exeSetup.execmd.execonhost.exetaskeng.execonhost.exe

description	pid	process	target process
PID 1568 wrote to memory of 876	1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	Setup.exe
PID 1568 wrote to memory of 876	1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	Setup.exe
PID 1568 wrote to memory of 876	1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	Setup.exe
PID 1568 wrote to memory of 876	1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	Setup.exe
PID 1568 wrote to memory of 876	1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	Setup.exe
PID 1568 wrote to memory of 876	1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	Setup.exe
PID 1568 wrote to memory of 876	1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	Setup.exe
PID 1568 wrote to memory of 1608	1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	conhost.exe
PID 1568 wrote to memory of 1608	1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	conhost.exe
PID 1568 wrote to memory of 1608	1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	conhost.exe
PID 1568 wrote to memory of 1608	1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	conhost.exe
PID 1568 wrote to memory of 1608	1568	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	conhost.exe
PID 876 wrote to memory of 1448	876	Setup.exe	cmd.exe
PID 876 wrote to memory of 1448	876	Setup.exe	cmd.exe
PID 876 wrote to memory of 1448	876	Setup.exe	cmd.exe
PID 876 wrote to memory of 1448	876	Setup.exe	cmd.exe
PID 1448 wrote to memory of 1280	1448	cmd.exe	files.dat
PID 1448 wrote to memory of 1280	1448	cmd.exe	files.dat
PID 1448 wrote to memory of 1280	1448	cmd.exe	files.dat
PID 1448 wrote to memory of 1280	1448	cmd.exe	files.dat
PID 1608 wrote to memory of 1536	1608	conhost.exe	schtasks.exe
PID 1608 wrote to memory of 1536	1608	conhost.exe	schtasks.exe
PID 1608 wrote to memory of 1536	1608	conhost.exe	schtasks.exe
PID 1896 wrote to memory of 1096	1896	taskeng.exe	conhost.exe
PID 1896 wrote to memory of 1096	1896	taskeng.exe	conhost.exe
PID 1896 wrote to memory of 1096	1896	taskeng.exe	conhost.exe
PID 1896 wrote to memory of 1096	1896	taskeng.exe	conhost.exe
PID 1096 wrote to memory of 668	1096	conhost.exe	schtasks.exe
PID 1096 wrote to memory of 668	1096	conhost.exe	schtasks.exe
PID 1096 wrote to memory of 668	1096	conhost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
"C:\Users\Admin\AppData\Local\Temp\6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Roaming\Setup.exe
C:\Users\Admin\AppData\Roaming\Setup.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
3⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Roaming\files\files.dat
files.dat -y -pkmsauto
4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1280

C:\Users\Admin\AppData\Roaming\conhost.exe
C:\Users\Admin\AppData\Roaming\conhost.exe
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\conhost.exe
3⤵
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1072

C:\Windows\system32\taskeng.exe
taskeng.exe {8DA0E5D4-1AEE-4AE9-9D55-C5007A3412BA} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Roaming\conhost.exe
C:\Users\Admin\AppData\Roaming\conhost.exe
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\conhost.exe
3⤵
- Creates scheduled task(s)
PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
637481df32351129e60560d5a5c100b5

SHA1
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae

SHA256
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052

SHA512
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
cdcb2cb7f97e872d35848e152c62967c

SHA1
39d11d82ba260c04161f953bd3480f1c1bb4498e

SHA256
c515618b3378a3846c56afdc9e1a1da1bf47e04331c366cc668bbdd18dc82c7b

SHA512
7ec27fb2b151a43ab8d00f7a5a045e24470cc741c0aaaba8c2bbac1602d7619251503b13e3d0774c856edb9387d2b963c48e2e5f315c1f1960380af06fe09366

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
C:\Users\Admin\AppData\Roaming\Setup.exe
MD5
e4a514f71bc9e329c641beb89343bcac

SHA1
99dbb79944b2582e1d903acf3499572b8e9a6b86

SHA256
f674489ace458373c9c28b60a3afd76f1c4176986d6fb3b51bf0832011c8af4d

SHA512
89bebe806976e043d9464074be46c3f8ad7deba3cb20c51eda328f40e9daa84731b9fb83130248c9f69aec50e575a53068233bce77ffc68c1d49736d4dd17c65

Download Submit
C:\Users\Admin\AppData\Roaming\Setup.exe
MD5
e4a514f71bc9e329c641beb89343bcac

SHA1
99dbb79944b2582e1d903acf3499572b8e9a6b86

SHA256
f674489ace458373c9c28b60a3afd76f1c4176986d6fb3b51bf0832011c8af4d

SHA512
89bebe806976e043d9464074be46c3f8ad7deba3cb20c51eda328f40e9daa84731b9fb83130248c9f69aec50e575a53068233bce77ffc68c1d49736d4dd17c65

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe.manifest
MD5
faa0a1da99c41ae839f47795e88ca4cf

SHA1
d7b59374b1dd7ae8ff41e0f475716603fda5c803

SHA256
9265c14584cbe0be261acb481af9e204bdfda799b45dab3aa04fe30cd348a663

SHA512
6f8c5684e3f6ba63974384cc4d4adb0b8d5ecea2d132e1a2f9ab3030c789508e0faa165d1650708a46c52760b8a603f42ed8d366245430b2a54faf9fd1fd17b2

Download Submit
C:\Users\Admin\AppData\Roaming\files\files.dat
MD5
55d21b2c272a5d6b9f54fa9ed82bf9eb

SHA1
32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

SHA256
7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

SHA512
1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Download Submit
C:\Users\Admin\AppData\Roaming\files\files.dat
MD5
55d21b2c272a5d6b9f54fa9ed82bf9eb

SHA1
32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

SHA256
7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

SHA512
1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Download Submit
\Users\Admin\AppData\Roaming\Setup.exe
MD5
e4a514f71bc9e329c641beb89343bcac

SHA1
99dbb79944b2582e1d903acf3499572b8e9a6b86

SHA256
f674489ace458373c9c28b60a3afd76f1c4176986d6fb3b51bf0832011c8af4d

SHA512
89bebe806976e043d9464074be46c3f8ad7deba3cb20c51eda328f40e9daa84731b9fb83130248c9f69aec50e575a53068233bce77ffc68c1d49736d4dd17c65

Download Submit
\Users\Admin\AppData\Roaming\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
\Users\Admin\AppData\Roaming\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
memory/1096-70-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1568-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download
memory/1608-64-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download