vjw0rm | b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01-07-2023 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowsexe.exe
Size

541KB
MD5

c159fc653a86ef3eab80e5d06b9cfa2c
SHA1

f95b35bcd8528dafda2b8fd53bed2bab150676e3
SHA256

b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b
SHA512

78ee8d1c957f21e6023f4c9096f63c9bc697620cfc7584bb937b4cffb792f312c8fd0cb586c0aa4f43ddf8e622042f2c85852f10018e0c5799d6dd02903ab9f2
SSDEEP

12288:lBXSh9d55EWf6bkHXgtQZDsfDfWXWBt9ExkUp8ZbcoahOOufKlgc+ABeaESJAzEM:7QZQz8Du4

Score

10^/10

vjw0rm wshrat persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000122de-55.dat	family_wshrat
behavioral1/files/0x000a0000000122e1-59.dat	family_wshrat
behavioral1/files/0x00090000000122e5-61.dat	family_wshrat
behavioral1/files/0x00090000000122e5-60.dat	family_wshrat

Blocklisted process makes network request 50 IoCs

flow	pid	Process
2	556	wscript.exe
3	556	wscript.exe
5	1728	wscript.exe
6	1728	wscript.exe
11	1728	wscript.exe
12	1728	wscript.exe
15	636	WScript.exe
16	1728	wscript.exe
17	1728	wscript.exe
18	636	WScript.exe
20	1728	wscript.exe
22	1728	wscript.exe
23	636	WScript.exe
25	1728	wscript.exe
28	1728	wscript.exe
30	636	WScript.exe
31	1728	wscript.exe
32	1728	wscript.exe
33	636	WScript.exe
35	1728	wscript.exe
36	1728	wscript.exe
37	1728	wscript.exe
39	636	WScript.exe
42	1728	wscript.exe
43	1728	wscript.exe
44	636	WScript.exe
46	1728	wscript.exe
47	1728	wscript.exe
48	636	WScript.exe
50	1728	wscript.exe
51	1728	wscript.exe
54	636	WScript.exe
56	1728	wscript.exe
57	1728	wscript.exe
58	636	WScript.exe
60	1728	wscript.exe
61	1728	wscript.exe
62	636	WScript.exe
64	1728	wscript.exe
65	1728	wscript.exe
66	636	WScript.exe
70	1728	wscript.exe
71	1728	wscript.exe
72	636	WScript.exe
74	1728	wscript.exe
75	1728	wscript.exe
76	636	WScript.exe
78	1728	wscript.exe
79	1728	wscript.exe
81	636	WScript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js	WScript.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lRDdN = "wscript.exe //B \"C:\\Users\\Admin\\lRDdN.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\lRDdN = "wscript.exe //B \"C:\\Users\\Admin\\lRDdN.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lRDdN = "wscript.exe //B \"C:\\Users\\Admin\\lRDdN.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\lRDdN = "wscript.exe //B \"C:\\Users\\Admin\\lRDdN.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\BXBCC2V24Z = "\"C:\\Users\\Admin\\AppData\\Roaming\\windows.js\""	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wscript.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 556	852	windowsexe.exe	28
PID 852 wrote to memory of 556	852	windowsexe.exe	28
PID 852 wrote to memory of 556	852	windowsexe.exe	28
PID 852 wrote to memory of 556	852	windowsexe.exe	28
PID 556 wrote to memory of 1728	556	wscript.exe	29
PID 556 wrote to memory of 1728	556	wscript.exe	29
PID 556 wrote to memory of 1728	556	wscript.exe	29
PID 556 wrote to memory of 1728	556	wscript.exe	29
PID 1728 wrote to memory of 636	1728	wscript.exe	30
PID 1728 wrote to memory of 636	1728	wscript.exe	30
PID 1728 wrote to memory of 636	1728	wscript.exe	30
PID 1728 wrote to memory of 636	1728	wscript.exe	30

C:\Users\Admin\AppData\Local\Temp\windowsexe.exe
"C:\Users\Admin\AppData\Local\Temp\windowsexe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\lRDdN.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\lRDdN.vbs"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\windows.js"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQLKSAYN\json[1].json

Filesize
323B

MD5
149c2823b7eadbfb0a82388a2ab9494f

SHA1
415fe979ce5fd0064d2557a48745a3ed1a3fbf9c

SHA256
06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869

SHA512
f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs

Filesize
185KB

MD5
43fca5129026c9b6b49ce26c27759df2

SHA1
46a4acdd5faae42e04ba753f69e6e777324ae8e9

SHA256
a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

SHA512
c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs

Filesize
185KB

MD5
43fca5129026c9b6b49ce26c27759df2

SHA1
46a4acdd5faae42e04ba753f69e6e777324ae8e9

SHA256
a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

SHA512
c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js

Filesize
3KB

MD5
14d1d9d3dc5e8d0eac04d5b78645a2ea

SHA1
aa14b5a613919e41c4d97fef48ff1a24ff06fd2b

SHA256
92d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36

SHA512
e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c

Download Submit
C:\Users\Admin\AppData\Roaming\lRDdN.vbs

Filesize
185KB

MD5
43fca5129026c9b6b49ce26c27759df2

SHA1
46a4acdd5faae42e04ba753f69e6e777324ae8e9

SHA256
a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

SHA512
c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

Download Submit
C:\Users\Admin\lRDdN.vbs

Filesize
185KB

MD5
43fca5129026c9b6b49ce26c27759df2

SHA1
46a4acdd5faae42e04ba753f69e6e777324ae8e9

SHA256
a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e

SHA512
c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

Download Submit
C:\Users\Admin\windows.js

Filesize
3KB

MD5
14d1d9d3dc5e8d0eac04d5b78645a2ea

SHA1
aa14b5a613919e41c4d97fef48ff1a24ff06fd2b

SHA256
92d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36

SHA512
e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads