vjw0rm | c0a7609a761fa19573c36edd731cf45e9bd16b7a831d8918c919b9955bcb380d

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

252f829dcb9c1525934fe45286bd2957.exe
Size

3.9MB
MD5

252f829dcb9c1525934fe45286bd2957
SHA1

f1bb827c11144a2619842ee443b501d4a43e4dec
SHA256

c0a7609a761fa19573c36edd731cf45e9bd16b7a831d8918c919b9955bcb380d
SHA512

2ca1f8685ec095dd072bb53d6107b928fc5c7f79fd400cc96cf4ded5ab4411a68e464419d097fc6b450f773ea87eb42ce1cf21c020c0c067ff37de65cdc5b48f
SSDEEP

98304:qb8Hted1N2mcuVkch0CoSvmQAlXF6GN/Asr3/OWtvvo:qQNO/rkczoSeffL/z3/OCo

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 5 IoCs

flow	pid	Process
5	2688	WScript.exe
6	2688	WScript.exe
7	2688	WScript.exe
9	2688	WScript.exe
10	2688	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.js	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	setup.exe

Loads dropped DLL 12 IoCs

pid	Process
1204	252f829dcb9c1525934fe45286bd2957.exe
1204	252f829dcb9c1525934fe45286bd2957.exe
1204	252f829dcb9c1525934fe45286bd2957.exe
1204	252f829dcb9c1525934fe45286bd2957.exe
2844	setup.exe
2844	setup.exe
2844	setup.exe
2844	setup.exe
2844	setup.exe
2844	setup.exe
2844	setup.exe
2844	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\WEHHRB8F7I = "\"C:\\Users\\Admin\\AppData\\Roaming\\info.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 20 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000012224-8.dat	nsis_installer_1
behavioral1/files/0x0009000000012224-8.dat	nsis_installer_2
behavioral1/files/0x0009000000012224-17.dat	nsis_installer_1
behavioral1/files/0x0009000000012224-17.dat	nsis_installer_2
behavioral1/files/0x0009000000012224-20.dat	nsis_installer_1
behavioral1/files/0x0009000000012224-20.dat	nsis_installer_2
behavioral1/files/0x0009000000012224-23.dat	nsis_installer_1
behavioral1/files/0x0009000000012224-23.dat	nsis_installer_2
behavioral1/files/0x0009000000012224-22.dat	nsis_installer_1
behavioral1/files/0x0009000000012224-22.dat	nsis_installer_2
behavioral1/files/0x0009000000012224-21.dat	nsis_installer_1
behavioral1/files/0x0009000000012224-21.dat	nsis_installer_2
behavioral1/files/0x0009000000012224-19.dat	nsis_installer_1
behavioral1/files/0x0009000000012224-19.dat	nsis_installer_2
behavioral1/files/0x0009000000012224-15.dat	nsis_installer_1
behavioral1/files/0x0009000000012224-15.dat	nsis_installer_2
behavioral1/files/0x0009000000012224-12.dat	nsis_installer_1
behavioral1/files/0x0009000000012224-12.dat	nsis_installer_2
behavioral1/files/0x0009000000012224-10.dat	nsis_installer_1
behavioral1/files/0x0009000000012224-10.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1660	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2844	setup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2688	1204	252f829dcb9c1525934fe45286bd2957.exe	28
PID 1204 wrote to memory of 2688	1204	252f829dcb9c1525934fe45286bd2957.exe	28
PID 1204 wrote to memory of 2688	1204	252f829dcb9c1525934fe45286bd2957.exe	28
PID 1204 wrote to memory of 2688	1204	252f829dcb9c1525934fe45286bd2957.exe	28
PID 1204 wrote to memory of 2844	1204	252f829dcb9c1525934fe45286bd2957.exe	29
PID 1204 wrote to memory of 2844	1204	252f829dcb9c1525934fe45286bd2957.exe	29
PID 1204 wrote to memory of 2844	1204	252f829dcb9c1525934fe45286bd2957.exe	29
PID 1204 wrote to memory of 2844	1204	252f829dcb9c1525934fe45286bd2957.exe	29
PID 1204 wrote to memory of 2844	1204	252f829dcb9c1525934fe45286bd2957.exe	29
PID 1204 wrote to memory of 2844	1204	252f829dcb9c1525934fe45286bd2957.exe	29
PID 1204 wrote to memory of 2844	1204	252f829dcb9c1525934fe45286bd2957.exe	29
PID 2688 wrote to memory of 1660	2688	WScript.exe	32
PID 2688 wrote to memory of 1660	2688	WScript.exe	32
PID 2688 wrote to memory of 1660	2688	WScript.exe	32
PID 2688 wrote to memory of 1660	2688	WScript.exe	32

C:\Users\Admin\AppData\Local\Temp\252f829dcb9c1525934fe45286bd2957.exe
"C:\Users\Admin\AppData\Local\Temp\252f829dcb9c1525934fe45286bd2957.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\info.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Admin\AppData\Roaming\info.js
    3⤵
    - Creates scheduled task(s)
    PID:1660
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\info.js

Filesize
48KB

MD5
c7cbc0fa19952860d891ad4e274696e3

SHA1
4b099e5a3384032d6f636ce33149f8e6cf1b1d2a

SHA256
8e1f59a44019209def4f26cb0132419569e5eecff619258b661ef0d046d2510f

SHA512
4f23b4e59be6e3ac75bd9ca8d539d04543c3729962b369529e289e95a3ba61f7d42741a4a7727756534dc790c94ad2048448f17badb8055cae67f39539df7f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
129KB

MD5
1d3f67001de35ae13164232f0bd9f540

SHA1
116a0b768cc22b6b68fe09f5954c16a5ccc401f5

SHA256
0ab1e34a4035443277fc8a414ef17bfdc00c30851d8e56489c328f15074473fa

SHA512
bb00c6a3aadfcd89ed4a66e3d2cd95bd24ce10b8a20a9916b665454c49493f3a5447d2d21106f8e56d9b91336c2a49e476b8f5d75c560595ea3a679fea40f80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
64KB

MD5
e6d1af9d7a42a4fd98a7d18efe9ae671

SHA1
a96e6dbb11219e25edc13a006e6997299aeef70f

SHA256
083fd6ce13b599efe5e04acf2bdd9c7766b69a2f42cd04ce45243e345d3dfe3f

SHA512
ab83b85ab0180eaa5c49426d509924e7290a4acf2aa3cf74105259e4ad953fbbca3d9ea294755662b018ece3eccdf353654f9ce18c44b6ef3653fc6de7cf78de

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
56KB

MD5
36cba2395a3e712d87aae236c66e18d5

SHA1
2413c440e44915bf674d87701357c1bb1f350f04

SHA256
85045c505d4047ab59640226d2235c5c460714499d35c37e290b8156730af307

SHA512
0f5613ef63dd20c3771080f4e991bfda1ac1330b77b989c8a5aa3f016d74eb1bc566eeb8847a46e01f33b083137e56b1162c0893fc7c992bcfc879dc96807864

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4240.tmp\Aero.dll

Filesize
17KB

MD5
5155e506b908b41e113bbd7c10d4082f

SHA1
0e0d2d3a6c76c08d434ac7359eb9927f82ac6065

SHA256
9bbbdd180dac3cf4ce36cbc12bd862cdd00880d87027395f92ede5476d1f0dd0

SHA512
a43f04fffb05458a307054caaa45ba81c383b0265d7af798996806ecb07b72bb5350df7bf4d6d7b21a30c82f4308343845bb32cc8e0ad0cd36e352499ca7ccb1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4240.tmp\BrandingURL.dll

Filesize
4KB

MD5
71c46b663baa92ad941388d082af97e7

SHA1
5a9fcce065366a526d75cc5ded9aade7cadd6421

SHA256
bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e

SHA512
5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4240.tmp\LangDLL.dll

Filesize
9KB

MD5
d6d8addfea0ee1bba9b841e3bec0b5cd

SHA1
a36ba78140600a7b1a502bea25c50c76666f5d3f

SHA256
ccb76172c2565356a838d7867a51e021478fed4d83eb41fe1dbb703f8efa28f9

SHA512
3f85eb0baca0794adbc7460af8b3b21d5b0b9d250eeba842f8524ea9736877aaabd5f51035bee8836ad46bf1d01e416119ca7f296bae32bacdad44622c1715ec

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4240.tmp\System.dll

Filesize
15KB

MD5
f4e3fa5c852d2bdc41756e58124b21d3

SHA1
a49ec55e50d25efa45ce93366fb64c4fbb1d8261

SHA256
e457505b7648838185fd971e19daf6fd626824d7935a2701342df7099315e62c

SHA512
3ccbd9bf27d7927fdf34aecf672d78cb85d00b2b53da631f60683e46d85eda73021d2ae2c7c3d533424b1f8d174093d2186e1bd821fe02312fc142048b75d243

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4240.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
93KB

MD5
66eb0f679a932afb5781b01299fba5b0

SHA1
e1654e5e55764918b88c0b0531f7619fa3d29fa6

SHA256
52273c76680a59a18d7e2e6ecadc3fb1769424565fda0283bc78e2d53c300cfa

SHA512
015e4583e08f54fcf8790368362ad14684b2a4c66714c80ffa57b42d5bcd8ea3f57c5f35cd04712c75d8ab51ec4f12f0e97ae702e5bc0951b8afd747509c0af2

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
85KB

MD5
ee92a67a7ee268332f79389c4b2e7efd

SHA1
35060703c6ebcb9121282bc86a4ce466d30c7483

SHA256
ffba803de98b0a4e9381ab1dfceef05615394b82c56bda4eb30c07d724c83318

SHA512
7b05efd50d9fc74b3b7de8a34d9c013eb910ca4fb8a3bc53827b3a1665438f0b23dec42e085429a617a412dab91a278929d4471ec18ff3019dd23911a50a57a5

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
125KB

MD5
59cfe06d87041213297b3ed3a527f894

SHA1
28e059cc9f49aa46ec5c4070bebf421f9bc2a365

SHA256
547e574374dc2439a2a62d112bd1fc4c9f1bdb2d457d4645a9adaf2d828ab7d0

SHA512
63bfb0c19e4593f92d42863d3438dcb9868620aff3b5fef51cf26cdbe02d647aeb795488bc0202967af71b800033506963a64f85236e94e5970ab22db0241907

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
105KB

MD5
9570722d617f3061417c600a03c5b34b

SHA1
e5597784c97ef47bb868faad266f659a04cab7f4

SHA256
670e4a911a0f276fb0c8d696b47304afb320c341097aae88a3a478a1d5d533de

SHA512
8ae8dae30c86be8026284cb2444b5e678b9c29b5e41dcf2763ba2a36748f4532f687418b20d58e9b69971a195e0f4b45ca9062a80a5b08e424ae995b1f396e9c

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
97KB

MD5
3c28818834053eb14f233c1e3f899dd5

SHA1
cd97add2e22bcc57189af8dbf906b07e36fd3318

SHA256
0c15f7819425f6e44aa5f44fcfb93ffd3eb0d7eb7156d7cb3dfb058c6f1eeaa3

SHA512
4ac9a4226e561e4de78f8c2dc8a84dc5644a92a5b7e44d072d7a7b84484eb80e429d7e0dbd1e810d81789d880258e886fda62dc6cdc9527c82ef46e617208819

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
84KB

MD5
5bce9e0016ad17fbcef5c0c1332f7ac4

SHA1
1f5c45e1fef38ef7626be7996245eed474af8941

SHA256
05e69a5325e1f9390445240e8dd09447d397c136e1cd579e7610b419689b3872

SHA512
4e1c560ff4bc48b9a4de4bebaf1f2e325ab800967494c5f9d4dc059133adb423e15ee80cc72eba404290d3a4ab0c833f85560bf97923691af7fd65b955ae2d63

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
633KB

MD5
19e752fa643f888370cdfa52ef0103a7

SHA1
9dd345e3f96219af5a213b50ccdcbb1c3d9daa7d

SHA256
88f1bc1a002e6eb54cde792690908447f007eee738c43b5e7fadc9826670e1fb

SHA512
ff9582a1fe5f098c470710624b4b23275fb9a207a995efe4aac79e4fd0ce26895e9a74c0872c119ad0d19fd444f51468452f9ac36aeab99bbd683ea8bc1d32ae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads