vjw0rm | ec2ff3ea783304168e8acdf7e60a3c4d97efa75bf922c10ee1b947d1b87a7cc2

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3d61c51677550bcab428e66d5ae3080.exe
Size

2.1MB
MD5

a3d61c51677550bcab428e66d5ae3080
SHA1

7ccd97e4c9afcd1006aaeb617f1d197d8913e34c
SHA256

ec2ff3ea783304168e8acdf7e60a3c4d97efa75bf922c10ee1b947d1b87a7cc2
SHA512

da991a168162ec3d0f551413bb9d7f21f3f20f9f171d8a81684f2cdde80883e9a06aaf789d3e8c48ee148b280d4cf757344d057187fb3839e031d94255b3e6cc
SSDEEP

49152:zbA3QEThXw57teXjNdbxkFPL01tYHYAsG3CfR3zF93DZvL1:zbqNw5peXp1x4jAH43+R3zz3FvL1

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	2884	WScript.exe
8	2884	WScript.exe
9	2884	WScript.exe
11	2884	WScript.exe
12	2884	WScript.exe
13	2884	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.js	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2040	setup.exe

Loads dropped DLL 8 IoCs

pid	Process
1248	a3d61c51677550bcab428e66d5ae3080.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe
2508	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\WEHHRB8F7I = "\"C:\\Users\\Admin\\AppData\\Roaming\\info.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2436	schtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 2884	1248	a3d61c51677550bcab428e66d5ae3080.exe	28
PID 1248 wrote to memory of 2884	1248	a3d61c51677550bcab428e66d5ae3080.exe	28
PID 1248 wrote to memory of 2884	1248	a3d61c51677550bcab428e66d5ae3080.exe	28
PID 1248 wrote to memory of 2884	1248	a3d61c51677550bcab428e66d5ae3080.exe	28
PID 1248 wrote to memory of 2040	1248	a3d61c51677550bcab428e66d5ae3080.exe	29
PID 1248 wrote to memory of 2040	1248	a3d61c51677550bcab428e66d5ae3080.exe	29
PID 1248 wrote to memory of 2040	1248	a3d61c51677550bcab428e66d5ae3080.exe	29
PID 1248 wrote to memory of 2040	1248	a3d61c51677550bcab428e66d5ae3080.exe	29
PID 2040 wrote to memory of 2508	2040	setup.exe	30
PID 2040 wrote to memory of 2508	2040	setup.exe	30
PID 2040 wrote to memory of 2508	2040	setup.exe	30
PID 2884 wrote to memory of 2436	2884	WScript.exe	32
PID 2884 wrote to memory of 2436	2884	WScript.exe	32
PID 2884 wrote to memory of 2436	2884	WScript.exe	32
PID 2884 wrote to memory of 2436	2884	WScript.exe	32

C:\Users\Admin\AppData\Local\Temp\a3d61c51677550bcab428e66d5ae3080.exe
"C:\Users\Admin\AppData\Local\Temp\a3d61c51677550bcab428e66d5ae3080.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\info.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Admin\AppData\Roaming\info.js
    3⤵
    - Creates scheduled task(s)
    PID:2436
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2040 -s 480
    3⤵
    - Loads dropped DLL
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\info.js

Filesize
56KB

MD5
6a89d3b24b67760618efe3d28c9011db

SHA1
9bdfcb2d237c91ea38b731611a135e345121729f

SHA256
0e54f80cede9e1aabf88c1676774c24888b5c72f34acdb1c88dc6e026abc76c4

SHA512
413153600e6a932a7f07394284ae4ee4a66916c72ff5375062374a6899bb81c96000972c4d376db46dba25385b3ca02c6704cfbac58ca948a01edc1b08658f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
3.8MB

MD5
0f15bd474cdebd661a30609f8fe623b0

SHA1
f044d7f97ef7794ecd78648c8692737cb0187ef8

SHA256
2389e35b1773212521345d8faa9db839d35a45f35fddf4ec17a313deed269fd4

SHA512
a8fdb0fce0a5e15da59ab4120df2012cf39b1b997b6dbd1a0ebb3d1045f804b69a60d7f33b50def03cc668ad2e409cc606600e053e9538a3f215317246812a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
3.6MB

MD5
0cd8e926ee9a6caedcb2648e08ed8930

SHA1
2ee2311a1354c200305eb90cb48f6c311f3a9de5

SHA256
c1c9d6a1acf25df317c67055940b868e5bcc58fbf473da6e1cfd8e95b012fa55

SHA512
9d293eeb87b44b2a6fc9422c5eff5e19cd3afac546fc8fd5853d1df873eccec33e8050d7572f32955d1d117cf1bf436c320d70e8a4f63b3da34277d668cdcd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
2.5MB

MD5
2020d7fcae540092c7e94422df6933d0

SHA1
cdf2da042da6650893a16237cb4b862e69d3508f

SHA256
c5e33bfa3ca69199deee541e8f7c21a2ec86f6cd2fe3043e0f0d096592fe06d4

SHA512
fb9d7e2dbe335edc1bd605a70b87e6af7f8336ac0ce09a5477afb2d7db22663c1295e0675c61b011f03c4da2303c1ca4a38473df889405c5ee759e8aafd0ab21

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
1024KB

MD5
1ab8012058342801166bc671cd8000a6

SHA1
5ae22526c53fb3b2811f45a7f1ebfb061e885403

SHA256
d9bd506faac8fac53a37ece17fbce4b46e2a7f4b5e87aee221a615501b8b0124

SHA512
7703c285ff3be1f0f6770627720ee1729e71c7128acb64ab30d41c0e37138fa6ed37d6f6ad43d07ae029e2125daeea343d3c3ff81c0199930b76526eb0d70f20

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
1.2MB

MD5
a153f54c66c2e2139054b05315478fda

SHA1
aac2e1d967074afec457273eee80b23856667587

SHA256
d0f84dda15e29cf31802c5389f5d9f7db593ded4a33c44db2016fc10d73ba5ca

SHA512
e8612a581e9846eb01c8528934d6602fe46236013e250b748b7ed18043f34029e6836304211b51b8dcfd29e537d408e609fa7ef130a8b06d3aa15a679090584c

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
1.1MB

MD5
bd66430349308aa5735b32d4003bfeab

SHA1
f113fc87a0494fe6525dc80707c19716faf95070

SHA256
7eae467bdabe0ebb66d7170d43a9ca23b9e0848873a5b411a55fdf0b63de43bb

SHA512
57de03bff7f64408bbde433f8e41abcfc1d5306de6411fa747c6dc2d09bee6b4612dc0c7eaa20a69fcfdebe208967e00931bd4f6932f98666edcd48b2643e637

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
1.1MB

MD5
14396a72429b596aafe68f2bffe08d4c

SHA1
a62e70d319c47f91df440fe05f4036302c2620d8

SHA256
187b872dd83df0bbd8d2ee5cc82293ce66723db00d71459f00aea3ae9ee9875f

SHA512
4bee01833a21c2c16898c05ac6111c55bcca4201fa389d06ab529aa5f92ae87e98812f7897abe0fc8a02e59defc6eab039a7faeb745545248761499de0ab4b46

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
960KB

MD5
cb333ef8b96afdddda55c7c67dd57e59

SHA1
63cabb14e16e68d8da7e3f3d7e47f8bf320f295d

SHA256
518738160daa3656537dbb53097f39929fcba29996db1d855efb2ee8ef87082d

SHA512
19e22e430695ba8df7fc6f9071394e41377afa30c5fa85348cbb194272fe015b69fe909a211e3e9422f47cdb4e8f26aeeea3414c3ba23382126c97116996d0b8

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
3.9MB

MD5
70c94ceb8c77c4733b94fd337dab4404

SHA1
43db7386f9a9e5584ca36380345eef9256eaca5a

SHA256
327ae5a89231599dea22eec253260821961d95a5f81f0385e45f8639225b7f74

SHA512
3b51ec1c063d309131a02f893a46d775735e996efdf8a859390a3cf8f260077a66cf4ada27d8aeca68672e7d7554e601ad5f5770f4b9927f3302c64ac667aede

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
4.5MB

MD5
31adbc555a9df3e7a17fe6077c1dae93

SHA1
231f3c01e17fc3f9ae898c7317f4e4eee386cde1

SHA256
16f8c2fc708874cf0648770c9910f481fe0f46e555ad57397247f5ce8b3b0de8

SHA512
991f8b0140635bfb37fce3b457021543e2ee4d6c80000534cbe515d15a6f02ff2c8b9e2f3e78a46a985eafcc2abcd9b0eb219bca29cb7af4544a9b33a0a0ca33

Download Submit
memory/2040-15-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2040-14-0x000000013F480000-0x000000013F908000-memory.dmp

Filesize
4.5MB

Download
memory/2040-25-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads