vjw0rm | ec2ff3ea783304168e8acdf7e60a3c4d97efa75bf922c10ee1b947d1b87a7cc2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3d61c51677550bcab428e66d5ae3080.exe
Size

2.1MB
MD5

a3d61c51677550bcab428e66d5ae3080
SHA1

7ccd97e4c9afcd1006aaeb617f1d197d8913e34c
SHA256

ec2ff3ea783304168e8acdf7e60a3c4d97efa75bf922c10ee1b947d1b87a7cc2
SHA512

da991a168162ec3d0f551413bb9d7f21f3f20f9f171d8a81684f2cdde80883e9a06aaf789d3e8c48ee148b280d4cf757344d057187fb3839e031d94255b3e6cc
SSDEEP

49152:zbA3QEThXw57teXjNdbxkFPL01tYHYAsG3CfR3zF93DZvL1:zbqNw5peXp1x4jAH43+R3zz3FvL1

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
25	4784	WScript.exe
37	4784	WScript.exe
43	4784	WScript.exe
47	4784	WScript.exe
53	4784	WScript.exe
54	4784	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	a3d61c51677550bcab428e66d5ae3080.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.js	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
224	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WEHHRB8F7I = "\"C:\\Users\\Admin\\AppData\\Roaming\\info.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4936	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings	a3d61c51677550bcab428e66d5ae3080.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 4784	3420	a3d61c51677550bcab428e66d5ae3080.exe	88
PID 3420 wrote to memory of 4784	3420	a3d61c51677550bcab428e66d5ae3080.exe	88
PID 3420 wrote to memory of 4784	3420	a3d61c51677550bcab428e66d5ae3080.exe	88
PID 3420 wrote to memory of 224	3420	a3d61c51677550bcab428e66d5ae3080.exe	89
PID 3420 wrote to memory of 224	3420	a3d61c51677550bcab428e66d5ae3080.exe	89
PID 4784 wrote to memory of 4936	4784	WScript.exe	96
PID 4784 wrote to memory of 4936	4784	WScript.exe	96
PID 4784 wrote to memory of 4936	4784	WScript.exe	96

C:\Users\Admin\AppData\Local\Temp\a3d61c51677550bcab428e66d5ae3080.exe
"C:\Users\Admin\AppData\Local\Temp\a3d61c51677550bcab428e66d5ae3080.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\info.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Admin\AppData\Roaming\info.js
    3⤵
    - Creates scheduled task(s)
    PID:4936
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\info.js

Filesize
56KB

MD5
6a89d3b24b67760618efe3d28c9011db

SHA1
9bdfcb2d237c91ea38b731611a135e345121729f

SHA256
0e54f80cede9e1aabf88c1676774c24888b5c72f34acdb1c88dc6e026abc76c4

SHA512
413153600e6a932a7f07394284ae4ee4a66916c72ff5375062374a6899bb81c96000972c4d376db46dba25385b3ca02c6704cfbac58ca948a01edc1b08658f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
4.5MB

MD5
31adbc555a9df3e7a17fe6077c1dae93

SHA1
231f3c01e17fc3f9ae898c7317f4e4eee386cde1

SHA256
16f8c2fc708874cf0648770c9910f481fe0f46e555ad57397247f5ce8b3b0de8

SHA512
991f8b0140635bfb37fce3b457021543e2ee4d6c80000534cbe515d15a6f02ff2c8b9e2f3e78a46a985eafcc2abcd9b0eb219bca29cb7af4544a9b33a0a0ca33

Download Submit
memory/224-17-0x000002799F530000-0x000002799F9B8000-memory.dmp

Filesize
4.5MB

Download
memory/224-18-0x00007FFAF4DA0000-0x00007FFAF5861000-memory.dmp

Filesize
10.8MB

Download
memory/224-19-0x00007FFAF4DA0000-0x00007FFAF5861000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads