adwind | 85b509c3352dde65b7dbd7c56207e2bcfe8245bf851132cbd61b93f4343077fc

General

Target

IMG-29062020.jar
Size

608KB
MD5

e2fdebfb3346325ae26240e1c2e0319b
SHA1

e2731770f57600dd347759523db864cf8fd68e7a
SHA256

85b509c3352dde65b7dbd7c56207e2bcfe8245bf851132cbd61b93f4343077fc
SHA512

4e0f30e6f8adb8b3fd7d1af9120907884d3447e1a6b41d8fac9d6fb5ad8b5e90a223474bda641f64a3f2cfecba06229e562b37e12a2f310d2d09db07a39475d7

Score

10^/10

persistence trojan adwind

Malware Config

Signatures

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

java.exewscript.exejavaw.exejava.execmd.execmd.execmd.execmd.exejavaw.execmd.execmd.exejava.execmd.execmd.exe

description	pid	process	target process
PID 3104 wrote to memory of 3816	3104	java.exe	wscript.exe
PID 3104 wrote to memory of 3816	3104	java.exe	wscript.exe
PID 3816 wrote to memory of 3928	3816	wscript.exe	javaw.exe
PID 3816 wrote to memory of 3928	3816	wscript.exe	javaw.exe
PID 3928 wrote to memory of 3496	3928	javaw.exe	java.exe
PID 3928 wrote to memory of 3496	3928	javaw.exe	java.exe
PID 3928 wrote to memory of 3820	3928	javaw.exe	cmd.exe
PID 3928 wrote to memory of 3820	3928	javaw.exe	cmd.exe
PID 3496 wrote to memory of 3036	3496	java.exe	cmd.exe
PID 3496 wrote to memory of 3036	3496	java.exe	cmd.exe
PID 3820 wrote to memory of 3832	3820	cmd.exe	cscript.exe
PID 3820 wrote to memory of 3832	3820	cmd.exe	cscript.exe
PID 3036 wrote to memory of 3868	3036	cmd.exe	cscript.exe
PID 3036 wrote to memory of 3868	3036	cmd.exe	cscript.exe
PID 3496 wrote to memory of 416	3496	java.exe	cmd.exe
PID 3496 wrote to memory of 416	3496	java.exe	cmd.exe
PID 3928 wrote to memory of 540	3928	javaw.exe	cmd.exe
PID 3928 wrote to memory of 540	3928	javaw.exe	cmd.exe
PID 416 wrote to memory of 804	416	cmd.exe	cscript.exe
PID 416 wrote to memory of 804	416	cmd.exe	cscript.exe
PID 540 wrote to memory of 396	540	cmd.exe	cscript.exe
PID 540 wrote to memory of 396	540	cmd.exe	cscript.exe
PID 3496 wrote to memory of 1672	3496	java.exe	xcopy.exe
PID 3496 wrote to memory of 1672	3496	java.exe	xcopy.exe
PID 3928 wrote to memory of 1356	3928	javaw.exe	xcopy.exe
PID 3928 wrote to memory of 1356	3928	javaw.exe	xcopy.exe
PID 3928 wrote to memory of 1692	3928	javaw.exe	cmd.exe
PID 3928 wrote to memory of 1692	3928	javaw.exe	cmd.exe
PID 3496 wrote to memory of 1592	3496	java.exe	cmd.exe
PID 3496 wrote to memory of 1592	3496	java.exe	cmd.exe
PID 3928 wrote to memory of 2448	3928	javaw.exe	reg.exe
PID 3928 wrote to memory of 2448	3928	javaw.exe	reg.exe
PID 3928 wrote to memory of 2560	3928	javaw.exe	attrib.exe
PID 3928 wrote to memory of 2560	3928	javaw.exe	attrib.exe
PID 3928 wrote to memory of 2720	3928	javaw.exe	attrib.exe
PID 3928 wrote to memory of 2720	3928	javaw.exe	attrib.exe
PID 3928 wrote to memory of 3172	3928	javaw.exe	javaw.exe
PID 3928 wrote to memory of 3172	3928	javaw.exe	javaw.exe
PID 3172 wrote to memory of 3964	3172	javaw.exe	java.exe
PID 3172 wrote to memory of 3964	3172	javaw.exe	java.exe
PID 3172 wrote to memory of 848	3172	javaw.exe	cmd.exe
PID 3172 wrote to memory of 848	3172	javaw.exe	cmd.exe
PID 848 wrote to memory of 1052	848	cmd.exe	cscript.exe
PID 848 wrote to memory of 1052	848	cmd.exe	cscript.exe
PID 3172 wrote to memory of 1580	3172	javaw.exe	cmd.exe
PID 3172 wrote to memory of 1580	3172	javaw.exe	cmd.exe
PID 1580 wrote to memory of 1576	1580	cmd.exe	cscript.exe
PID 1580 wrote to memory of 1576	1580	cmd.exe	cscript.exe
PID 3964 wrote to memory of 2144	3964	java.exe	cmd.exe
PID 3964 wrote to memory of 2144	3964	java.exe	cmd.exe
PID 2144 wrote to memory of 2684	2144	cmd.exe	cscript.exe
PID 2144 wrote to memory of 2684	2144	cmd.exe	cscript.exe
PID 3172 wrote to memory of 3912	3172	javaw.exe	cmd.exe
PID 3172 wrote to memory of 3912	3172	javaw.exe	cmd.exe
PID 3964 wrote to memory of 3500	3964	java.exe	cmd.exe
PID 3964 wrote to memory of 3500	3964	java.exe	cmd.exe
PID 3500 wrote to memory of 3820	3500	cmd.exe	cscript.exe
PID 3500 wrote to memory of 3820	3500	cmd.exe	cscript.exe
PID 3964 wrote to memory of 1760	3964	java.exe	cmd.exe
PID 3964 wrote to memory of 1760	3964	java.exe	cmd.exe
PID 3172 wrote to memory of 884	3172	javaw.exe	WMIC.exe
PID 3172 wrote to memory of 884	3172	javaw.exe	WMIC.exe

Loads dropped DLL 1 IoCs

Processes:

javaw.exe

pid process

3172 javaw.exe

pid	process
3172	javaw.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	884	WMIC.exe
Token: SeSecurityPrivilege	884	WMIC.exe
Token: SeTakeOwnershipPrivilege	884	WMIC.exe
Token: SeLoadDriverPrivilege	884	WMIC.exe
Token: SeSystemProfilePrivilege	884	WMIC.exe
Token: SeSystemtimePrivilege	884	WMIC.exe
Token: SeProfSingleProcessPrivilege	884	WMIC.exe
Token: SeIncBasePriorityPrivilege	884	WMIC.exe
Token: SeCreatePagefilePrivilege	884	WMIC.exe
Token: SeBackupPrivilege	884	WMIC.exe
Token: SeRestorePrivilege	884	WMIC.exe
Token: SeShutdownPrivilege	884	WMIC.exe
Token: SeDebugPrivilege	884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	884	WMIC.exe
Token: SeRemoteShutdownPrivilege	884	WMIC.exe
Token: SeUndockPrivilege	884	WMIC.exe
Token: SeManageVolumePrivilege	884	WMIC.exe
Token: 33	884	WMIC.exe
Token: 34	884	WMIC.exe
Token: 35	884	WMIC.exe
Token: 36	884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	884	WMIC.exe
Token: SeSecurityPrivilege	884	WMIC.exe
Token: SeTakeOwnershipPrivilege	884	WMIC.exe
Token: SeLoadDriverPrivilege	884	WMIC.exe
Token: SeSystemProfilePrivilege	884	WMIC.exe
Token: SeSystemtimePrivilege	884	WMIC.exe
Token: SeProfSingleProcessPrivilege	884	WMIC.exe
Token: SeIncBasePriorityPrivilege	884	WMIC.exe
Token: SeCreatePagefilePrivilege	884	WMIC.exe
Token: SeBackupPrivilege	884	WMIC.exe
Token: SeRestorePrivilege	884	WMIC.exe
Token: SeShutdownPrivilege	884	WMIC.exe
Token: SeDebugPrivilege	884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	884	WMIC.exe
Token: SeRemoteShutdownPrivilege	884	WMIC.exe
Token: SeUndockPrivilege	884	WMIC.exe
Token: SeManageVolumePrivilege	884	WMIC.exe
Token: 33	884	WMIC.exe
Token: 34	884	WMIC.exe
Token: 35	884	WMIC.exe
Token: 36	884	WMIC.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2448 reg.exe
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2560 attrib.exe
2720 attrib.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

javaw.exejava.exejavaw.exejava.exe

pid process

3928 javaw.exe
3496 java.exe
3172 javaw.exe
3964 java.exe

pid	process
2448	reg.exe

pid	process
2560	attrib.exe
2720	attrib.exe

pid	process
3928	javaw.exe
3496	java.exe
3172	javaw.exe
3964	java.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\oLiRcQboziP = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\XtfbYFSllUG\\HSlpmBTQGBC.ckIzMd\""	reg.exe

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

Drops file in System32 directory 4 IoCs

Processes:

javaw.exejava.exejavaw.exejava.exe

description	ioc	process
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	java.exe
File created	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	java.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\IMG-29062020.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\xdssilkvar.js
2⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\szwjsw.txt"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
PID:3928

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.5500043542587664535895544992704730.class
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
PID:3496

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9102361154719635456.vbs
5⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9102361154719635456.vbs
6⤵
PID:3868

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3332808210308483435.vbs
5⤵
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3332808210308483435.vbs
6⤵
PID:804

C:\Windows\SYSTEM32\xcopy.exe
xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
5⤵
PID:1672

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
5⤵
PID:1592

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8900040432391221653.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8900040432391221653.vbs
5⤵
PID:3832

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6111636188304267445.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6111636188304267445.vbs
5⤵
PID:396

C:\Windows\SYSTEM32\xcopy.exe
xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
4⤵
PID:1356

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
4⤵
PID:1692

C:\Windows\SYSTEM32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v oLiRcQboziP /t REG_EXPAND_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\XtfbYFSllUG\HSlpmBTQGBC.ckIzMd\"" /f
4⤵
- Modifies registry key
- Adds Run entry to start application
PID:2448

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\Users\Admin\XtfbYFSllUG\*.*"
4⤵
- Views/modifies file attributes
PID:2560

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\Users\Admin\XtfbYFSllUG"
4⤵
- Views/modifies file attributes
PID:2720

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\XtfbYFSllUG\HSlpmBTQGBC.ckIzMd
4⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
PID:3172

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.64827634505706045298261972483566453.class
5⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
PID:3964

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1449502388640580975.vbs
6⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1449502388640580975.vbs
7⤵
PID:2684

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4710925469300568618.vbs
6⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4710925469300568618.vbs
7⤵
PID:3820

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
6⤵
PID:1760

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5550640236244372157.vbs
5⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5550640236244372157.vbs
6⤵
PID:1052

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7735343372693442479.vbs
5⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7735343372693442479.vbs
6⤵
PID:1576

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
5⤵
PID:3912

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive1449502388640580975.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive3332808210308483435.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive4710925469300568618.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive5550640236244372157.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive6111636188304267445.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive7735343372693442479.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive8900040432391221653.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive9102361154719635456.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.5500043542587664535895544992704730.class

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.64827634505706045298261972483566453.class

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2066881839-3229799743-3576549721-1000\83aa4cc77f591dfc2374580bbd95f6ba_664a9041-4ac4-46f3-b3dc-87db4d57890e

Download Submit
C:\Users\Admin\AppData\Roaming\szwjsw.txt

Download Submit
C:\Users\Admin\XtfbYFSllUG\HSlpmBTQGBC.ckIzMd

Download Submit
C:\Users\Admin\XtfbYFSllUG\ID.txt

Download Submit
C:\Users\Admin\fUTkALeaTxM\ID.txt

Download Submit
C:\Users\Admin\xdssilkvar.js

Download Submit
C:\Windows\System32\test.txt

Download Submit
C:\Windows\System32\test.txt

Download Submit
C:\Windows\System32\test.txt

Download Submit
\Users\Admin\AppData\Local\Temp\Windows1536363767033249568.dll

Download Submit
memory/396-37-0x0000000000000000-mapping.dmp

Download
memory/416-34-0x0000000000000000-mapping.dmp

Download
memory/540-35-0x0000000000000000-mapping.dmp

Download
memory/804-36-0x0000000000000000-mapping.dmp

Download
memory/848-67-0x0000000000000000-mapping.dmp

Download
memory/884-103-0x0000000000000000-mapping.dmp

Download
memory/1052-70-0x0000000000000000-mapping.dmp

Download
memory/1356-43-0x0000000000000000-mapping.dmp

Download
memory/1576-76-0x0000000000000000-mapping.dmp

Download
memory/1580-75-0x0000000000000000-mapping.dmp

Download
memory/1592-46-0x0000000000000000-mapping.dmp

Download
memory/1672-42-0x0000000000000000-mapping.dmp

Download
memory/1692-44-0x0000000000000000-mapping.dmp

Download
memory/1760-93-0x0000000000000000-mapping.dmp

Download
memory/2144-79-0x0000000000000000-mapping.dmp

Download
memory/2448-49-0x0000000000000000-mapping.dmp

Download
memory/2560-50-0x0000000000000000-mapping.dmp

Download
memory/2684-81-0x0000000000000000-mapping.dmp

Download
memory/2720-51-0x0000000000000000-mapping.dmp

Download
memory/3036-25-0x0000000000000000-mapping.dmp

Download
memory/3172-52-0x0000000000000000-mapping.dmp

Download
memory/3496-7-0x0000000000000000-mapping.dmp

Download
memory/3500-88-0x0000000000000000-mapping.dmp

Download
memory/3816-1-0x0000000000000000-mapping.dmp

Download
memory/3820-89-0x0000000000000000-mapping.dmp

Download
memory/3820-24-0x0000000000000000-mapping.dmp

Download
memory/3832-28-0x0000000000000000-mapping.dmp

Download
memory/3868-32-0x0000026EA9A70000-0x0000026EA9A74000-memory.dmp

Filesize
16KB

Download
memory/3868-29-0x0000000000000000-mapping.dmp

Download
memory/3912-84-0x0000000000000000-mapping.dmp

Download
memory/3928-3-0x0000000000000000-mapping.dmp

Download
memory/3964-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads