adwind | b2cfb719020e4c18fe7978bdf369e5c1fae69dd83260308747c608f4bdd8ecdb

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-en-20211014
submitted
07-12-2021 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO.211071(123).jar
Size

645KB
MD5

a114fe4550c52315ccac4b1fa42341a1
SHA1

cc572372b215e0f17fcfc04170dc3256f345f3c2
SHA256

b2cfb719020e4c18fe7978bdf369e5c1fae69dd83260308747c608f4bdd8ecdb
SHA512

60d097590b7291593180b80591d64bb7de36ef586db28f45d4b625bdbf036f98ddf5648e2aeaab016efe103034fc0335ed7fe38275cc11c5f8135379faadb2b0

Score

10^/10

adwind vjw0rm persistence trojan worm

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exe

flow pid process

5 412 WScript.exe
7 412 WScript.exe
10 412 WScript.exe
13 412 WScript.exe
14 412 WScript.exe
15 412 WScript.exe

flow	pid	process
5	412	WScript.exe
7	412	WScript.exe
10	412	WScript.exe
13	412	WScript.exe
14	412	WScript.exe
15	412	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oNBUwFBmaC.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oNBUwFBmaC.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\oNBUwFBmaC.js\""	WScript.exe

Drops file in System32 directory 2 IoCs

Processes:

java.exejavaw.exe

description ioc process

File created C:\Windows\System32\test.txt java.exe
File opened for modification C:\Windows\System32\test.txt javaw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

1364 regedit.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

java.exejavaw.exe

pid process

1836 java.exe
1644 javaw.exe

description	ioc	process
File created	C:\Windows\System32\test.txt	java.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe

pid	process
1364	regedit.exe

pid	process
1836	java.exe
1644	javaw.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

java.exewscript.exejavaw.exejava.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 948 wrote to memory of 1312	948	java.exe	wscript.exe
PID 948 wrote to memory of 1312	948	java.exe	wscript.exe
PID 948 wrote to memory of 1312	948	java.exe	wscript.exe
PID 1312 wrote to memory of 412	1312	wscript.exe	WScript.exe
PID 1312 wrote to memory of 412	1312	wscript.exe	WScript.exe
PID 1312 wrote to memory of 412	1312	wscript.exe	WScript.exe
PID 1312 wrote to memory of 1644	1312	wscript.exe	javaw.exe
PID 1312 wrote to memory of 1644	1312	wscript.exe	javaw.exe
PID 1312 wrote to memory of 1644	1312	wscript.exe	javaw.exe
PID 1644 wrote to memory of 1836	1644	javaw.exe	java.exe
PID 1644 wrote to memory of 1836	1644	javaw.exe	java.exe
PID 1644 wrote to memory of 1836	1644	javaw.exe	java.exe
PID 1644 wrote to memory of 1632	1644	javaw.exe	cmd.exe
PID 1644 wrote to memory of 1632	1644	javaw.exe	cmd.exe
PID 1644 wrote to memory of 1632	1644	javaw.exe	cmd.exe
PID 1836 wrote to memory of 916	1836	java.exe	cmd.exe
PID 1836 wrote to memory of 916	1836	java.exe	cmd.exe
PID 1836 wrote to memory of 916	1836	java.exe	cmd.exe
PID 916 wrote to memory of 288	916	cmd.exe	cscript.exe
PID 916 wrote to memory of 288	916	cmd.exe	cscript.exe
PID 916 wrote to memory of 288	916	cmd.exe	cscript.exe
PID 1632 wrote to memory of 1552	1632	cmd.exe	cscript.exe
PID 1632 wrote to memory of 1552	1632	cmd.exe	cscript.exe
PID 1632 wrote to memory of 1552	1632	cmd.exe	cscript.exe
PID 1644 wrote to memory of 1528	1644	javaw.exe	cmd.exe
PID 1644 wrote to memory of 1528	1644	javaw.exe	cmd.exe
PID 1644 wrote to memory of 1528	1644	javaw.exe	cmd.exe
PID 1836 wrote to memory of 1056	1836	java.exe	cmd.exe
PID 1836 wrote to memory of 1056	1836	java.exe	cmd.exe
PID 1836 wrote to memory of 1056	1836	java.exe	cmd.exe
PID 1528 wrote to memory of 884	1528	cmd.exe	cscript.exe
PID 1528 wrote to memory of 884	1528	cmd.exe	cscript.exe
PID 1528 wrote to memory of 884	1528	cmd.exe	cscript.exe
PID 1056 wrote to memory of 1652	1056	cmd.exe	cscript.exe
PID 1056 wrote to memory of 1652	1056	cmd.exe	cscript.exe
PID 1056 wrote to memory of 1652	1056	cmd.exe	cscript.exe
PID 1644 wrote to memory of 600	1644	javaw.exe	xcopy.exe
PID 1644 wrote to memory of 600	1644	javaw.exe	xcopy.exe
PID 1644 wrote to memory of 600	1644	javaw.exe	xcopy.exe
PID 1836 wrote to memory of 1224	1836	java.exe	xcopy.exe
PID 1836 wrote to memory of 1224	1836	java.exe	xcopy.exe
PID 1836 wrote to memory of 1224	1836	java.exe	xcopy.exe
PID 1836 wrote to memory of 1080	1836	java.exe	cmd.exe
PID 1836 wrote to memory of 1080	1836	java.exe	cmd.exe
PID 1836 wrote to memory of 1080	1836	java.exe	cmd.exe
PID 1644 wrote to memory of 288	1644	javaw.exe	cmd.exe
PID 1644 wrote to memory of 288	1644	javaw.exe	cmd.exe
PID 1644 wrote to memory of 288	1644	javaw.exe	cmd.exe
PID 1644 wrote to memory of 324	1644	javaw.exe	cmd.exe
PID 1644 wrote to memory of 324	1644	javaw.exe	cmd.exe
PID 1644 wrote to memory of 324	1644	javaw.exe	cmd.exe
PID 324 wrote to memory of 1364	324	cmd.exe	regedit.exe
PID 324 wrote to memory of 1364	324	cmd.exe	regedit.exe
PID 324 wrote to memory of 1364	324	cmd.exe	regedit.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PO.211071(123).jar
1⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\_output.js
2⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oNBUwFBmaC.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:412

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\lpqmaoxkcd.txt"
3⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.242127480059964877908426036616068547.class
4⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1226309647230100232.vbs
5⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1226309647230100232.vbs
6⤵
PID:288

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5971684168347707365.vbs
5⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5971684168347707365.vbs
6⤵
PID:1652

C:\Windows\system32\xcopy.exe
xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
5⤵
PID:1224

C:\Windows\system32\cmd.exe
cmd.exe
5⤵
PID:1080

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8489099709813611207.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8489099709813611207.vbs
5⤵
PID:1552

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3876351846794042301.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3876351846794042301.vbs
5⤵
PID:884

C:\Windows\system32\xcopy.exe
xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
4⤵
PID:600

C:\Windows\system32\cmd.exe
cmd.exe
4⤵
PID:288

C:\Windows\system32\cmd.exe
cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\DQtgRftZFu7936448397834396162.reg
4⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\DQtgRftZFu7936448397834396162.reg
5⤵
- Runs .reg file with regedit
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Retrive1226309647230100232.vbs
MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive3876351846794042301.vbs
MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive5971684168347707365.vbs
MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive8489099709813611207.vbs
MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.242127480059964877908426036616068547.class
MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2955169046-2371869340-1800780948-1000\83aa4cc77f591dfc2374580bbd95f6ba_db4d14ed-021a-404a-968d-cb66a4d24831
MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\lpqmaoxkcd.txt
MD5
529b64eed8dec07be4c72502b77edfcd

SHA1
6f59cd6c20a49e1a6edb7102f7c3e9b0054c145a

SHA256
a69d1333c5c455c84db529905e03dd3ab28a5708730f75267262b730b9da25ef

SHA512
b5b88a16795c465b4e2ba192e108afbf6b0be051dd0b65150e58eed389e2f542977ffc08da03f4b1d5665f92d36ffdbd2809d6b51f8bea0be7248d4eaf5cd7e6

Download Submit
C:\Users\Admin\AppData\Roaming\oNBUwFBmaC.js
MD5
d89e1fab29610e8b10d94c6c38390b51

SHA1
17ced828e15afe2af1d39da994be3b166173c9f6

SHA256
b4bb442b04053e01e444cd22081854f871f893fdd91ca197664b2499a76b25bb

SHA512
728403666ba3b234117c242ae1b97673313a567c303f7289a4fd31c7df68db18c9f823cd503b9f6aae8e5a190b3c4e678e19bdc76468435c568ccde40744dae0

Download Submit
C:\Users\Admin\_output.js
MD5
3169f14df32bb6684f71fe30dafafd14

SHA1
1bbeae529da6059317383e2d600af8add4a37a01

SHA256
25511c466f3592e9a0f16450aaecd7be9f47a7672c10c86848a5d7e2bde1ac18

SHA512
13b12e87fd54abce54e628636e3d96474d1a659d6a47a0d3166197886a027e6f8cd0983d72872e4d26d514e00d384dcfb52ff92baebc2fd1702b39fb9d01940f

Download Submit
C:\Windows\System32\test.txt
MD5
278d4b5249a1b91a9c46f263e9f213be

SHA1
873dfd1393017e73ee9c98e64cd621b0d8a59eb0

SHA256
91756ee8ed3bc9b7b315c675aa9262c06c99a7699037699f26f6cde00bff44a8

SHA512
dc46da7ba136bcdbcf008065c76ea3801714c73b5c40c3dade6c91e53f41e2a2f51c6e812f4f2a92c363ba36868cdeb0bd4f857f0ed17d275fc26d7bc33ac26e

Download Submit
memory/288-81-0x0000000000000000-mapping.dmp

Download
memory/288-127-0x0000000000000000-mapping.dmp

Download
memory/324-130-0x0000000000000000-mapping.dmp

Download
memory/412-63-0x0000000000000000-mapping.dmp

Download
memory/600-91-0x0000000000000000-mapping.dmp

Download
memory/884-87-0x0000000000000000-mapping.dmp

Download
memory/916-80-0x0000000000000000-mapping.dmp

Download
memory/948-60-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/948-58-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/948-57-0x00000000021B0000-0x0000000002420000-memory.dmp

Filesize
2.4MB

Download
memory/948-56-0x00000000021B0000-0x0000000002420000-memory.dmp

Filesize
2.4MB

Download
memory/948-55-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/1056-86-0x0000000000000000-mapping.dmp

Download
memory/1080-93-0x0000000000000000-mapping.dmp

Download
memory/1224-92-0x0000000000000000-mapping.dmp

Download
memory/1312-59-0x0000000000000000-mapping.dmp

Download
memory/1364-133-0x0000000000000000-mapping.dmp

Download
memory/1528-85-0x0000000000000000-mapping.dmp

Download
memory/1552-82-0x0000000000000000-mapping.dmp

Download
memory/1632-79-0x0000000000000000-mapping.dmp

Download
memory/1644-78-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1644-77-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1644-125-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1644-131-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1644-129-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1644-128-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1644-65-0x0000000000000000-mapping.dmp

Download
memory/1644-69-0x0000000002250000-0x00000000024C0000-memory.dmp

Filesize
2.4MB

Download
memory/1652-88-0x0000000000000000-mapping.dmp

Download
memory/1836-100-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1836-98-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1836-97-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1836-95-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1836-94-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1836-70-0x0000000000000000-mapping.dmp

Download
memory/1836-74-0x0000000002210000-0x0000000002480000-memory.dmp

Filesize
2.4MB

Download
memory/1836-76-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download