Analysis

- Max time kernel: 153s
- Max time network: 153s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 20-05-2022 22:40

Static task: static1

Behavioral task: behavioral1
- Sample: 8459965329622cb67c7d3fe397ed100a25b57ee3e9f7695b4db0ddaa94035e88.jar
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 8459965329622cb67c7d3fe397ed100a25b57ee3e9f7695b4db0ddaa94035e88.jar
- Resource: win10v2004-20220414-en
General

- Target: 8459965329622cb67c7d3fe397ed100a25b57ee3e9f7695b4db0ddaa94035e88.jar
- Size: 62KB
- MD5: e0b96fd8590ee49258f39eaebf8df251
- SHA1: d9485c70b5e939b536a993997e7b53098f51025b
- SHA256: 8459965329622cb67c7d3fe397ed100a25b57ee3e9f7695b4db0ddaa94035e88
- SHA512: 91e3fda821b4ad5626110063e31d20b5b58dbde05e043697a866fd278a58bdb55c2ff4f104e8bf44014b890a392581a7817320e1528b9517ec85026a70b45384
Malware Config

Signatures

- JAR file contains resources related to AdWind (1 IoC)
  This JAR file potentially contains loader stubs used by the AdWind RAT.
  resource / yara_rule:
  - C:\Users\Admin\AppData\Roaming\Microsoftpostsqdqsd\Microsoftpostqsds.jar / family_adwind_stub

- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: reg.exe, reg.exe
  description / ioc / process (each entry recorded once per reg.exe instance):
  - Key created / \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run / reg.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoftpost = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoftpostsqdqsd\\Microsoftpostqsds.jar\"" / reg.exe

- Drops desktop.ini file(s) (2 IoCs)
  Processes: java.exe, attrib.exe
  description / ioc / process:
  - File created / C:\Users\Admin\AppData\Roaming\Microsoftpostsqdqsd\Desktop.ini / java.exe
  - File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoftpostsqdqsd\Desktop.ini / attrib.exe

- Modifies registry key (1 TTP, 4 IoCs)
  pid / process:
  - 4948 reg.exe
  - 4904 reg.exe
  - 3104 reg.exe
  - 3472 reg.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / process:
  - 5016 java.exe
  - 1588 javaw.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  description / pid / process / target process (each pair recorded twice):
  - PID 5016 wrote to memory of 4904 / 5016 java.exe / reg.exe
  - PID 5016 wrote to memory of 3104 / 5016 java.exe / reg.exe
  - PID 5016 wrote to memory of 1304 / 5016 java.exe / attrib.exe
  - PID 5016 wrote to memory of 2184 / 5016 java.exe / attrib.exe
  - PID 5016 wrote to memory of 1588 / 5016 java.exe / javaw.exe
  - PID 1588 wrote to memory of 3472 / 1588 javaw.exe / reg.exe
  - PID 1588 wrote to memory of 4948 / 1588 javaw.exe / reg.exe
  - PID 1588 wrote to memory of 1360 / 1588 javaw.exe / attrib.exe

- Views/modifies file attributes (1 TTP, 3 IoCs)
  pid / process:
  - 1304 attrib.exe
  - 2184 attrib.exe
  - 1360 attrib.exe
Processes

- C:\ProgramData\Oracle\Java\javapath\java.exe
  java -jar C:\Users\Admin\AppData\Local\Temp\8459965329622cb67c7d3fe397ed100a25b57ee3e9f7695b4db0ddaa94035e88.jar
  - Drops desktop.ini file(s)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SYSTEM32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoftpost /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\Microsoftpostsqdqsd\Microsoftpostqsds.jar\"" /f
    - Adds Run key to start application
    - Modifies registry key

  - C:\Windows\SYSTEM32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoftpost /f
    - Modifies registry key

  - C:\Windows\SYSTEM32\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Microsoftpostsqdqsd\*.*"
    - Drops desktop.ini file(s)
    - Views/modifies file attributes

  - C:\Windows\SYSTEM32\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Microsoftpostsqdqsd"
    - Views/modifies file attributes

  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Microsoftpostsqdqsd\Microsoftpostqsds.jar"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SYSTEM32\reg.exe
      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoftpost /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\Microsoftpostsqdqsd\Microsoftpostqsds.jar\"" /f
      - Adds Run key to start application
      - Modifies registry key

    - C:\Windows\SYSTEM32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Microsoftpost /f
      - Modifies registry key

    - C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\.Plugins3
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
  Filesize: 50B
  MD5: 7adf605a80d826b5afd0b47109b1ad0c
  SHA1: 2bc475ed5a8cdcfcac184a16b932da2352de6313
  SHA256: 2e79f068353aa542c6b8552223b4c801dfd84a378f7ecffd9f279dc2b9fae3f7
  SHA512: 881e0926b6813c98bb120ee9fa7393828fac6f241ab17493851a6de586a5bc32b17c6e95cb1bcc2466b09466116653ca99cec74663b4529389d69eb79360a89d

- C:\Users\Admin\AppData\Roaming\Microsoftpostsqdqsd\Desktop.ini
  Filesize: 63B
  MD5: e783bdd20a976eaeaae1ff4624487420
  SHA1: c2a44fab9df00b3e11582546b16612333c2f9286
  SHA256: 2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3
  SHA512: 8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80

- C:\Users\Admin\AppData\Roaming\Microsoftpostsqdqsd\Microsoftpostqsds.jar
  Filesize: 62KB
  MD5: e0b96fd8590ee49258f39eaebf8df251
  SHA1: d9485c70b5e939b536a993997e7b53098f51025b
  SHA256: 8459965329622cb67c7d3fe397ed100a25b57ee3e9f7695b4db0ddaa94035e88
  SHA512: 91e3fda821b4ad5626110063e31d20b5b58dbde05e043697a866fd278a58bdb55c2ff4f104e8bf44014b890a392581a7817320e1528b9517ec85026a70b45384