Analysis

  • max time kernel
    203s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 23:08

General

  • Target

    73d4e82c16b44e54e1d6fa7aea02dbfda6c68ecf53a0c344f71976c396646cbd.jar

  • Size

    290KB

  • MD5

    415b4fbe68f380c0d99f74e78e53405e

  • SHA1

    464f84b93b94361da11ad006a7dad78c9bd27134

  • SHA256

    73d4e82c16b44e54e1d6fa7aea02dbfda6c68ecf53a0c344f71976c396646cbd

  • SHA512

    932206ce85b4e774d404e388fc35444f6708c4d2e70b3240477872d5b6bed17a22de0b62f1475f920aa55498b29ddb369f5e026af6396a696c757c476e5ca8f2

Score
10/10

Malware Config

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\73d4e82c16b44e54e1d6fa7aea02dbfda6c68ecf53a0c344f71976c396646cbd.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\ProgramData\Oracle\Java\javapath\java.exe
      java -jar C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF6161718763833404654.JAR istmp
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3239256841136127608.vbs
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\system32\cscript.exe
          cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3239256841136127608.vbs
          4⤵
          PID:856
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2147182563360349040.vbs
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\system32\cscript.exe
          cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2147182563360349040.vbs
          4⤵
          PID:1096
      • C:\Windows\SYSTEM32\xcopy.exe
        xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
        3⤵
        PID:4196
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe
        3⤵
        PID:4508
      • C:\Windows\SYSTEM32\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v QYraFnSZOca /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\WCUkqDHuYPW.jpg\WUFKYxLvepBd.JStdFc\"" /f
        3⤵
        • Modifies registry key
        PID:4360
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h "C:\Users\Admin\WCUkqDHuYPW.jpg"
        3⤵
        • Views/modifies file attributes
        PID:2044
      • C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
        C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\WCUkqDHuYPW.jpg\WUFKYxLvepBd.JStdFc
        3⤵
        • Executes dropped EXE
        PID:1824
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h "C:\Users\Admin\WCUkqDHuYPW.jpg\*.*"
        3⤵
        • Views/modifies file attributes
        PID:4512
    • C:\Windows\SYSTEM32\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "REalTechInfo" /t REG_SZ /F /D "java -jar "C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF6161718763833404654.JAR istmp""
      2⤵
      PID:3348
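The process tree records the complete AdWind persistence chain: the dropped copy of the JAR (same hashes as the submitted sample) is re-launched from %TEMP%, xcopy clones the installed JRE into AppData\Roaming\Oracle, reg.exe registers two Run values (one pointing at the private javaw.exe and the renamed payload inside a hidden ".jpg" directory, one at the Temp JAR), attrib hides the drop, and the private javaw.exe then runs the payload. As an added example, not part of the sandbox report, the following Python evaluates process-creation events against each link of that chain and gives a chain-level verdict when the two strongest links co-occur. The event list is constructed from the command lines in the tree plus one benign control launch (PID 9999); the rule names and thresholds are this example's own.

```python
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    image: str    # full path of the created process
    cmdline: str  # its command line as logged


# Constructed sample events: command lines copied from the sandbox process tree,
# plus one benign control launch (PID 9999) that must not fire anything.
SAMPLE_EVENTS = [
    ProcEvent(4908, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r"java -jar C:\Users\Admin\AppData\Local\Temp\73d4e82c16b44e54e1d6fa7aea02dbfda6c68ecf53a0c344f71976c396646cbd.jar"),
    ProcEvent(4812, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r"java -jar C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF6161718763833404654.JAR istmp"),
    ProcEvent(4196, r"C:\Windows\SYSTEM32\xcopy.exe",
              r'xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e'),
    ProcEvent(4360, r"C:\Windows\SYSTEM32\reg.exe",
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v QYraFnSZOca /t REG_EXPAND_SZ '
              r'/d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\WCUkqDHuYPW.jpg\WUFKYxLvepBd.JStdFc\"" /f'),
    ProcEvent(2044, r"C:\Windows\SYSTEM32\attrib.exe",
              r'attrib +h "C:\Users\Admin\WCUkqDHuYPW.jpg"'),
    ProcEvent(1824, r"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe",
              r"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\WCUkqDHuYPW.jpg\WUFKYxLvepBd.JStdFc"),
    ProcEvent(3348, r"C:\Windows\SYSTEM32\REG.exe",
              r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "REalTechInfo" /t REG_SZ /F '
              r'/D "java -jar "C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF6161718763833404654.JAR istmp""'),
    ProcEvent(9999, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Program Files\SomeApp\app.jar"'),
]

USER_PROFILE = re.compile(r"(?i)[a-z]:\\Users\\[^\\]+\\")   # anything under C:\Users\<name>\
TEMP_DIR = re.compile(r"(?i)\\AppData\\Local\\Temp\\")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run\b")
JAVA_BINS = {"java.exe", "javaw.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Each rule is one observable link of the chain; the names are this example's own.
def rule_run_key_java(ev: ProcEvent) -> bool:
    # reg add to a Run key whose data launches java/javaw with a target under a user profile
    return (basename(ev.image) == "reg.exe"
            and re.search(r"(?i)\breg(?:\.exe)?\s+add\b", ev.cmdline) is not None
            and RUN_KEY.search(ev.cmdline) is not None
            and re.search(r"(?i)\s/d\s", ev.cmdline) is not None
            and re.search(r"(?i)\bjavaw?(?:\.exe)?\b", ev.cmdline) is not None
            and USER_PROFILE.search(ev.cmdline) is not None)


def rule_jre_copy_to_profile(ev: ProcEvent) -> bool:
    # an installed JRE copied into a user profile, so the Run value can point at a private javaw.exe
    return (basename(ev.image) in {"xcopy.exe", "robocopy.exe"}
            and re.search(r"(?i)Program Files(?: \(x86\))?\\Java\\", ev.cmdline) is not None
            and USER_PROFILE.search(ev.cmdline) is not None)


def rule_hide_in_profile(ev: ProcEvent) -> bool:
    # attrib +h on a path under a user profile
    return (basename(ev.image) == "attrib.exe" and "+h" in ev.cmdline.lower()
            and USER_PROFILE.search(ev.cmdline) is not None)


def rule_java_from_profile(ev: ProcEvent) -> bool:
    # a Java launcher executing from under a user profile rather than from an installed JRE
    return basename(ev.image) in JAVA_BINS and USER_PROFILE.search(ev.image) is not None


def rule_jar_from_temp(ev: ProcEvent) -> bool:
    # java -jar on a JAR in %TEMP%: noisy on its own, but it is the first link of this chain
    return (basename(ev.image) in JAVA_BINS
            and re.search(r"(?i)\s-jar\s", ev.cmdline) is not None
            and TEMP_DIR.search(ev.cmdline) is not None)


RULES = [("run_key_java", rule_run_key_java), ("jre_copy_to_profile", rule_jre_copy_to_profile),
         ("hide_in_profile", rule_hide_in_profile), ("java_from_profile", rule_java_from_profile),
         ("jar_from_temp", rule_jar_from_temp)]


def evaluate(events):
    """Return {pid: [rule names that fired]}, omitting PIDs with no hits."""
    hits = {}
    for ev in events:
        fired = [name for name, fn in RULES if fn(ev)]
        if fired:
            hits[ev.pid] = fired
    return hits


def chain_detected(hits) -> bool:
    """High-confidence verdict: a Run value launching Java plus a Java runtime started from a profile."""
    fired = {name for names in hits.values() for name in names}
    return {"run_key_java", "java_from_profile"} <= fired


if __name__ == "__main__":
    result = evaluate(SAMPLE_EVENTS)
    for pid, names in sorted(result.items()):
        print(f"PID {pid}: {', '.join(names)}")
    print("persistence chain:", "DETECTED" if chain_detected(result) else "not detected")
```

Run as a script it prints the per-PID hits and the chain verdict. The Run-key rule alone may fire on software that installs a per-user Java runtime, which is why the verdict also requires a Java launcher executing from inside the profile; the same ProcEvent records can be filled from Sysmon Event ID 1 or Windows Security event 4688 fields.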

Network

MITRE ATT&CK Enterprise v6

Downloads

            • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

              Filesize

              50B

              MD5

              69709f3c93d6b53ab94641fff57ec8f2

              SHA1

              5a88f115b8c073b306cd39493febfbbb49a13e07

              SHA256

              26f3cb863033d1e0ded648df8db043ae718f1a422bb5b7f1c4dd81c4926f7f11

              SHA512

              6178cb8aa2ae885c203d44916f796d7befe466c9caeaf6c6938d8daac8290ad60f754f4fd2ad8fa818e50a42f92509f576718ec80db57a4c82d0e51b41c45027

            • C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF6161718763833404654.JAR

              Filesize

              290KB

              MD5

              415b4fbe68f380c0d99f74e78e53405e

              SHA1

              464f84b93b94361da11ad006a7dad78c9bd27134

              SHA256

              73d4e82c16b44e54e1d6fa7aea02dbfda6c68ecf53a0c344f71976c396646cbd

              SHA512

              932206ce85b4e774d404e388fc35444f6708c4d2e70b3240477872d5b6bed17a22de0b62f1475f920aa55498b29ddb369f5e026af6396a696c757c476e5ca8f2

            • C:\Users\Admin\AppData\Local\Temp\Retrive2147182563360349040.vbs

              Filesize

              281B

              MD5

              a32c109297ed1ca155598cd295c26611

              SHA1

              dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

              SHA256

              45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

              SHA512

              70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

            • C:\Users\Admin\AppData\Local\Temp\Retrive3239256841136127608.vbs

              Filesize

              276B

              MD5

              3bdfd33017806b85949b6faa7d4b98e4

              SHA1

              f92844fee69ef98db6e68931adfaa9a0a0f8ce66

              SHA256

              9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

              SHA512

              ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

            • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2632097139-1792035885-811742494-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c37a701-1043-4f89-b4d1-d05ed25c6971

              Filesize

              45B

              MD5

              c8366ae350e7019aefc9d1e6e6a498c6

              SHA1

              5731d8a3e6568a5f2dfbbc87e3db9637df280b61

              SHA256

              11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

              SHA512

              33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

              Filesize

              155KB

              MD5

              ce330d52fc60db54ddfb463ad2280722

              SHA1

              9506dfdaf3db5636a45b6e06006670387c62746c

              SHA256

              ec55bc29ddec5cfbe53cb366b6d1ce5011323f48b8411f22e27ba8dfe7cfbea9

              SHA512

              56e4cb6d55b166fbcaa2feeaa80b230f109cedadba2af0d7dfef80ae6289a49c00515f4d00e70d34355bc13ac98cc200b6a298046ce63e55f6c7a05668bd181c

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

              Filesize

              202KB

              MD5

              aa120c29e7202ce9ae9c0752284c7e36

              SHA1

              94e7d33ccab298c67b1cc816d3c228cc7e6b84e4

              SHA256

              449036069e2bfe7ec052a614be07ad7105a3203d974d46423c0c32d6ce888661

              SHA512

              1442856f08213f4a356cd404c50a65a12b908f6fb86c299d636af595577ef8af82294ad4237fbb025578b946e8f179b9eed0f6d6c4aa88970bfb228ae8c767f8

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll

              Filesize

              809KB

              MD5

              df3ca8d16bded6a54977b30e66864d33

              SHA1

              b7b9349b33230c5b80886f5c1f0a42848661c883

              SHA256

              1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

              SHA512

              951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll

              Filesize

              1.1MB

              MD5

              28d5b414c0e548a139b977921e0087f6

              SHA1

              13ad3757de05fb8992e0522b5d3de39247e60cbd

              SHA256

              b1dfd4d86a641dadcb3878d9c11aa53afacbf17b98f6b2e00994341cbb555f24

              SHA512

              8c673ff412b9deb8bc490065a9cad1b77ab9a6fcd134e32acb67d4f2774411c81fdcd12e1c0632e80b193e73b5af319ba8dff668e279a46bbd1ae281e10e6b74

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll

              Filesize

              896KB

              MD5

              34dc63a0055aeb62d12621a972bcb2ce

              SHA1

              03af91d6055c03c79a0f7410fe9014e3e54b554f

              SHA256

              b87955963952ec60d112ca5bdaee2e6408f8c5400b33f4a1529274da3e5c0d8f

              SHA512

              166f0f9d4b1dc73448320148d63a420fc2e545d7e561a847d1470e7ec09df8c2da997474023a529fad274aa7d35e839836a81624e412ce9ff95b6f6eba3d3118

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll

              Filesize

              48KB

              MD5

              b140730c68a0d3e52d4533f4fb32dce8

              SHA1

              82687e557c57534f1e54f14a016eaac0f375e83d

              SHA256

              88cabc3823364a5abf3525f0aeaee11ba7353796e78cfb1aa5c047c35db2d943

              SHA512

              9f1cdee973c9c16b2f965118e12df571410c8e5bfb010e8738231ad59548c2999673f57f963cb3e4a2d71d6bc4fd714b4624556ed3530fa9b987a82fa5c7d4fe

            • C:\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll

              Filesize

              75KB

              MD5

              a56686411fc41f3abeea19f129935ee9

              SHA1

              6cb98bbc9d0e779a44dd0608cb2c7645c33de4e6

              SHA256

              0f906562f61761f3c66150362abfb04b4ca37c82071e91cc89d43fac5d7425ec

              SHA512

              be74f0a89c702e189d617a96d6b36506777c48ad41a2daaf43d7bf5719b8055de34ee567417b75ee6fadc1fa740a7e1c5f8d890723890b2c9e49965e469f352e

            • C:\Users\Admin\AppData\Roaming\Oracle\lib\amd64\jvm.cfg

              Filesize

              634B

              MD5

              499f2a4e0a25a41c1ff80df2d073e4fd

              SHA1

              e2469cbe07e92d817637be4e889ebb74c3c46253

              SHA256

              80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

              SHA512

              7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

            • C:\Users\Admin\AppData\Roaming\Oracle\lib\meta-index

              Filesize

              2KB

              MD5

              91aa6ea7320140f30379f758d626e59d

              SHA1

              3be2febe28723b1033ccdaa110eaf59bbd6d1f96

              SHA256

              4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4

              SHA512

              03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

            • C:\Users\Admin\AppData\Roaming\Oracle\lib\rt.jar

              Filesize

              512KB

              MD5

              c17d841b4946949dccc0a972894db0d1

              SHA1

              1bf122e3f1a21e35bdbc8ce420ea0c35cfd167b5

              SHA256

              9a80d24dd39089da694e67c8971fb59a3fb892f55083c8cd5fc970a770cea71e

              SHA512

              6ea8a196483cae2100bde0176887ddc0d822aaf506b5da7435fd564027d19fa3efd49c82cffad0e26d355654e13a2522c64cfaeaf559452b08827b44a91fcf6b

            • C:\Users\Admin\WCUkqDHuYPW.jpg\ID.txt

              Filesize

              47B

              MD5

              0d912fa49a3ba6f156ffb68bbb709c4d

              SHA1

              bb47003678dc711c757dd4df7e25f277c5c01ec9

              SHA256

              506c9c98eca046352e3fc8834637497d5e25bf3929e3bfd72b6e987316254fde

              SHA512

              c6b9962d791b3c0adb9c94195d623bdc2564f6a85a841fa03147fe20f906d9dc35e352cf736de86ef0e236a029e7de5a11ce0a76488d26a56fe13898842e70ae

            • C:\Users\Admin\WCUkqDHuYPW.jpg\WUFKYxLvepBd.JStdFc

              Filesize

              248KB

              MD5

              119e36f35b39c6a5b885abfc40ee7d81

              SHA1

              d07cd5766109293c1f20810f53595904deb22323

              SHA256

              0f960a7b4eb536a48eca9a9eb170f6997c11ffe64852bbb3148aafd1498ba448

              SHA512

              449bbc745bd4fa5b4ed47b6cdb5ad5906e6585a27d66471778be79563df11592acca4aaba77874d0932ff6c13689c5be48aedeca18a3464ef1e5387b79801088

            • memory/4812-176-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-169-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-191-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-190-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-189-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-181-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-182-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-175-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-174-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-173-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-172-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-194-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-168-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-167-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-166-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-165-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-164-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-156-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4812-155-0x0000000002A60000-0x0000000003A60000-memory.dmp

              Filesize

              16.0MB

            • memory/4908-134-0x00000000026E0000-0x00000000036E0000-memory.dmp

              Filesize

              16.0MB

            • memory/4908-139-0x00000000026E0000-0x00000000036E0000-memory.dmp

              Filesize

              16.0MB