adwind | 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651

General

Target

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe
Size

813KB
MD5

c78cc437caa7edfc9c3494c58b017e8a
SHA1

61cbbf0bef3c282c12a88fa927ce1447caffb3f7
SHA256

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651
SHA512

bf049956c7cbf887820027f658a89f3833dccef089b50beaf3d60b8a8e539947728710d218a03d5948e9ae9b15e6640557425822daa57ef4b248bba7e81431f5

Score

10^/10

adwind netwire botnet rat stealer trojan

Malware Config

Extracted

Family

netwire

C2

blackhills.ddns.net:1030

213.183.58.34:1031

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
Lord Of Sabbath
install_path
%AppData%\Roaming\svchost.exe
lock_executable
true
mutex
conhost
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
true

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2016-65-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2016-69-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2016-71-0x00000000004022CA-mapping.dmp	netwire
behavioral1/memory/2016-74-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2016-78-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1308 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

2016 svchost.exe

pid	process
1308	svchost.exe

pid	process
2016	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe

description	pid	process	target process
PID 848 set thread context of 2016	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1292 schtasks.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

javaw.exejava.exe

pid process

1696 javaw.exe
1468 java.exe

pid	process
1292	schtasks.exe

pid	process
1696	javaw.exe
1468	java.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exesvchost.exejavaw.exejava.execmd.execmd.exe

description	pid	process	target process
PID 848 wrote to memory of 1292	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	schtasks.exe
PID 848 wrote to memory of 1292	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	schtasks.exe
PID 848 wrote to memory of 1292	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	schtasks.exe
PID 848 wrote to memory of 1292	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	schtasks.exe
PID 848 wrote to memory of 2016	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 848 wrote to memory of 2016	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 848 wrote to memory of 2016	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 848 wrote to memory of 2016	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 848 wrote to memory of 2016	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 848 wrote to memory of 2016	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 848 wrote to memory of 2016	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 848 wrote to memory of 2016	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 848 wrote to memory of 2016	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	svchost.exe
PID 848 wrote to memory of 1696	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	javaw.exe
PID 848 wrote to memory of 1696	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	javaw.exe
PID 848 wrote to memory of 1696	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	javaw.exe
PID 848 wrote to memory of 1696	848	3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe	javaw.exe
PID 2016 wrote to memory of 1308	2016	svchost.exe	svchost.exe
PID 2016 wrote to memory of 1308	2016	svchost.exe	svchost.exe
PID 2016 wrote to memory of 1308	2016	svchost.exe	svchost.exe
PID 2016 wrote to memory of 1308	2016	svchost.exe	svchost.exe
PID 1696 wrote to memory of 1468	1696	javaw.exe	java.exe
PID 1696 wrote to memory of 1468	1696	javaw.exe	java.exe
PID 1696 wrote to memory of 1468	1696	javaw.exe	java.exe
PID 1468 wrote to memory of 1460	1468	java.exe	cmd.exe
PID 1468 wrote to memory of 1460	1468	java.exe	cmd.exe
PID 1468 wrote to memory of 1460	1468	java.exe	cmd.exe
PID 1460 wrote to memory of 2000	1460	cmd.exe	cscript.exe
PID 1460 wrote to memory of 2000	1460	cmd.exe	cscript.exe
PID 1460 wrote to memory of 2000	1460	cmd.exe	cscript.exe
PID 1468 wrote to memory of 1592	1468	java.exe	cmd.exe
PID 1468 wrote to memory of 1592	1468	java.exe	cmd.exe
PID 1468 wrote to memory of 1592	1468	java.exe	cmd.exe
PID 1592 wrote to memory of 1192	1592	cmd.exe	cscript.exe
PID 1592 wrote to memory of 1192	1592	cmd.exe	cscript.exe
PID 1592 wrote to memory of 1192	1592	cmd.exe	cscript.exe
PID 1468 wrote to memory of 1748	1468	java.exe	xcopy.exe
PID 1468 wrote to memory of 1748	1468	java.exe	xcopy.exe
PID 1468 wrote to memory of 1748	1468	java.exe	xcopy.exe

C:\Users\Admin\AppData\Local\Temp\3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe
"C:\Users\Admin\AppData\Local\Temp\3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "ALGKF\ALGKF" /XML "C:\Users\Admin\AppData\Roaming\ALGKF\aqqqqq.xml"
2⤵
- Creates scheduled task(s)
PID:1292

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Roaming\Roaming\svchost.exe
-m "C:\Windows\SysWOW64\svchost.exe"
3⤵
- Executes dropped EXE
PID:1308

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\EAWET.jar"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.4871153365732568949495036599929600.class
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1016837867290675563.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1016837867290675563.vbs
5⤵
PID:2000

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8467573201941676963.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8467573201941676963.vbs
5⤵
PID:1192

C:\Windows\system32\xcopy.exe
xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
4⤵
PID:1748

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EAWET.jar
Filesize
473KB

MD5
d6d2b3e890041545cc409ab31157aa1a

SHA1
5b569bce8f9f00b2ce684738496cbffc908131f7

SHA256
fea9e7094bc95dc152f595f7b45c78ec15a76fc6ceec9812d38de6c601c4170e

SHA512
16419ec9491e8fc85a5ea7b71234e656cc33dd95703bbb6c2b05d2edf50f8f58f9bab624d395cd64e28d4ac56eb7af24f97264b79fe12d9bce4d2df1257c6ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive1016837867290675563.vbs
Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive8467573201941676963.vbs
Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.4871153365732568949495036599929600.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\ALGKF\aqqqqq.xml
Filesize
1KB

MD5
c8325ecb9abbb228d3b5d4e84c96f320

SHA1
9a84f6658bbe3a769bb204f7667672ce936fbb87

SHA256
a85c2c8e56106858330b70f234c37b0a7f6aaae75139a88bd446b46168490b7e

SHA512
31f6b28b61d31a127e8c4dcfcd5538b127ce82e31d1ae9172085d92636687dfa159e5ff31e047b35401575b6c92987eba2da3a5d1e7eaf980a4b950bb7efe278

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2277218442-1199762539-2004043321-1000\83aa4cc77f591dfc2374580bbd95f6ba_4cab856c-2ae4-4cbd-8a04-329969ee64da
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Roaming\svchost.exe
Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
\Users\Admin\AppData\Roaming\Roaming\svchost.exe
Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
memory/848-58-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/848-55-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/848-54-0x0000000075941000-0x0000000075943000-memory.dmp

Filesize
8KB

Download
memory/848-81-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/1192-118-0x0000000000000000-mapping.dmp

Download
memory/1292-56-0x0000000000000000-mapping.dmp

Download
memory/1308-77-0x0000000000000000-mapping.dmp

Download
memory/1460-114-0x0000000000000000-mapping.dmp

Download
memory/1468-111-0x0000000002200000-0x0000000005200000-memory.dmp

Filesize
48.0MB

Download
memory/1468-100-0x0000000002200000-0x0000000005200000-memory.dmp

Filesize
48.0MB

Download
memory/1468-93-0x0000000000000000-mapping.dmp

Download
memory/1592-117-0x0000000000000000-mapping.dmp

Download
memory/1696-109-0x00000000022A0000-0x00000000052A0000-memory.dmp

Filesize
48.0MB

Download
memory/1696-92-0x00000000022A0000-0x00000000052A0000-memory.dmp

Filesize
48.0MB

Download
memory/1696-80-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download
memory/1696-76-0x0000000000000000-mapping.dmp

Download
memory/2000-115-0x0000000000000000-mapping.dmp

Download
memory/2016-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-71-0x00000000004022CA-mapping.dmp

Download
memory/2016-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads