Analysis Overview
SHA256
3704a8f86fe69466491c8423500bf1385554ce9d0f0deb2a373655f3abce653b
Threat Level: Known bad
The file 3704a8f86fe69466491c8423500bf1385554ce9d0f0deb2a373655f3abce653b was found to be: Known bad.
Malicious Activity Summary
Adwind family
JAR file contains resources related to AdWind
AdWind
Sets file to hidden
Adds Run key to start application
Drops desktop.ini file(s)
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-01 05:25
Signatures
Adwind family
JAR file contains resources related to AdWind
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-01 05:25
Reported
2022-07-01 06:26
Platform
win7-20220414-en
Max time kernel
140s
Max time network
158s
Command Line
Signatures
AdWind
JAR file contains resources related to AdWind
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asddresd = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\eqwzdd\\asdwsd.jar\"" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asddresd = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\eqwzdd\\asdwsd.jar\"" | C:\Windows\system32\reg.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\eqwzdd\Desktop.ini | C:\Windows\system32\java.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\eqwzdd\Desktop.ini | C:\Windows\system32\attrib.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\java.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\3704a8f86fe69466491c8423500bf1385554ce9d0f0deb2a373655f3abce653b.jar
C:\Windows\system32\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v asddresd /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\eqwzdd\asdwsd.jar\"" /f
C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v asddresd /f
C:\Windows\system32\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\eqwzdd\*.*"
C:\Windows\system32\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\eqwzdd"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\eqwzdd\asdwsd.jar"
C:\Windows\system32\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v asddresd /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\eqwzdd\asdwsd.jar\"" /f
C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v asddresd /f
C:\Windows\system32\attrib.exe
attrib +H C:\Users\Admin\.Plugins3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rootsec.publicvm.com | udp |
| AU | 43.226.229.92:33 | rootsec.publicvm.com | tcp |
| AU | 43.226.229.92:33 | rootsec.publicvm.com | tcp |
| AU | 43.226.229.92:33 | rootsec.publicvm.com | tcp |
| AU | 43.226.229.92:33 | rootsec.publicvm.com | tcp |
| AU | 43.226.229.92:33 | rootsec.publicvm.com | tcp |
Files
memory/1880-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
memory/1880-64-0x0000000002280000-0x0000000005280000-memory.dmp
memory/1188-65-0x0000000000000000-mapping.dmp
memory/2044-66-0x0000000000000000-mapping.dmp
memory/892-67-0x0000000000000000-mapping.dmp
memory/1956-68-0x0000000000000000-mapping.dmp
memory/1132-69-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\eqwzdd\Desktop.ini
| MD5 | e783bdd20a976eaeaae1ff4624487420 |
| SHA1 | c2a44fab9df00b3e11582546b16612333c2f9286 |
| SHA256 | 2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3 |
| SHA512 | 8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80 |
C:\Users\Admin\AppData\Roaming\eqwzdd\asdwsd.jar
| MD5 | 20de1c62ba825235d8ec0a6ccebac974 |
| SHA1 | 53b53e50377754928990f67101d320a69442398c |
| SHA256 | 3704a8f86fe69466491c8423500bf1385554ce9d0f0deb2a373655f3abce653b |
| SHA512 | 25e3985ced204a05fa8cb0016b6e0fe60237fa36ffed79b9f9dfd43ed09bb72821995cc4b3bfcc22b45efe95655dddcf26656a822b72f2b6cd06e1215cc55046 |
memory/1132-82-0x0000000002360000-0x0000000005360000-memory.dmp
memory/696-83-0x0000000000000000-mapping.dmp
memory/1508-84-0x0000000000000000-mapping.dmp
memory/1356-85-0x0000000000000000-mapping.dmp
memory/1132-86-0x0000000002360000-0x0000000005360000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-01 05:25
Reported
2022-07-01 06:26
Platform
win10v2004-20220414-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
AdWind
JAR file contains resources related to AdWind
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asddresd = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\eqwzdd\\asdwsd.jar\"" | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SYSTEM32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asddresd = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\eqwzdd\\asdwsd.jar\"" | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SYSTEM32\reg.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\eqwzdd\Desktop.ini | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\eqwzdd\Desktop.ini | C:\Windows\SYSTEM32\attrib.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\3704a8f86fe69466491c8423500bf1385554ce9d0f0deb2a373655f3abce653b.jar
C:\Windows\SYSTEM32\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v asddresd /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\eqwzdd\asdwsd.jar\"" /f
C:\Windows\SYSTEM32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v asddresd /f
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\eqwzdd\asdwsd.jar"
C:\Windows\SYSTEM32\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\eqwzdd"
C:\Windows\SYSTEM32\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\eqwzdd\*.*"
C:\Windows\SYSTEM32\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v asddresd /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\eqwzdd\asdwsd.jar\"" /f
C:\Windows\SYSTEM32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v asddresd /f
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\.Plugins3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rootsec.publicvm.com | udp |
| AU | 43.226.229.92:33 | rootsec.publicvm.com | tcp |
| NL | 8.238.24.126:80 | tcp | |
| NL | 8.238.24.126:80 | tcp | |
| AU | 43.226.229.92:33 | rootsec.publicvm.com | tcp |
| AU | 43.226.229.92:33 | rootsec.publicvm.com | tcp |
| IE | 52.109.76.31:443 | tcp | |
| AU | 43.226.229.92:33 | rootsec.publicvm.com | tcp |
| US | 8.8.8.8:53 | rootsec.publicvm.com | udp |
| AU | 43.226.229.92:33 | rootsec.publicvm.com | tcp |
| AU | 43.226.229.92:33 | rootsec.publicvm.com | tcp |
Files
memory/2112-139-0x0000000002EB0000-0x0000000003EB0000-memory.dmp
memory/1004-140-0x0000000000000000-mapping.dmp
memory/672-141-0x0000000000000000-mapping.dmp
memory/1988-144-0x0000000000000000-mapping.dmp
memory/1832-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\eqwzdd\asdwsd.jar
| MD5 | 20de1c62ba825235d8ec0a6ccebac974 |
| SHA1 | 53b53e50377754928990f67101d320a69442398c |
| SHA256 | 3704a8f86fe69466491c8423500bf1385554ce9d0f0deb2a373655f3abce653b |
| SHA512 | 25e3985ced204a05fa8cb0016b6e0fe60237fa36ffed79b9f9dfd43ed09bb72821995cc4b3bfcc22b45efe95655dddcf26656a822b72f2b6cd06e1215cc55046 |
memory/2536-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\eqwzdd\Desktop.ini
| MD5 | e783bdd20a976eaeaae1ff4624487420 |
| SHA1 | c2a44fab9df00b3e11582546b16612333c2f9286 |
| SHA256 | 2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3 |
| SHA512 | 8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80 |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | f8db06f3d4369b96093fc7e93e5b5f5b |
| SHA1 | 5ddbbd4dc0abd12b88ef165ba2b42e81afd5d9b6 |
| SHA256 | 79701f8236b53898027290686c6f762e9223781ca84866276cf174a5180a6eac |
| SHA512 | 36ead269e0cdf360a408c73dc4ab08d7eebe04c68994394c738f5e34405172ca3e995d54ac27e394a417e877ad310c2ce5b2500bafd7aa690ef3c4d501674608 |
memory/1988-157-0x0000000002940000-0x0000000003940000-memory.dmp
memory/2632-158-0x0000000000000000-mapping.dmp
memory/3724-159-0x0000000000000000-mapping.dmp
memory/4016-160-0x0000000000000000-mapping.dmp
memory/1988-162-0x0000000002940000-0x0000000003940000-memory.dmp