Analysis

  • max time kernel: 184s
  • max time network: 46s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 14-07-2022 10:45

General

  • Target: PO.220471.jar
  • Size: 627KB
  • MD5: b715cb0f045aacb762f59d4b837b9cee
  • SHA1: fdbf3dbc872a3a3654807ca955de5af4d4091dfb
  • SHA256: df96f72858f4c3c10abee7f9dbb1ae38eb9cff069450bf87547c6cd2a7ef8754
  • SHA512: e8332c5937e9aa989b20b6e443c31ec56c4b032e92ab6fc972ce5926bdaeef5384d262d543e4c19552e72710648133b5e353f98c726df2c26eb0844521c06f15

Score
10/10

Malware Config

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Windows\system32\java.exe (PID 1984)
    java -jar C:\Users\Admin\AppData\Local\Temp\PO.220471.jar
    Suspicious use of WriteProcessMemory
    • C:\Windows\system32\wscript.exe (PID 1476)
      wscript C:\Users\Admin\tfvufrkjag.js
      Suspicious use of WriteProcessMemory
      • C:\Windows\System32\WScript.exe (PID 668)
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\jsKFpuMqvB.js"
      • C:\Program Files\Java\jre7\bin\javaw.exe (PID 1964)
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\tbpaugcez.txt"
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        • C:\Program Files\Java\jre7\bin\java.exe (PID 1644)
          "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.78518672258035826927510301424252648.class
          Drops file in System32 directory
          Suspicious use of SetWindowsHookEx
          Suspicious use of WriteProcessMemory
          • C:\Windows\system32\cmd.exe (PID 1080)
            cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1424949207180361063.vbs
            Suspicious use of WriteProcessMemory
            • C:\Windows\system32\cscript.exe (PID 1012)
              cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1424949207180361063.vbs
          • C:\Windows\system32\cmd.exe (PID 1652)
            cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4212641570258202039.vbs
            Suspicious use of WriteProcessMemory
            • C:\Windows\system32\cscript.exe (PID 1680)
              cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4212641570258202039.vbs
          • C:\Windows\system32\xcopy.exe (PID 948)
            xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
          • C:\Windows\system32\cmd.exe (PID 748)
            cmd.exe
        • C:\Windows\system32\cmd.exe (PID 556)
          cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1588163961006639217.vbs
          Suspicious use of WriteProcessMemory
          • C:\Windows\system32\cscript.exe (PID 596)
            cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1588163961006639217.vbs
        • C:\Windows\system32\cmd.exe (PID 1220)
          cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7827127806811283859.vbs
          Suspicious use of WriteProcessMemory
          • C:\Windows\system32\cscript.exe (PID 892)
            cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7827127806811283859.vbs
        • C:\Windows\system32\xcopy.exe (PID 1368)
          xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Retrive1424949207180361063.vbs
    Filesize: 276B
    MD5: 3bdfd33017806b85949b6faa7d4b98e4
    SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
    SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
    SHA512: ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

  • C:\Users\Admin\AppData\Local\Temp\Retrive1588163961006639217.vbs
    Filesize: 276B
    MD5: 3bdfd33017806b85949b6faa7d4b98e4
    SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
    SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
    SHA512: ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

  • C:\Users\Admin\AppData\Local\Temp\Retrive4212641570258202039.vbs
    Filesize: 281B
    MD5: a32c109297ed1ca155598cd295c26611
    SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
    SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
    SHA512: 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

  • C:\Users\Admin\AppData\Local\Temp\Retrive7827127806811283859.vbs
    Filesize: 281B
    MD5: a32c109297ed1ca155598cd295c26611
    SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
    SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
    SHA512: 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

  • C:\Users\Admin\AppData\Local\Temp\_0.78518672258035826927510301424252648.class
    Filesize: 241KB
    MD5: 781fb531354d6f291f1ccab48da6d39f
    SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
    SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
    SHA512: 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2277218442-1199762539-2004043321-1000\83aa4cc77f591dfc2374580bbd95f6ba_4cab856c-2ae4-4cbd-8a04-329969ee64da
    Filesize: 45B
    MD5: c8366ae350e7019aefc9d1e6e6a498c6
    SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
    SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
    SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

  • C:\Users\Admin\AppData\Roaming\jsKFpuMqvB.js
    Filesize: 9KB
    MD5: fee0122aedf23a9751ff45273333c428
    SHA1: c946203d5cbeb8d93c4a3cc8c6c61463a671b90d
    SHA256: 62b7edb1c394fcc1dcf1d7fecc368ec15cd3038a84fe67978b9fecc6025d8e0e
    SHA512: d2b02c13143c4ff017be7668ba17281e061eaccf824fbd43da55b8bcffa54054b1449d32a970d4eda42b5e07ecea82fe16c76015b0c812c6bb7f8abb7c51a6fa

  • C:\Users\Admin\AppData\Roaming\tbpaugcez.txt
    Filesize: 479KB
    MD5: 4d9a717a9d3bb25ed5fd107ec7795e3a
    SHA1: 341ff4f74c807650c0a81ca0c2711caceddbed44
    SHA256: d4532757afd5774d841e830196ce2d5812f3443785f693d57e5c5d7d4ca3288a
    SHA512: ca6445a628a057895bd62028a2353a12b008e28b6bcf11d4277ffb18a51c5282bdd74864eb4412512387282dd43b2f5b915f4ec0df8e3f74ba2fab3905a197ce

  • C:\Users\Admin\tfvufrkjag.js
    Filesize: 916KB
    MD5: ed6475d7ebbbba360940904aa683e697
    SHA1: 5984a814730dfa0a4bcb4fec1040cb4c02ec1321
    SHA256: dcdec034dace11b4911bcbb12a2ac1f7c98571e46904f60d3e4000a7d0b7ae12
    SHA512: bc73513fef1c2a0c0dee3b481d3a1630d0593902ef986bd2a7a0a7cec74408a3f6fc15f2085f77fa44cea0bf98522c9c100eedd75d4ac456f3809ac5257a7b57

  • memory/556-100-0x0000000000000000-mapping.dmp
  • memory/596-103-0x0000000000000000-mapping.dmp
  • memory/668-69-0x0000000000000000-mapping.dmp
  • memory/748-116-0x0000000000000000-mapping.dmp
  • memory/892-109-0x0000000000000000-mapping.dmp
  • memory/948-112-0x0000000000000000-mapping.dmp
  • memory/1012-102-0x0000000000000000-mapping.dmp
  • memory/1080-101-0x0000000000000000-mapping.dmp
  • memory/1220-107-0x0000000000000000-mapping.dmp
  • memory/1368-113-0x0000000000000000-mapping.dmp
  • memory/1476-65-0x0000000000000000-mapping.dmp
  • memory/1644-93-0x0000000002240000-0x0000000005240000-memory.dmp (Filesize: 48.0MB)
  • memory/1644-115-0x0000000002240000-0x0000000005240000-memory.dmp (Filesize: 48.0MB)
  • memory/1644-84-0x0000000000000000-mapping.dmp
  • memory/1652-106-0x0000000000000000-mapping.dmp
  • memory/1680-108-0x0000000000000000-mapping.dmp
  • memory/1964-83-0x0000000002110000-0x0000000005110000-memory.dmp (Filesize: 48.0MB)
  • memory/1964-114-0x0000000002110000-0x0000000005110000-memory.dmp (Filesize: 48.0MB)
  • memory/1964-71-0x0000000000000000-mapping.dmp
  • memory/1984-57-0x00000000020F0000-0x00000000050F0000-memory.dmp (Filesize: 48.0MB)
  • memory/1984-54-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp (Filesize: 8KB)