Analysis

  • max time kernel
    28s
  • max time network
    31s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2022 01:08

General

  • Target

    56f91c4ea4ed589357d942ee398095729879d21ba3f2ee59cb3ae96ced1c7c87.jar

  • Size

    483KB

  • MD5

    98b0a808e449d339a353f468b7e257ca

  • SHA1

    b4b7a00d49582e096c63f37aeb828d40fe2d33b7

  • SHA256

    56f91c4ea4ed589357d942ee398095729879d21ba3f2ee59cb3ae96ced1c7c87

  • SHA512

    e03cb658183cc99901aafe0a455f08e60d9671dff7988c9b81ea3659af9fa24a6faafd6ec1921d41dbd827342e72e5ad992f2b1d689ab2b9c654adb6b1848541

Score
10/10

Malware Config

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\56f91c4ea4ed589357d942ee398095729879d21ba3f2ee59cb3ae96ced1c7c87.jar
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.3615128944638762261752153247821024.class
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6904941202481270943.vbs
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Windows\system32\cscript.exe
          cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6904941202481270943.vbs
          4⤵
            PID:2864
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7616163222509321169.vbs
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:456
        • C:\Windows\system32\cscript.exe
          cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7616163222509321169.vbs
          3⤵
            PID:2088

Network

MITRE ATT&CK Matrix

Downloads

      • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

        Filesize

        50B

        MD5

        481cce1974702ade2df7a8abbf3f727d

        SHA1

        1068b34e0753cc2afad8922197d8daf5ff8a69d3

        SHA256

        8beff6f0a9fa4e1b60ef61e470b1e01fcae9274ab522b008d20720f0361bf0e8

        SHA512

        924af4b6814097aadea9f0f9a96e0c0ec48fdea5d8bd4dc6925b8580df6469ed0a97359f8b698adc9fe6a3fec1e96a4e0d92de10f9cf6a97e27d67c896b48041

      • C:\Users\Admin\AppData\Local\Temp\Retrive6904941202481270943.vbs

        Filesize

        276B

        MD5

        3bdfd33017806b85949b6faa7d4b98e4

        SHA1

        f92844fee69ef98db6e68931adfaa9a0a0f8ce66

        SHA256

        9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

        SHA512

        ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

      • C:\Users\Admin\AppData\Local\Temp\Retrive7616163222509321169.vbs

        Filesize

        276B

        MD5

        3bdfd33017806b85949b6faa7d4b98e4

        SHA1

        f92844fee69ef98db6e68931adfaa9a0a0f8ce66

        SHA256

        9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

        SHA512

        ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

      • C:\Users\Admin\AppData\Local\Temp\_0.3615128944638762261752153247821024.class

        Filesize

        241KB

        MD5

        781fb531354d6f291f1ccab48da6d39f

        SHA1

        9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

        SHA256

        97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

        SHA512

        3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3463845317-933582289-45817732-1000\83aa4cc77f591dfc2374580bbd95f6ba_bfe458be-6a47-4012-a9d0-2c4333e0df83

        Filesize

        45B

        MD5

        c8366ae350e7019aefc9d1e6e6a498c6

        SHA1

        5731d8a3e6568a5f2dfbbc87e3db9637df280b61

        SHA256

        11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

        SHA512

        33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

      • memory/456-174-0x0000000000000000-mapping.dmp

      • memory/2016-176-0x0000000000000000-mapping.dmp

      • memory/2088-177-0x0000000000000000-mapping.dmp

      • memory/2864-178-0x0000000000000000-mapping.dmp

      • memory/2936-158-0x0000000003090000-0x0000000004090000-memory.dmp

        Filesize

        16.0MB

      • memory/2936-175-0x0000000003090000-0x0000000004090000-memory.dmp

        Filesize

        16.0MB

      • memory/2936-162-0x0000000003090000-0x0000000004090000-memory.dmp

        Filesize

        16.0MB

      • memory/2936-160-0x0000000003090000-0x0000000004090000-memory.dmp

        Filesize

        16.0MB

      • memory/2936-134-0x0000000003090000-0x0000000004090000-memory.dmp

        Filesize

        16.0MB

      • memory/4280-168-0x0000000002530000-0x0000000003530000-memory.dmp

        Filesize

        16.0MB

      • memory/4280-144-0x0000000000000000-mapping.dmp