Malware Analysis Report

2024-12-07 20:56

Sample ID 220824-hzx2mshhel
Target TellerAdvice.jar
SHA256 2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e
Tags
adwind persistence trojan
score
10/10

Table of Contents

Analysis Overview

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e

Threat Level: Known bad

The file TellerAdvice.jar was found to be: Known bad.

Malicious Activity Summary

adwind persistence trojan

AdWind

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Views/modifies file attributes

Analysis: static1

Detonation Overview

Reported

2022-08-24 07:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-24 07:11

Reported

2022-08-24 07:14

Platform

win7-20220812-en

Max time kernel

165s

Max time network

54s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\TellerAdvice.jar

Signatures

AdWind

trojan adwind

Adds Run key to start application

persistence
Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run
Process: C:\Windows\system32\reg.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lMpweJSGDjr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JVlpBjOuqsQ\\.jar.Bttolj\""
Process: C:\Windows\system32\reg.exe
Target: N/A

Drops file in System32 directory

Description: File created
Indicator: C:\Windows\System32\test.txt
Process: C:\Program Files\Java\jre7\bin\javaw.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\System32\test.txt
Process: C:\Program Files\Java\jre7\bin\java.exe
Target: N/A

Enumerates physical storage devices

Modifies registry key

Process: C:\Windows\system32\reg.exe (no description or indicator recorded)

Suspicious use of SetWindowsHookEx

Process: C:\Program Files\Java\jre7\bin\javaw.exe (no description or indicator recorded)
Process: C:\Program Files\Java\jre7\bin\java.exe (no description or indicator recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 1292 N/A C:\Windows\system32\java.exe C:\Windows\system32\wscript.exe
PID 1752 wrote to memory of 1292 N/A C:\Windows\system32\java.exe C:\Windows\system32\wscript.exe
PID 1752 wrote to memory of 1292 N/A C:\Windows\system32\java.exe C:\Windows\system32\wscript.exe
PID 1292 wrote to memory of 696 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1292 wrote to memory of 696 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1292 wrote to memory of 696 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1292 wrote to memory of 1040 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1292 wrote to memory of 1040 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1292 wrote to memory of 1040 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1040 wrote to memory of 276 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1040 wrote to memory of 276 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1040 wrote to memory of 276 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1040 wrote to memory of 1744 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1744 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1744 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 276 wrote to memory of 2024 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 276 wrote to memory of 2024 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 276 wrote to memory of 2024 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2024 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2024 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2024 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1744 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1744 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1744 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 276 wrote to memory of 1636 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 276 wrote to memory of 1636 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 276 wrote to memory of 1636 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1424 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1424 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1424 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1636 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1636 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1636 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1424 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1424 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1424 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 276 wrote to memory of 764 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\xcopy.exe
PID 276 wrote to memory of 764 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\xcopy.exe
PID 276 wrote to memory of 764 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\xcopy.exe
PID 1040 wrote to memory of 1356 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\xcopy.exe
PID 1040 wrote to memory of 1356 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\xcopy.exe
PID 1040 wrote to memory of 1356 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\xcopy.exe
PID 1040 wrote to memory of 1812 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1812 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1812 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 1588 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\reg.exe
PID 1040 wrote to memory of 1588 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\reg.exe
PID 1040 wrote to memory of 1588 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\reg.exe
PID 1040 wrote to memory of 1768 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\attrib.exe
PID 1040 wrote to memory of 1768 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\attrib.exe
PID 1040 wrote to memory of 1768 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\attrib.exe
PID 1040 wrote to memory of 1748 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\attrib.exe
PID 1040 wrote to memory of 1748 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\attrib.exe
PID 1040 wrote to memory of 1748 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\attrib.exe
PID 1040 wrote to memory of 1208 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1040 wrote to memory of 1208 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1040 wrote to memory of 1208 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1208 wrote to memory of 1564 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1208 wrote to memory of 1564 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1208 wrote to memory of 1564 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 276 wrote to memory of 1624 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 276 wrote to memory of 1624 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 276 wrote to memory of 1624 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
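The table above logs every WriteProcessMemory call, so each parent-to-child spawn appears three times and the chain is hard to follow. The script below is an added example, not part of the sandbox report: it parses a copied subset of those rows, collapses the duplicates, prints the process tree, and flags the edges where a JVM process (java.exe or javaw.exe) launched a scripting or administration binary, which is what separates this JAR from an ordinary Java application. The LOLBINS set and the choice of sample rows are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the rows from the behavioral1
# "Suspicious use of WriteProcessMemory" table above. The sandbox logs each
# spawn three times; one duplicate is kept to show the parser collapsing it.
WPM_ROWS = r"""
PID 1752 wrote to memory of 1292 N/A C:\Windows\system32\java.exe C:\Windows\system32\wscript.exe
PID 1752 wrote to memory of 1292 N/A C:\Windows\system32\java.exe C:\Windows\system32\wscript.exe
PID 1292 wrote to memory of 696 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1292 wrote to memory of 1040 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1040 wrote to memory of 276 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1040 wrote to memory of 1744 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1040 wrote to memory of 1588 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\reg.exe
PID 1040 wrote to memory of 1768 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\attrib.exe
PID 1040 wrote to memory of 1208 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\javaw.exe
"""

# Paths contain spaces ("Program Files"), so split on the first ".exe" followed by a space.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.IGNORECASE)

# Assumed list of Windows-native script/admin binaries a JVM should not normally spawn.
LOLBINS = {"wscript.exe", "cscript.exe", "cmd.exe", "reg.exe", "attrib.exe", "xcopy.exe"}
JVM = {"java.exe", "javaw.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_wpm(text):
    """Return (image, children): pid -> image path, parent pid -> ordered, de-duplicated child pids."""
    image, children = {}, defaultdict(list)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        image.setdefault(ppid, m.group(3))
        image.setdefault(cpid, m.group(4))
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    return image, dict(children)


def roots(image, children):
    """PIDs that wrote into others but were never written into: the tree roots."""
    spawned = {c for kids in children.values() for c in kids}
    return [pid for pid in image if pid not in spawned]


def render(image, children, pid, depth=0):
    """Indented process tree as a list of lines, depth-first in spawn order."""
    lines = [f"{'  ' * depth}{pid} {image[pid]}"]
    for child in children.get(pid, []):
        lines.extend(render(image, children, child, depth + 1))
    return lines


def jvm_to_lolbin(image, children):
    """(parent, child) pairs where a JVM process spawned one of the LOLBINS."""
    return [(p, c) for p, kids in children.items() if basename(image[p]) in JVM
            for c in kids if basename(image[c]) in LOLBINS]


if __name__ == "__main__":
    image, children = parse_wpm(WPM_ROWS)
    for root in roots(image, children):
        print("\n".join(render(image, children, root)))
    for p, c in jvm_to_lolbin(image, children):
        print(f"JVM {p} ({basename(image[p])}) -> {c} ({basename(image[c])})")
```

On the full table the same function returns every java/javaw-to-LOLBin edge (wscript, cmd, reg, attrib, xcopy), which is the relationship a process-creation detection rule would key on rather than on any of the randomised file names.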

Views/modifies file attributes

evasion
Process: C:\Windows\system32\attrib.exe (no description or indicator recorded)
Process: C:\Windows\system32\attrib.exe (no description or indicator recorded)

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\TellerAdvice.jar

C:\Windows\system32\wscript.exe

wscript C:\Users\Admin\auadjkcvuo.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\MHsaSuFjvX.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\cbcjiujwmc.txt"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.654876325451083318922411145411145.class

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7318842952099823111.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5473803077717362015.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7318842952099823111.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5473803077717362015.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1714349840790024828.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4744158781615123854.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4744158781615123854.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1714349840790024828.vbs

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v lMpweJSGDjr /t REG_EXPAND_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\JVlpBjOuqsQ\.jar.Bttolj\"" /f

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar C:\Users\Admin\JVlpBjOuqsQ\.jar.Bttolj

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\JVlpBjOuqsQ"

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\JVlpBjOuqsQ\*.*"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.102874813469097662149555176643921270.class

C:\Windows\system32\cmd.exe

cmd.exe
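The persistence chain visible in this process list is: xcopy the installed JRE into AppData\Roaming\Oracle\, write the payload under a randomly named directory in the user profile with the misleading name .jar.Bttolj, register it with reg add under HKCU\...\Run using a random value name, and hide the directory and its contents with attrib +h. The Python below is an added example, not from the report, of how to triage Run-key values against that pattern. The value for lMpweJSGDjr is the exact data reg.exe wrote above; the other three entries, the looks_random heuristic and the finding labels are this example's own constructions.

```python
import re

# Constructed sample of HKCU\...\Run values. "lMpweJSGDjr" is the data that
# reg.exe wrote in behavioral1 above; the other three are made up for this
# example as comparisons and do not come from the report.
RUN_VALUES = {
    "lMpweJSGDjr": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\JVlpBjOuqsQ\.jar.Bttolj"',
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "InventoryApp": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Program Files\InventoryApp\inventory.jar"',
    "Oracle": r'"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\Admin\JVlpBjOuqsQ\.jar.Bttolj"',
}

JVM = {"java.exe", "javaw.exe"}
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def looks_random(name):
    """Heuristic assumed by this example: 8+ letters, mixed case, under 20% vowels."""
    if len(name) < 8 or not name.isalpha() or name.lower() == name or name.upper() == name:
        return False
    return sum(c in "aeiouAEIOU" for c in name) / len(name) < 0.2


def assess_run_value(name, data):
    """Return the reasons a Run value resembles the javaw -jar persistence seen above."""
    findings = []
    argv = tokenize(data)
    if not argv:
        return findings
    exe_path, exe = argv[0], basename(argv[0]).lower()
    if exe in JVM and "-jar" in argv:
        findings.append("jvm-jar-launcher")
        if USER_PROFILE.match(exe_path):
            findings.append("jvm-in-user-profile")        # e.g. a JRE xcopy'd into AppData\Roaming\Oracle
        i = argv.index("-jar") + 1
        jar = argv[i] if i < len(argv) else ""
        if jar:
            if USER_PROFILE.match(jar):
                findings.append("payload-in-user-profile")
            jar_name = basename(jar)
            if jar_name.startswith(".") or not jar_name.lower().endswith(".jar"):
                findings.append("disguised-jar-name")      # e.g. ".jar.Bttolj"
    if looks_random(name):
        findings.append("random-looking-value-name")
    return findings


def triage(values):
    """Map each value name to its findings, dropping values with none."""
    out = {}
    for name, data in values.items():
        findings = assess_run_value(name, data)
        if findings:
            out[name] = findings
    return out


if __name__ == "__main__":
    for name, findings in triage(RUN_VALUES).items():
        print(f"{name}: {', '.join(findings)}")
```

A legitimate Java application registered the same way (the constructed InventoryApp entry) only trips the launcher check, so the combination of findings, not any single one, is what should raise the priority. The check runs on exported registry data, so it can be applied to a live host, a forensic hive export, or a sandbox report alike.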

Network

N/A

Files

memory/1752-54-0x000007FEFBC41000-0x000007FEFBC43000-memory.dmp

memory/1752-64-0x00000000023A0000-0x00000000053A0000-memory.dmp

memory/1292-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\auadjkcvuo.js

MD5 e6ed63c61a7ca096c6f6c34a2fee8f3e
SHA1 d30f07297d8721b6bdd1d4fb0ae3fd2974756cce
SHA256 fd7bd01b7bfae6a1e7b081bfd04199063e3155cd9744142b136c6bcbfe6bd4a0
SHA512 933f539ac918eaa17d8a4e01c354ea4078a6239702e90bb7e32e51d15156bd8053a37c4fd5c3ace2d2f22857600b92e3a78e7fb90184806e9a20d48b12b61123

memory/696-69-0x0000000000000000-mapping.dmp

memory/1040-70-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\cbcjiujwmc.txt

MD5 e4b4412a2e52f64ef1beb46cd4721869
SHA1 0d0f4da4f00ae3f424c3d70dd8a0426110696c4c
SHA256 7b7eb48626556344bbdddfb6d37173be5032093087635c81cb236e1d43c94b3c
SHA512 38e2e1813dcc5c7770d46611dde3cfebab1773c1837659ec662c0f38690d95aa48e3f732ff210e61216f9d3dc5530c8b754fb29c17cb3990409364acd8856144

C:\Users\Admin\AppData\Roaming\MHsaSuFjvX.js

MD5 75570c99891c0563e8d1ab94999955a7
SHA1 fd9fe8d5d438d1a7b12069ee770654a5a283d08d
SHA256 1c47f96f2b1be9434870a1fec926c344ef74106ed2c0fd4c9c0f985c5607e775
SHA512 b64f2bf6dbb8cb97106760a37fbdab600e8c71f0a668f6f10a5155543294c2ac310b6becfdccc306d12e26b84e1fe7a264894411e751e3e2d0b9c87bb4221ec5

memory/1040-82-0x0000000002310000-0x0000000005310000-memory.dmp

memory/276-84-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.654876325451083318922411145411145.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\83aa4cc77f591dfc2374580bbd95f6ba_7725c12a-7257-458e-a47f-7029d9191548

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/1744-98-0x0000000000000000-mapping.dmp

memory/276-100-0x0000000002190000-0x0000000005190000-memory.dmp

memory/2024-102-0x0000000000000000-mapping.dmp

memory/828-104-0x0000000000000000-mapping.dmp

memory/2036-103-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive7318842952099823111.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

C:\Users\Admin\AppData\Local\Temp\Retrive5473803077717362015.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

memory/1424-108-0x0000000000000000-mapping.dmp

memory/1636-107-0x0000000000000000-mapping.dmp

memory/940-110-0x0000000000000000-mapping.dmp

memory/1736-109-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive4744158781615123854.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

C:\Users\Admin\AppData\Local\Temp\Retrive1714349840790024828.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

memory/1356-114-0x0000000000000000-mapping.dmp

memory/764-113-0x0000000000000000-mapping.dmp

memory/1812-115-0x0000000000000000-mapping.dmp

memory/1588-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\JVlpBjOuqsQ\.jar.Bttolj

MD5 e4b4412a2e52f64ef1beb46cd4721869
SHA1 0d0f4da4f00ae3f424c3d70dd8a0426110696c4c
SHA256 7b7eb48626556344bbdddfb6d37173be5032093087635c81cb236e1d43c94b3c
SHA512 38e2e1813dcc5c7770d46611dde3cfebab1773c1837659ec662c0f38690d95aa48e3f732ff210e61216f9d3dc5530c8b754fb29c17cb3990409364acd8856144

C:\Users\Admin\JVlpBjOuqsQ\ID.txt

MD5 431cf7403f3a21451aab4f35e707d083
SHA1 57341a33da6f4bee46769714eabed63224ec0e63
SHA256 4e9a3b3f0e65c8f07463af002f123e5dc31e007b26ed13a02d45bd7a56e7ea65
SHA512 42aacb0cf523d4fb5fed32d4cd221be1ccdd424ead72279a3c8676f4827a4b4434255aada565141fec86e45c3a92821805404c3948a22d736dcddcec951509e8

memory/1208-119-0x0000000000000000-mapping.dmp

memory/1748-118-0x0000000000000000-mapping.dmp

memory/1768-117-0x0000000000000000-mapping.dmp

memory/1564-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.102874813469097662149555176643921270.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

memory/1208-135-0x0000000002420000-0x0000000005420000-memory.dmp

C:\Windows\System32\test.txt

MD5 271b729205ff88b56b01407a76c9bac1
SHA1 8c8cf346582893b3efef31832569e0ffd9843f13
SHA256 c4135ce065dd00aa9cd6da86cfcc31ea80312db959675de4a0cfaefab5171ab6
SHA512 3bb4b4eb050956be2bbca7b63c392d814ba8432be8d95764d7abc061749e9292af7c3a0ef16f0056a5cd4f627810557611e1a777a7ab8975b8482e03a9d4f054

memory/1624-137-0x0000000000000000-mapping.dmp

memory/276-146-0x0000000002190000-0x0000000005190000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-24 07:11

Reported

2022-08-24 07:14

Platform

win10v2004-20220812-en

Max time kernel

68s

Max time network

91s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\TellerAdvice.jar

Signatures

AdWind

trojan adwind

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
Process: C:\Windows\SYSTEM32\wscript.exe
Target: N/A

Enumerates physical storage devices

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings
Process: C:\Windows\SYSTEM32\wscript.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Process: C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (no description or indicator recorded)
Process: C:\Program Files\Java\jre1.8.0_66\bin\java.exe (no description or indicator recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 392 wrote to memory of 3416 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\wscript.exe
PID 392 wrote to memory of 3416 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\wscript.exe
PID 3416 wrote to memory of 2632 N/A C:\Windows\SYSTEM32\wscript.exe C:\Windows\System32\WScript.exe
PID 3416 wrote to memory of 2632 N/A C:\Windows\SYSTEM32\wscript.exe C:\Windows\System32\WScript.exe
PID 3416 wrote to memory of 4140 N/A C:\Windows\SYSTEM32\wscript.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 3416 wrote to memory of 4140 N/A C:\Windows\SYSTEM32\wscript.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 4140 wrote to memory of 4468 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 4140 wrote to memory of 4468 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 4140 wrote to memory of 3976 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Windows\SYSTEM32\cmd.exe
PID 4140 wrote to memory of 3976 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Windows\SYSTEM32\cmd.exe
PID 4468 wrote to memory of 4328 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4468 wrote to memory of 4328 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4328 wrote to memory of 3492 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 4328 wrote to memory of 3492 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 3976 wrote to memory of 1164 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 3976 wrote to memory of 1164 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 4140 wrote to memory of 404 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Windows\SYSTEM32\cmd.exe
PID 4140 wrote to memory of 404 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Windows\SYSTEM32\cmd.exe
PID 4468 wrote to memory of 4464 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4468 wrote to memory of 4464 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 404 wrote to memory of 4556 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 404 wrote to memory of 4556 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 4464 wrote to memory of 2296 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 4464 wrote to memory of 2296 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 4140 wrote to memory of 4824 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Windows\SYSTEM32\xcopy.exe
PID 4140 wrote to memory of 4824 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Windows\SYSTEM32\xcopy.exe
PID 4468 wrote to memory of 1132 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\xcopy.exe
PID 4468 wrote to memory of 1132 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\xcopy.exe

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\TellerAdvice.jar

C:\Windows\SYSTEM32\wscript.exe

wscript C:\Users\Admin\auadjkcvuo.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\MHsaSuFjvX.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\stqviwp.txt"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.69995727568123534358386742018769093.class

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7844671037638282753.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5031514280305936362.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7844671037638282753.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5031514280305936362.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6330189385174092392.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4158590728726044950.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6330189385174092392.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4158590728726044950.vbs

C:\Windows\SYSTEM32\xcopy.exe

xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\SYSTEM32\xcopy.exe

xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\SYSTEM32\cmd.exe

cmd.exe

Network

Country  Destination          Domain                      Proto
US       93.184.221.240:80    -                           tcp
US       93.184.220.29:80     -                           tcp
US       93.184.220.29:80     -                           tcp
US       93.184.220.29:80     -                           tcp
IE       13.69.239.72:443     -                           tcp
US       93.184.220.29:80     -                           tcp
IE       20.190.159.0:443     -                           tcp
US       93.184.221.240:80    -                           tcp
US       8.8.8.8:53           15.89.54.20.in-addr.arpa    udp
NL       104.80.225.205:443   -                           tcp

No domain is recorded for any TCP destination; the only DNS traffic is a reverse (PTR) lookup of 20.54.89.15 sent to 8.8.8.8. The win7 detonation (behavioral1) recorded no network activity at all, so the report lists no resolved domain or identified C2 endpoint for this sample.

Files

memory/392-140-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

memory/3416-142-0x0000000000000000-mapping.dmp

C:\Users\Admin\auadjkcvuo.js

MD5 e6ed63c61a7ca096c6f6c34a2fee8f3e
SHA1 d30f07297d8721b6bdd1d4fb0ae3fd2974756cce
SHA256 fd7bd01b7bfae6a1e7b081bfd04199063e3155cd9744142b136c6bcbfe6bd4a0
SHA512 933f539ac918eaa17d8a4e01c354ea4078a6239702e90bb7e32e51d15156bd8053a37c4fd5c3ace2d2f22857600b92e3a78e7fb90184806e9a20d48b12b61123

memory/2632-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\MHsaSuFjvX.js

MD5 75570c99891c0563e8d1ab94999955a7
SHA1 fd9fe8d5d438d1a7b12069ee770654a5a283d08d
SHA256 1c47f96f2b1be9434870a1fec926c344ef74106ed2c0fd4c9c0f985c5607e775
SHA512 b64f2bf6dbb8cb97106760a37fbdab600e8c71f0a668f6f10a5155543294c2ac310b6becfdccc306d12e26b84e1fe7a264894411e751e3e2d0b9c87bb4221ec5

memory/4140-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\stqviwp.txt

MD5 e4b4412a2e52f64ef1beb46cd4721869
SHA1 0d0f4da4f00ae3f424c3d70dd8a0426110696c4c
SHA256 7b7eb48626556344bbdddfb6d37173be5032093087635c81cb236e1d43c94b3c
SHA512 38e2e1813dcc5c7770d46611dde3cfebab1773c1837659ec662c0f38690d95aa48e3f732ff210e61216f9d3dc5530c8b754fb29c17cb3990409364acd8856144

memory/4140-157-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 2fdebb1fa24fb37664420208c7e61a70
SHA1 9de9c68f6104f9556666c51b4483bd0afeff3112
SHA256 4098fab5add3b9fc6c3b19180b1066688b2542d23641526ebb2c6816db86a945
SHA512 97aafb539d0de96bb9ba41c6a0c0aec0670de4cf8806b059caca9943eda64a47f61d1d29f699d0120f2e8b943d60f8c8f6b7deb9a75b610aa224c8cf74d9924c

memory/4468-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.69995727568123534358386742018769093.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 a13cf6b6f4eb2c6b6fc97932798c7d7d
SHA1 1f3dbac53e2e047055fa07a643c21cfee6e47bf2
SHA256 5113fd29ba3442d66e55c866ab97a8f0167198a40e0d2f58d1adec24819c2513
SHA512 cac3fe24b1e08ba154b4b02dd0bb85d88eb66cd127515c774f10b41004a6a156992471922d52447a925a232a75c0f8252d3d0950659ea4f0e600dfe0d03e816a

memory/4468-171-0x0000000003130000-0x0000000004130000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\83aa4cc77f591dfc2374580bbd95f6ba_e32e1c79-b88e-4709-94fb-81034ca3398e

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/4140-178-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

memory/3976-189-0x0000000000000000-mapping.dmp

memory/4140-190-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

memory/4328-191-0x0000000000000000-mapping.dmp

memory/3492-192-0x0000000000000000-mapping.dmp

memory/1164-193-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive5031514280305936362.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

C:\Users\Admin\AppData\Local\Temp\Retrive7844671037638282753.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

memory/4140-196-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

memory/404-197-0x0000000000000000-mapping.dmp

memory/4140-198-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

memory/4464-199-0x0000000000000000-mapping.dmp

memory/4556-200-0x0000000000000000-mapping.dmp

memory/2296-201-0x0000000000000000-mapping.dmp

memory/4468-202-0x0000000003130000-0x0000000004130000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive4158590728726044950.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

C:\Users\Admin\AppData\Local\Temp\Retrive6330189385174092392.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

memory/4824-206-0x0000000000000000-mapping.dmp

memory/4468-209-0x0000000003130000-0x0000000004130000-memory.dmp

memory/1132-207-0x0000000000000000-mapping.dmp

memory/4468-210-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4468-211-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4468-212-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4468-213-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4468-214-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4468-215-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4140-216-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

memory/4140-217-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

memory/4468-219-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4572-220-0x0000000000000000-mapping.dmp

memory/4468-221-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4140-224-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

memory/4140-225-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

memory/4140-226-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

memory/4140-227-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

memory/4468-228-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4468-229-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4140-230-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

memory/4140-231-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

memory/4468-232-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4468-233-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4468-234-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4468-235-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4468-236-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4468-237-0x0000000003130000-0x0000000004130000-memory.dmp

memory/4468-238-0x0000000003130000-0x0000000004130000-memory.dmp