Malware Analysis Report

2024-12-07 21:05

Sample ID: 220831-wrfdhsbfc5
Target: Order-List-xlsx.js
SHA256: 9f4a59e42b7183652c9ebb2eacdfd9e2b8a02f3fbad6f692751360b465034aad
Tags: adwind trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 9f4a59e42b7183652c9ebb2eacdfd9e2b8a02f3fbad6f692751360b465034aad

Threat Level: Known bad

The file Order-List-xlsx.js was found to be: Known bad.

Malicious Activity Summary

adwind trojan

AdWind

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-31 18:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-31 18:09
Reported: 2022-08-31 18:11
Platform: win7-20220812-en
Max time kernel: 47s
Max time network: 52s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Order-List-xlsx.js

Signatures

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description                     | Indicator | Process                         | Target
PID 1708 wrote to memory of 996  | N/A       | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 1708 wrote to memory of 996  | N/A       | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 1708 wrote to memory of 996  | N/A       | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 1708 wrote to memory of 1784 | N/A       | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe
PID 1708 wrote to memory of 1784 | N/A       | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe
PID 1708 wrote to memory of 1784 | N/A       | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Order-List-xlsx.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\dWtcdEbEtH.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\hogiluke.txt"

Network

N/A

Files

memory/1708-54-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp

memory/996-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\dWtcdEbEtH.js

MD5 9303945ea537b6f3315e4b1f7b858324
SHA1 b10968f9164c22008504af65ca00676b32f51caf
SHA256 c103ca6f320132abcaae4c4622518c40a782797c46332ce141a7aa11cfc67f88
SHA512 6992992c7edcdf5f9e4ffbcb34308b4e8e32844f2a12c356c290d07f1f58ce8b25c1b22ee263588b2222d9e6ed54f09923b4baf1b7202f9f4ad2ff9e9a13bdfd

memory/1784-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\hogiluke.txt

MD5 14472173042ea431af31e30cb01e0f9e
SHA1 fcd32682ed6881b9d1507b5252c39a862d187440
SHA256 561dcdfbabf3d7a0183ef052a17bd57b0822a4e9de31afb0eb14c3d531ba69fd
SHA512 09849118aeb2cba08f452a9364701cbcdc740a9c9b6e98edae1fc868d272a8809a0ec9c203faf5668516e0bd2fddf1ca2a13b9c885d976264823c799f40f7898

memory/1784-69-0x0000000002140000-0x0000000005140000-memory.dmp

memory/1784-70-0x0000000002140000-0x0000000005140000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-31 18:09
Reported: 2022-08-31 18:11
Platform: win10v2004-20220812-en
Max time kernel: 44s
Max time network: 75s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Order-List-xlsx.js

Signatures

AdWind

trojan adwind

Checks computer location settings

Description       | Indicator                                                                                      | Process                         | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator                                                                         | Process                         | Target
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process                                       | Target
N/A         | N/A       | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A
N/A         | N/A       | C:\Program Files\Java\jre1.8.0_66\bin\java.exe  | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Order-List-xlsx.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\dWtcdEbEtH.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\trhtuijak.txt"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.0374840551427846347593451691406037238.class

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7583461529115037328.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3034134199086379814.vbs

Network

Country | Destination        | Domain | Proto
NL      | 104.80.225.205:443 |        | tcp
US      | 52.182.143.211:443 |        | tcp
US      | 93.184.221.240:80  |        | tcp
US      | 93.184.221.240:80  |        | tcp
US      | 93.184.221.240:80  |        | tcp

Files

memory/1936-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\dWtcdEbEtH.js

MD5 9303945ea537b6f3315e4b1f7b858324
SHA1 b10968f9164c22008504af65ca00676b32f51caf
SHA256 c103ca6f320132abcaae4c4622518c40a782797c46332ce141a7aa11cfc67f88
SHA512 6992992c7edcdf5f9e4ffbcb34308b4e8e32844f2a12c356c290d07f1f58ce8b25c1b22ee263588b2222d9e6ed54f09923b4baf1b7202f9f4ad2ff9e9a13bdfd

memory/320-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\trhtuijak.txt

MD5 14472173042ea431af31e30cb01e0f9e
SHA1 fcd32682ed6881b9d1507b5252c39a862d187440
SHA256 561dcdfbabf3d7a0183ef052a17bd57b0822a4e9de31afb0eb14c3d531ba69fd
SHA512 09849118aeb2cba08f452a9364701cbcdc740a9c9b6e98edae1fc868d272a8809a0ec9c203faf5668516e0bd2fddf1ca2a13b9c885d976264823c799f40f7898

memory/320-138-0x00000000032D0000-0x00000000042D0000-memory.dmp

memory/4016-146-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.0374840551427846347593451691406037238.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

memory/4016-157-0x00000000032C0000-0x00000000042C0000-memory.dmp

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 e3c1f79560a48d5769f81651eaeebbcd
SHA1 a8828f10d7374473de12d52b35fd4d7f322012a9
SHA256 53d94ec17daea35401303c2168f517f2f7dd02cfefd55674146a09cafffcf375
SHA512 23aa43dce7d244aff070560995df9814c07aeb7152aa926c966ff8149a0ddbd93c3f97992f4592865e466815acac2bcd042f3d486cd777fbe3e026b252f02364

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2891029575-1462575-1165213807-1000\83aa4cc77f591dfc2374580bbd95f6ba_9be0bf4d-f8db-4af4-be85-dc38433c9501

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/320-162-0x00000000032D0000-0x00000000042D0000-memory.dmp

memory/4016-168-0x00000000032C0000-0x00000000042C0000-memory.dmp

memory/320-170-0x00000000032D0000-0x00000000042D0000-memory.dmp

memory/4016-174-0x00000000032C0000-0x00000000042C0000-memory.dmp

memory/3796-177-0x0000000000000000-mapping.dmp

memory/2608-178-0x0000000000000000-mapping.dmp