adwind | cfdace4d2aa40a226f876f8de2fa1c04d3defc161dcee8be705cc62464e0ad23

Analysis

max time kernel
18s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2023, 13:42

Target

485096d3585435a174bac6a0d43140c4c8a0ca79.jar
Size

263KB
MD5

4b798fe8fc253c99025a61d3a5eadb02
SHA1

485096d3585435a174bac6a0d43140c4c8a0ca79
SHA256

cfdace4d2aa40a226f876f8de2fa1c04d3defc161dcee8be705cc62464e0ad23
SHA512

7946a4d771e9dddd4534f0acb3f6828d90ac494b4abcd88a412205a7e327c6ca16c4b8bc20285feee91777b8cf71f812871104dc5a1897c55a3ab46f5edd58b5
SSDEEP

3072:Cl8K+b2aeiVH6EN8zDWe4b1CHJmVIoXsdXYRYSt+ohoLfvKQ9l5m4DKxRfhWsTn4:CmDVDDCJmGoXsdokS0K05m7RfpTKhz9

Score

10^/10

adwind trojan

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2960	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2116	2960	java.exe	81
PID 2960 wrote to memory of 2116	2960	java.exe	81

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\485096d3585435a174bac6a0d43140c4c8a0ca79.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive820498127112724454.vbs
  2⤵
  PID:2116
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive820498127112724454.vbs
    3⤵
    PID:3900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3511426879745333326.vbs
  2⤵
  PID:4472
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3511426879745333326.vbs
    3⤵
    PID:368
- C:\Windows\SYSTEM32\xcopy.exe
  xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
  2⤵
  PID:3780

C:\Users\Admin\AppData\Local\Temp\Retrive3511426879745333326.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive820498127112724454.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
memory/2960-155-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-160-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-136-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-153-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-152-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download
memory/2960-163-0x00000000031E0000-0x00000000041E0000-memory.dmp

Filesize
16.0MB

Download