adwind | f65ae8f2b7540ff93010945ecba328569fa0d193545b422d02145cb92e811f9c

Analysis

max time kernel
145s
max time network
118s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10/05/2023, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe
Size

945KB
MD5

8c954b7b1b63e226c6997b1e0260ba69
SHA1

47676b03a41c3711842091156984754b25a4771c
SHA256

540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267
SHA512

c449ef2778e286c5add39c5bae7c9a0fd3fce23f034f68d4f49e9c0ac5373289d7d82d475253dbf984aaf4140023ba396556194de66182bcf3ab3fb71f4cbe2e
SSDEEP

12288:ZV+mzTiV2KQ4p2+fk104bYOgTY3+0dXHjVqouwYnb3pENT4a/gFDV3MzQHmVbb:Z858F+81XYHTm+GoouwCZENVgH88HmVX

Score

10^/10

adwind trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

NirSoft MailPassView 9 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral11/files/0x0009000000012342-81.dat	MailPassView
behavioral11/files/0x0009000000012342-84.dat	MailPassView
behavioral11/files/0x0009000000012342-85.dat	MailPassView
behavioral11/files/0x0009000000012342-88.dat	MailPassView
behavioral11/files/0x0009000000012342-90.dat	MailPassView
behavioral11/files/0x0009000000012342-92.dat	MailPassView
behavioral11/files/0x0009000000012342-94.dat	MailPassView
behavioral11/memory/1272-199-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral11/memory/1272-202-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral11/files/0x0009000000012342-81.dat	WebBrowserPassView
behavioral11/files/0x0009000000012342-84.dat	WebBrowserPassView
behavioral11/files/0x0009000000012342-85.dat	WebBrowserPassView
behavioral11/files/0x0009000000012342-88.dat	WebBrowserPassView
behavioral11/files/0x0009000000012342-90.dat	WebBrowserPassView
behavioral11/files/0x0009000000012342-92.dat	WebBrowserPassView
behavioral11/files/0x0009000000012342-94.dat	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral11/files/0x0009000000012342-81.dat	Nirsoft
behavioral11/files/0x0009000000012342-84.dat	Nirsoft
behavioral11/files/0x0009000000012342-85.dat	Nirsoft
behavioral11/files/0x0009000000012342-88.dat	Nirsoft
behavioral11/files/0x0009000000012342-90.dat	Nirsoft
behavioral11/files/0x0009000000012342-92.dat	Nirsoft
behavioral11/files/0x0009000000012342-94.dat	Nirsoft
behavioral11/memory/1272-199-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral11/memory/1272-202-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
672	orimi.sfx.exe
696	orimi.exe
1836	0rin.exe

Loads dropped DLL 7 IoCs

pid	Process
1588	cmd.exe
672	orimi.sfx.exe
672	orimi.sfx.exe
696	orimi.exe
696	orimi.exe
696	orimi.exe
696	orimi.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	whatismyipaddress.com
7	whatismyipaddress.com
4	whatismyipaddress.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	0rin.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1120	java.exe
1368	javaw.exe
1836	0rin.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1588	1772	540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe	28
PID 1772 wrote to memory of 1588	1772	540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe	28
PID 1772 wrote to memory of 1588	1772	540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe	28
PID 1772 wrote to memory of 1588	1772	540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe	28
PID 1588 wrote to memory of 672	1588	cmd.exe	30
PID 1588 wrote to memory of 672	1588	cmd.exe	30
PID 1588 wrote to memory of 672	1588	cmd.exe	30
PID 1588 wrote to memory of 672	1588	cmd.exe	30
PID 672 wrote to memory of 696	672	orimi.sfx.exe	31
PID 672 wrote to memory of 696	672	orimi.sfx.exe	31
PID 672 wrote to memory of 696	672	orimi.sfx.exe	31
PID 672 wrote to memory of 696	672	orimi.sfx.exe	31
PID 696 wrote to memory of 1836	696	orimi.exe	32
PID 696 wrote to memory of 1836	696	orimi.exe	32
PID 696 wrote to memory of 1836	696	orimi.exe	32
PID 696 wrote to memory of 1836	696	orimi.exe	32
PID 696 wrote to memory of 1368	696	orimi.exe	33
PID 696 wrote to memory of 1368	696	orimi.exe	33
PID 696 wrote to memory of 1368	696	orimi.exe	33
PID 696 wrote to memory of 1368	696	orimi.exe	33
PID 1368 wrote to memory of 1120	1368	javaw.exe	34
PID 1368 wrote to memory of 1120	1368	javaw.exe	34
PID 1368 wrote to memory of 1120	1368	javaw.exe	34
PID 1120 wrote to memory of 932	1120	java.exe	36
PID 1120 wrote to memory of 932	1120	java.exe	36
PID 1120 wrote to memory of 932	1120	java.exe	36
PID 932 wrote to memory of 1524	932	cmd.exe	38
PID 932 wrote to memory of 1524	932	cmd.exe	38
PID 932 wrote to memory of 1524	932	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe
"C:\Users\Admin\AppData\Local\Temp\540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\eisde33w7t54e0bbgi.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\orimi.sfx.exe
    orimi.sfx.exe -piodfse34w882dfsi -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:696
    - - C:\Users\Admin\AppData\Local\Temp\0rin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0rin.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1836
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        6⤵
        
        PID:1272
    - - C:\Program Files\Java\jre7\bin\javaw.exe
        
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\orim.jar"
        5⤵
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Program Files\Java\jre7\bin\java.exe
        
        "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.46511107209414047968786273220999189.class
        6⤵
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8202984917907845893.vbs
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8202984917907845893.vbs
        8⤵
        
        PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0rin.exe

Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rin.exe

Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rin.exe

Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\eisde33w7t54e0bbgi.bat

Filesize
41B

MD5
acba6e1cd59b8530089cd5bc0e4fa3f5

SHA1
72acc3eeded8af656a52fff77cf25d9546767864

SHA256
c2bda0b74b66e35822281059f43bd31ca7c3f1d885fc0bdc92372da01793695b

SHA512
60c24e2231a4ccb573a5f37e0736e6513f622997ba461f00978ed1be561139676b71f352d3d8d9bf16ecf4b03cc232704e3e3877936e9048a738057fd90a07f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\eisde33w7t54e0bbgi.bat

Filesize
41B

MD5
acba6e1cd59b8530089cd5bc0e4fa3f5

SHA1
72acc3eeded8af656a52fff77cf25d9546767864

SHA256
c2bda0b74b66e35822281059f43bd31ca7c3f1d885fc0bdc92372da01793695b

SHA512
60c24e2231a4ccb573a5f37e0736e6513f622997ba461f00978ed1be561139676b71f352d3d8d9bf16ecf4b03cc232704e3e3877936e9048a738057fd90a07f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\orimi.sfx.exe

Filesize
894KB

MD5
dcb154f08779bceee91d88abdf29fe98

SHA1
8251e71f8518d7b8913e8ab5ce283de194aa7eff

SHA256
0b366060e0189a9b85ea6efb29bbb8142a168be3fabca60c67c3fd6a20a6193e

SHA512
ca8d9c9165900c9282d368516aa7aad3e603d71d37c4b40b192db0317b5222c9672fe29fb5c89d01941c253ce51b0360d94b0dcb7942cb14fd72e90ae5989da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\orimi.sfx.exe

Filesize
894KB

MD5
dcb154f08779bceee91d88abdf29fe98

SHA1
8251e71f8518d7b8913e8ab5ce283de194aa7eff

SHA256
0b366060e0189a9b85ea6efb29bbb8142a168be3fabca60c67c3fd6a20a6193e

SHA512
ca8d9c9165900c9282d368516aa7aad3e603d71d37c4b40b192db0317b5222c9672fe29fb5c89d01941c253ce51b0360d94b0dcb7942cb14fd72e90ae5989da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe

Filesize
802KB

MD5
ba16b0741b90153284a324fac53f8a91

SHA1
ef4d0855352cfe8aa5675e1cecb4d87298a84098

SHA256
9c4324bf614dd4edf60abad7c7d97c6e67ee37977dc7c4d00be096ea22efac74

SHA512
351b829ee345bf8ce06d714f5e1e0ce734ff2bd8816bb1c14480d34517226417019a38eed78303af2c3cd7c668b1eada26430004d643b32bfec6ac50aec7c8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe

Filesize
802KB

MD5
ba16b0741b90153284a324fac53f8a91

SHA1
ef4d0855352cfe8aa5675e1cecb4d87298a84098

SHA256
9c4324bf614dd4edf60abad7c7d97c6e67ee37977dc7c4d00be096ea22efac74

SHA512
351b829ee345bf8ce06d714f5e1e0ce734ff2bd8816bb1c14480d34517226417019a38eed78303af2c3cd7c668b1eada26430004d643b32bfec6ac50aec7c8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive8202984917907845893.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.46511107209414047968786273220999189.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\orim.jar

Filesize
479KB

MD5
6a8979d38cd1d99c33eaa74aa7775143

SHA1
efa1b842a8c66c2800e870f090eaeddca0bacdb6

SHA256
50fb5acf95563164b7c3e5a922641cfefbfec4abb6d31439dc69fba075ca4b56

SHA512
4e529d575800446246c7011c907c5dd7169892680d3a8fc126b22d0996e6a1819e013da41133090bc1f287d4358b059d3d5f1c48f57d02a0a148cdd0e0150acb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3948302646-268491222-1934009652-1000\83aa4cc77f591dfc2374580bbd95f6ba_a276eab5-dc44-4cc2-8d9b-a6b30cc2da67

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
\Users\Admin\AppData\Local\Temp\0rin.exe

Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
\Users\Admin\AppData\Local\Temp\0rin.exe

Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
\Users\Admin\AppData\Local\Temp\0rin.exe

Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
\Users\Admin\AppData\Local\Temp\0rin.exe

Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\orimi.sfx.exe

Filesize
894KB

MD5
dcb154f08779bceee91d88abdf29fe98

SHA1
8251e71f8518d7b8913e8ab5ce283de194aa7eff

SHA256
0b366060e0189a9b85ea6efb29bbb8142a168be3fabca60c67c3fd6a20a6193e

SHA512
ca8d9c9165900c9282d368516aa7aad3e603d71d37c4b40b192db0317b5222c9672fe29fb5c89d01941c253ce51b0360d94b0dcb7942cb14fd72e90ae5989da2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe

Filesize
802KB

MD5
ba16b0741b90153284a324fac53f8a91

SHA1
ef4d0855352cfe8aa5675e1cecb4d87298a84098

SHA256
9c4324bf614dd4edf60abad7c7d97c6e67ee37977dc7c4d00be096ea22efac74

SHA512
351b829ee345bf8ce06d714f5e1e0ce734ff2bd8816bb1c14480d34517226417019a38eed78303af2c3cd7c668b1eada26430004d643b32bfec6ac50aec7c8b2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe

Filesize
802KB

MD5
ba16b0741b90153284a324fac53f8a91

SHA1
ef4d0855352cfe8aa5675e1cecb4d87298a84098

SHA256
9c4324bf614dd4edf60abad7c7d97c6e67ee37977dc7c4d00be096ea22efac74

SHA512
351b829ee345bf8ce06d714f5e1e0ce734ff2bd8816bb1c14480d34517226417019a38eed78303af2c3cd7c668b1eada26430004d643b32bfec6ac50aec7c8b2

Download Submit
memory/672-97-0x0000000003080000-0x000000000314B000-memory.dmp

Filesize
812KB

Download
memory/672-102-0x0000000003080000-0x00000000030DD000-memory.dmp

Filesize
372KB

Download
memory/672-101-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/672-96-0x0000000003080000-0x000000000314B000-memory.dmp

Filesize
812KB

Download
memory/696-95-0x0000000000400000-0x00000000004CA1BF-memory.dmp

Filesize
808KB

Download
memory/1120-135-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1120-131-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1120-180-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1272-202-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1272-199-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-115-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1368-167-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1368-130-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1368-181-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1772-107-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1836-127-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1836-106-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download