adwind | f8273617fe63d7b1e783427b76f0b250b428648e7cb47a45bcf98fa72bc708f3

Analysis

max time kernel
152s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KNRyOLnGcT_UKWN.jar
Size

1.2MB
MD5

5cdffc26c265c48cdbbf1aae06cc101c
SHA1

566fb395a9586ca59c4317af8b8a6e656352d5fa
SHA256

5a894d00f75d512b8b3604dabf49b049f40721a82397ac2e6bdf3f910565c737
SHA512

f0976bf6d5d35f36a8c625b5e520c94e1569da793d3d03e86bd9c6531a0ca2790f003bd5be210267081632e21964fd81936bfbad8cd9d81918666b53514058fd
SSDEEP

24576:q5P4Aday/1OtGC/HPXubl2Emy4AK+5pCwncs9hJh0+bqbK9X2XzVR:MdX8PXuIZZLkpCts9hJh0+OuIzz

Score

10^/10

adwind vjw0rm persistence trojan worm

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVvEfMYHrV.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVvEfMYHrV.js	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\eVvEfMYHrV.js\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1128	java.exe
2748	javaw.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 2796	1516	java.exe	29
PID 1516 wrote to memory of 2796	1516	java.exe	29
PID 1516 wrote to memory of 2796	1516	java.exe	29
PID 2796 wrote to memory of 2024	2796	wscript.exe	30
PID 2796 wrote to memory of 2024	2796	wscript.exe	30
PID 2796 wrote to memory of 2024	2796	wscript.exe	30
PID 2796 wrote to memory of 2748	2796	wscript.exe	31
PID 2796 wrote to memory of 2748	2796	wscript.exe	31
PID 2796 wrote to memory of 2748	2796	wscript.exe	31
PID 2748 wrote to memory of 1128	2748	javaw.exe	34
PID 2748 wrote to memory of 1128	2748	javaw.exe	34
PID 2748 wrote to memory of 1128	2748	javaw.exe	34
PID 1128 wrote to memory of 2816	1128	java.exe	40
PID 1128 wrote to memory of 2816	1128	java.exe	40
PID 1128 wrote to memory of 2816	1128	java.exe	40
PID 2748 wrote to memory of 2856	2748	javaw.exe	41
PID 2748 wrote to memory of 2856	2748	javaw.exe	41
PID 2748 wrote to memory of 2856	2748	javaw.exe	41
PID 2856 wrote to memory of 1096	2856	cmd.exe	44
PID 2856 wrote to memory of 1096	2856	cmd.exe	44
PID 2856 wrote to memory of 1096	2856	cmd.exe	44
PID 2816 wrote to memory of 2848	2816	cmd.exe	45
PID 2816 wrote to memory of 2848	2816	cmd.exe	45
PID 2816 wrote to memory of 2848	2816	cmd.exe	45
PID 1128 wrote to memory of 2792	1128	java.exe	51
PID 1128 wrote to memory of 2792	1128	java.exe	51
PID 1128 wrote to memory of 2792	1128	java.exe	51
PID 2748 wrote to memory of 2608	2748	javaw.exe	49
PID 2748 wrote to memory of 2608	2748	javaw.exe	49
PID 2748 wrote to memory of 2608	2748	javaw.exe	49
PID 2792 wrote to memory of 3060	2792	cmd.exe	48
PID 2792 wrote to memory of 3060	2792	cmd.exe	48
PID 2792 wrote to memory of 3060	2792	cmd.exe	48
PID 2608 wrote to memory of 2984	2608	cmd.exe	50
PID 2608 wrote to memory of 2984	2608	cmd.exe	50
PID 2608 wrote to memory of 2984	2608	cmd.exe	50
PID 2748 wrote to memory of 2112	2748	javaw.exe	52
PID 2748 wrote to memory of 2112	2748	javaw.exe	52
PID 2748 wrote to memory of 2112	2748	javaw.exe	52
PID 1128 wrote to memory of 2672	1128	java.exe	53
PID 1128 wrote to memory of 2672	1128	java.exe	53
PID 1128 wrote to memory of 2672	1128	java.exe	53

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\KNRyOLnGcT_UKWN.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\_output.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eVvEfMYHrV.js"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2024
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\krkaonfaq.txt"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.328904898315288247197557545556721844.class
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5205537196399905753.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5205537196399905753.vbs
        6⤵
        
        PID:2848
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5325236251099423869.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2792
    - - C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
        5⤵
        
        PID:2672
  - - C:\Windows\system32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6831381897748270754.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6831381897748270754.vbs
        5⤵
        
        PID:1096
  - - C:\Windows\system32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7705067739133398184.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7705067739133398184.vbs
        5⤵
        
        PID:2984
  - - C:\Windows\system32\xcopy.exe
      xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      4⤵
      PID:2112

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5325236251099423869.vbs
1⤵
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Retrive6831381897748270754.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive7705067739133398184.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.328904898315288247197557545556721844.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-452311807-3713411997-1028535425-1000\83aa4cc77f591dfc2374580bbd95f6ba_ccfa0506-02d3-430a-9cb5-3bbf5536069a

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll

Filesize
9KB

MD5
815d6b1628fd31a01731d0b99a74db67

SHA1
21b3e97ae9dfcd3b1ada3daae562f34c75a3b0b3

SHA256
912c544929b1aea6b97ec7801bb5139c9f89f581bdf8ef0091bf14c92b03be48

SHA512
e3672ebd8129911c7217b9dbc0fabed45a654fb3998ab08c81f91d97613610c5043dda8552c28fc2401b9daf033f10cc85945a6391de5ca633742edc693e785f

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties

Filesize
3KB

MD5
0547e7c8dade7157d58f6bf5e74bcce7

SHA1
f1ef0a100276e7d3adf38b9fbb802d12f4bb8d9f

SHA256
6953ed5729acafb594c9e81b970f946848453abc6033d4b5519870b58c72abac

SHA512
b213982a0935465b8d468822912169457b60a55382eba7ee39c62be953512a2d524aa6d01953d05dab981b72c417e62bcdff661bac99534e54778f906ad44d6b

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT

Filesize
27B

MD5
7da9aa0de33b521b3399a4ffd4078bdb

SHA1
f188a712f77103d544d4acf91d13dbc664c67034

SHA256
0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d

SHA512
9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+10

Filesize
27B

MD5
715dc3fcec7a4b845347b628caf46c84

SHA1
1b194cdd0a0dc5560680c33f19fc2e7c09523cd1

SHA256
3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08

SHA512
72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+2

Filesize
27B

MD5
e256eccde666f27e69199b07497437b2

SHA1
b2912c99ee4dff27ab1e3e897a31fc8f0cfcf5d7

SHA256
9e971632a3e9860a15af04efec3a9d5af9e7220cd4a731c3d9262d00670496a5

SHA512
460a225678c59a0259edef0c2868a45140ce139a394a00f07245cc1c542b4a74ff6fe36248f2fccc91a30d0a1d59d4ebcc497d6d3c31afad39934463f0496ee4

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+5

Filesize
27B

MD5
a2abe32f03e019dbd5c21e71cc0f0db9

SHA1
25b042eb931fff4e815adcc2ddce3636debf0ae1

SHA256
27ba8b5814833b1e8e8b5d08246b383cb8a5fb7e74e237cdbcadf320e882ab78

SHA512
197c065b9c17c6849a15f45ac69dafa68aaa0b792219fedb153d146f23997bfa4fbc4127b1d030a92a4d7103bded76a1389df715b9539ea23ea21e6a4bb65fb2

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+7

Filesize
27B

MD5
11f8e73ad57571383afa5eaf6bc0456a

SHA1
65a736dddd8e9a3f1dd6fbe999b188910b5f7931

SHA256
0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e

SHA512
578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Indian\Christmas

Filesize
27B

MD5
02bc5aaee85e8b96af646d479bb3307c

SHA1
1bf41be125fe8058d5999555add1ea2a83505e72

SHA256
e8d8d94f0a94768716701faa977a4d0d6ef93603de925078822f5c7a89cc8fca

SHA512
e01d82ac33729e7ee14516f5d9ff753559f73143c7aa8a25ed4cc65b59dc364b1a020bc28427f8ec43fec8ef139cf30b09e492d77f15d7b09ae83240cdf8bc14

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\MET

Filesize
1KB

MD5
df1d6d7601b75822e9cf454c03c583b6

SHA1
966737a61ec5f9bcac90154389f5249ca6c0e1e2

SHA256
f3936669b75c67d577d93655b07629b30371aefd32845f69d7cef09b27409d8c

SHA512
50f1943794f84faa26ec8aa1175d98dac365ad3a48eda7b1899e57f1e7fe88365d595403131df926c0471900bf1dcf43f534c57bfb2fb33fe5a81870f4e103ba

Download Submit
C:\Users\Admin\AppData\Roaming\eVvEfMYHrV.js

Filesize
14KB

MD5
7da63b5e09aca81ff9226cb98eb7c07f

SHA1
95b8e956af1684adfa7eeb44fbb8703e314ed714

SHA256
9591223d96a8fbdef996a889892846b7162aee19904f030080dbf3ca2d966c20

SHA512
608af6335c141e95cb8b1f95dae2d47c5cc7c0ba18fbcfca851681ddabfa17be920d5d5b2986b0da69fbaec6e4cd9d3bcadc70b6c63e2f9e31957eff6d347e70

Download Submit
C:\Users\Admin\AppData\Roaming\krkaonfaq.txt

Filesize
64KB

MD5
d54aecfc1565a98ebae11b68a2630d6f

SHA1
0e8730672acec00fe44cbb36d03d1a3074a630e6

SHA256
54d98a03c02b60342825bbedd5e2d0eac0641258eacab906132bb4f2d86f1bf6

SHA512
23d1cdbe393714bacd4ce8577ae499444cd44dc275c811db6baa29b27f125966df9d0d357cf993c6fa09960ae8f8c574644891c2f71b4eb8adc1e16c0c6a9754

Download Submit
C:\Users\Admin\_output.js

Filesize
1.8MB

MD5
6b365cde2eb2200cf974830e8e89ff74

SHA1
c7b2dd8fe2e63a784f3c304e8c8e6e4fb414c770

SHA256
873bd289f8f446b716b39c7d229cd3a065547b68f54f771682156300c4247150

SHA512
5aaceb9826db8a966cff9e43042a34baa27847512adb700844c63afe972db36e39eb8e522f592f184efbf5adc224f84f358cb9397b87b1fc437cdf6d9cc52609

Download Submit
memory/1128-47-0x0000000002300000-0x0000000005300000-memory.dmp

Filesize
48.0MB

Download
memory/1128-67-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/1128-111-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/1128-112-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/1128-104-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/1128-48-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/1128-1086-0x0000000002300000-0x0000000005300000-memory.dmp

Filesize
48.0MB

Download
memory/1516-10-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1516-14-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1516-6-0x00000000022B0000-0x00000000052B0000-memory.dmp

Filesize
48.0MB

Download
memory/2748-118-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2748-75-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2748-51-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2748-88-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2748-185-0x0000000002340000-0x0000000005340000-memory.dmp

Filesize
48.0MB

Download
memory/2748-94-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2748-32-0x0000000002340000-0x0000000005340000-memory.dmp

Filesize
48.0MB

Download
memory/2748-33-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2748-105-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2748-110-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads