adwind | bc4332dccc1fa3c7c057435036712aa886316ec7091b94f5ce33cb852ae13a29

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-2452298.XLS.js
Size

721KB
MD5

aea8cd84b955bbcb32afc1689859b4e8
SHA1

51571e4e76b3c3ec9c998eebf90c49461dab6b19
SHA256

44ef24d5b5f3dd42944b06dcbc7778fee151dedbb005673b683831040315d34c
SHA512

9b71ad0bc516da946d88f8d0aad3a54556ab256db367fe0d7d63c88ae18388dc5fb823c4f8bc6b8ef247c33331d7baf7229dcb391dbfef2c9fb1265d273b5ed5
SSDEEP

12288:XgKde2i4XlRhaklFFm7Bpr1QkTt4awZdpF878NSTrQFerz0Ov+0cFYLvvdQIqjkn:X1deEXlBlvqLHmdpF87aMXZ/cFavykrr

Score

10^/10

adwind discovery execution trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Class file contains resources related to AdWind 1 IoCs

Processes:

resource yara_rule

sample family_adwind5

resource	yara_rule
sample	family_adwind5

Detect jar appended to MSI 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Fml.jar	jar_in_msi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	wscript.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2376 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Windows\System32\test.txt java.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings wscript.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

javaw.exejava.exe

pid process

1564 javaw.exe
2676 java.exe

pid	process
2376	icacls.exe

description	ioc	process
File created	C:\Windows\System32\test.txt	java.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	wscript.exe

pid	process
1564	javaw.exe
2676	java.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

wscript.exejavaw.exejava.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1876 wrote to memory of 1564	1876	wscript.exe	javaw.exe
PID 1876 wrote to memory of 1564	1876	wscript.exe	javaw.exe
PID 1564 wrote to memory of 2376	1564	javaw.exe	icacls.exe
PID 1564 wrote to memory of 2376	1564	javaw.exe	icacls.exe
PID 1564 wrote to memory of 2676	1564	javaw.exe	java.exe
PID 1564 wrote to memory of 2676	1564	javaw.exe	java.exe
PID 1564 wrote to memory of 64	1564	javaw.exe	cmd.exe
PID 1564 wrote to memory of 64	1564	javaw.exe	cmd.exe
PID 2676 wrote to memory of 1784	2676	java.exe	cmd.exe
PID 2676 wrote to memory of 1784	2676	java.exe	cmd.exe
PID 1784 wrote to memory of 3036	1784	cmd.exe	cscript.exe
PID 1784 wrote to memory of 3036	1784	cmd.exe	cscript.exe
PID 64 wrote to memory of 1744	64	cmd.exe	cscript.exe
PID 64 wrote to memory of 1744	64	cmd.exe	cscript.exe
PID 2676 wrote to memory of 1100	2676	java.exe	cmd.exe
PID 2676 wrote to memory of 1100	2676	java.exe	cmd.exe
PID 1564 wrote to memory of 3868	1564	javaw.exe	cmd.exe
PID 1564 wrote to memory of 3868	1564	javaw.exe	cmd.exe
PID 1100 wrote to memory of 928	1100	cmd.exe	cscript.exe
PID 1100 wrote to memory of 928	1100	cmd.exe	cscript.exe
PID 3868 wrote to memory of 3384	3868	cmd.exe	cscript.exe
PID 3868 wrote to memory of 3384	3868	cmd.exe	cscript.exe
PID 2676 wrote to memory of 2580	2676	java.exe	xcopy.exe
PID 2676 wrote to memory of 2580	2676	java.exe	xcopy.exe
PID 1564 wrote to memory of 2844	1564	javaw.exe	xcopy.exe
PID 1564 wrote to memory of 2844	1564	javaw.exe	xcopy.exe
PID 2676 wrote to memory of 2684	2676	java.exe	cmd.exe
PID 2676 wrote to memory of 2684	2676	java.exe	cmd.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-2452298.XLS.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1876

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Fml.jar"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
3⤵
- Modifies file permissions
PID:2376

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.4523862349071587528661473190737429.class
3⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4735604846827149019.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4735604846827149019.vbs
5⤵
PID:3036

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6479289505445786289.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6479289505445786289.vbs
5⤵
PID:928

C:\Windows\SYSTEM32\xcopy.exe
xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
4⤵
PID:2580

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
4⤵
PID:2684

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8456469226723333092.vbs
3⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8456469226723333092.vbs
4⤵
PID:1744

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6869927976825797710.vbs
3⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6869927976825797710.vbs
4⤵
PID:3384

C:\Windows\SYSTEM32\xcopy.exe
xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
3⤵
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
e00a715896d1521d3a775fff7c8e9ec1

SHA1
a7e8ceae133db960b47db3ca9ba5c86d05f54209

SHA256
9d6a397a67d6a63891c2cee4676b4bbc1a90db7db63f5f870d65622ffe7ed9b7

SHA512
0f9e6190b384182a7345f26eef5d8847457a24399f7bbaaf44dc5617ef5c22d834e3c308510a93ed470239f82d8f68b757c7c7d5d82fea58a8a2ee7b733d539a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fml.jar

Filesize
522KB

MD5
b4befe0293de26fed501f6c56871e1e1

SHA1
fe4f832435ef2c3d6bbca0ef0aa4857eec6f78f4

SHA256
0e9f78916316965e8e08e16537b10abcbe8ee35267ec274d6bb0fd4a4d24da6f

SHA512
75a28dd215691cc7f6ca859df4cf7fc3354ec09f8d802aa2cb30e8aa20e8e093689855d9b6601130eb7feb7780ff99f78b1adea13028bfe0eeb37c8da3f0d0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive4735604846827149019.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive6479289505445786289.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.4523862349071587528661473190737429.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\83aa4cc77f591dfc2374580bbd95f6ba_310807ab-751f-4d81-ae09-b202eaf21e19

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll

Filesize
558KB

MD5
bf78c15068d6671693dfcdfa5770d705

SHA1
4418c03c3161706a4349dfe3f97278e7a5d8962a

SHA256
a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

SHA512
5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll

Filesize
95KB

MD5
7415c1cc63a0c46983e2a32581daefee

SHA1
5f8534d79c84ac45ad09b5a702c8c5c288eae240

SHA256
475ab98b7722e965bd38c8fa6ed23502309582ccf294ff1061cb290c7988f0d1

SHA512
3d4b24061f72c0e957c7b04a0c4098c94c8f1afb4a7e159850b9939c7210d73398be6f27b5ab85073b4e8c999816e7804fef0f6115c39cd061f4aaeb4dcda8cf

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140_1.dll

Filesize
36KB

MD5
fcda37abd3d9e9d8170cd1cd15bf9d3f

SHA1
b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2

SHA256
0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6

SHA512
de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties

Filesize
3KB

MD5
880baacb176553deab39edbe4b74380d

SHA1
37a57aad121c14c25e149206179728fa62203bf0

SHA256
ff4a3a92bc92cb08d2c32c435810440fd264edd63e56efa39430e0240c835620

SHA512
3039315bb283198af9090bd3d31cfae68ee73bc2b118bbae0b32812d4e3fd0f11ce962068d4a17b065dab9a66ef651b9cb8404c0a2defce74bb6b2d1d93646d5

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\policy\unlimited\US_export_policy.jar

Filesize
7KB

MD5
12f971b6e65cbc7184701235469f0339

SHA1
06cb165157c5e0078b872c48707a1328b1dcba19

SHA256
84e035372ca8979bb4a387428a74942ffc7248a0e61988b7033b5b266cd187c8

SHA512
58646fc81de2e4750a3259d79a207a8cff2dc6692f178a63d92a453fc408c8d1088007ef4e93157d1017be706565716a0236039dbac848c40745a0ad89c4d0de

Download Submit
memory/1564-62-0x000001F64FF20000-0x000001F64FF21000-memory.dmp

Filesize
4KB

Download
memory/1564-399-0x000001F64FF20000-0x000001F64FF21000-memory.dmp

Filesize
4KB

Download
memory/1564-34-0x000001F64FF20000-0x000001F64FF21000-memory.dmp

Filesize
4KB

Download
memory/1564-967-0x000001F6517B0000-0x000001F651A20000-memory.dmp

Filesize
2.4MB

Download
memory/1564-5-0x000001F6517B0000-0x000001F651A20000-memory.dmp

Filesize
2.4MB

Download
memory/2676-55-0x000001EC34140000-0x000001EC34141000-memory.dmp

Filesize
4KB

Download
memory/2676-869-0x000001EC34140000-0x000001EC34141000-memory.dmp

Filesize
4KB

Download
memory/2676-338-0x000001EC34140000-0x000001EC34141000-memory.dmp

Filesize
4KB

Download
memory/2676-950-0x000001EC34140000-0x000001EC34141000-memory.dmp

Filesize
4KB

Download
memory/2676-955-0x000001EC34140000-0x000001EC34141000-memory.dmp

Filesize
4KB

Download
memory/2676-966-0x000001EC34140000-0x000001EC34141000-memory.dmp

Filesize
4KB

Download
memory/2676-21-0x000001EC359B0000-0x000001EC35C20000-memory.dmp

Filesize
2.4MB

Download
memory/2676-969-0x000001EC359B0000-0x000001EC35C20000-memory.dmp

Filesize
2.4MB

Download
memory/2676-977-0x000001EC34140000-0x000001EC34141000-memory.dmp

Filesize
4KB

Download
memory/2676-976-0x000001EC34140000-0x000001EC34141000-memory.dmp

Filesize
4KB

Download
memory/2676-980-0x000001EC34140000-0x000001EC34141000-memory.dmp

Filesize
4KB

Download
memory/2676-1000-0x000001EC34140000-0x000001EC34141000-memory.dmp

Filesize
4KB

Download
memory/2676-1001-0x000001EC34140000-0x000001EC34141000-memory.dmp

Filesize
4KB

Download
memory/2676-1007-0x000001EC34140000-0x000001EC34141000-memory.dmp

Filesize
4KB

Download