Overview

overview

10

Static

static

3

Blank-Owner455.exe

windows10-1703-x64

10

Blank-Owner455.exe

windows10-2004-x64

10

Blank-Owner455.exe

windows11-21h2-x64

10

Resubmissions

21/06/2024, 17:58

240621-wkgm1ayfmc 10

Analysis

  • max time kernel
    139s
  • max time network
    157s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06/06/2024, 04:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Blank-Owner455.exe

  • Size

    1.3MB

  • MD5

    0708b141816e1287fb4bfec4c837ef6e

  • SHA1

    65884a0d7f3fab21c1e1d9432525f6f9d255744a

  • SHA256

    ddf1395c86c239c3c9c930038e69e5992c3d8260a47c96c1a21cdc770dfd5bf4

  • SHA512

    cab5388cbad7750362acec225385d62abfb01cf7dcc32c85555334d90c86d84212bcf0dff47ff960003805cb2c4ef962543ae328ffe2fc75f4c156e01ef24e84

  • SSDEEP

    24576:8x6//3ra8haNNG+NOYJFYNxNTvliZMa3X3N:MSWMaHtNnKNiOaH3N

Score
10/10
adwinddiscoverypersistencetrojan

Malware Config

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

    trojanadwind
  • Class file contains resources related to AdWind 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe
    "C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\MoonRar.jar"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:1984
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649100089.tmp
        3⤵
        • Views/modifies file attributes
        PID:2244
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649100089.tmp" /f"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3620
        • C:\Windows\system32\reg.exe
          REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649100089.tmp" /f
          4⤵
          • Adds Run key to start application
          PID:2304
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4092

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
          Filesize

          46B

          MD5

          c9dcff4aa99c1c41666004a936a335e1

          SHA1

          d94e2e68184e93c63f184535331088f984323cf5

          SHA256

          35f0dc68c1df4698a68a65730eab670a923f033f51976103e79d4ad6733ab5dc

          SHA512

          f097b5b9b6b898e614fcc24bdd1797d7421b52d603defa6206aafcc4f57b9c92346d47c81d6e2a4f54c6cb0fedeea9de9b9be9474ec4729b88aa8b53e4e5651e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MoonRar.jar
          Filesize

          830KB

          MD5

          d8339dcc4a19345bd7cb55def570eef1

          SHA1

          de69d3fe9a794282859c106e9a90e6647c1a0305

          SHA256

          5eec9251dc8001252eec5303f4de828ee5d9dc079680d6d6ce6b192c10a1f7e3

          SHA512

          207e56d4a3d2d60297d01098c23835482187fe444850f9abea8fb0e3f75e18d4c0403f0e893f30b51b307ccae020a512dec94f0963c29b429be5176613425fa7

          Download Submit

        • memory/3668-0-0x00007FFE96333000-0x00007FFE96334000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3668-1-0x00000000003D0000-0x0000000000520000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4088-22-0x000001D85C580000-0x000001D85C581000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4088-33-0x000001D85C580000-0x000001D85C581000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4088-38-0x000001D85C580000-0x000001D85C581000-memory.dmp

          Filesize

          4KB

          Download