Resubmissions

21/06/2024, 17:58

240621-wkgm1ayfmc 10

Analysis

  • max time kernel
    588s
  • max time network
    482s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/06/2024, 04:44

General

  • Target

    Blank-Owner455.exe

  • Size

    1.3MB

  • MD5

    0708b141816e1287fb4bfec4c837ef6e

  • SHA1

    65884a0d7f3fab21c1e1d9432525f6f9d255744a

  • SHA256

    ddf1395c86c239c3c9c930038e69e5992c3d8260a47c96c1a21cdc770dfd5bf4

  • SHA512

    cab5388cbad7750362acec225385d62abfb01cf7dcc32c85555334d90c86d84212bcf0dff47ff960003805cb2c4ef962543ae328ffe2fc75f4c156e01ef24e84

  • SSDEEP

    24576:8x6//3ra8haNNG+NOYJFYNxNTvliZMa3X3N:MSWMaHtNnKNiOaH3N

Malware Config

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

  • Class file contains resources related to AdWind (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Modifies file permissions (1 TTP, 1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe
    "C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\MoonRar.jar"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:3004
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649097757.tmp
        3⤵
        • Views/modifies file attributes
        PID:1876
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649097757.tmp" /f"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\system32\reg.exe
          REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649097757.tmp" /f
          4⤵
          • Adds Run key to start application
          PID:4316
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1096

Network

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize
    46B
    MD5
    3afa89093d9a18541c6cef0257522632
    SHA1
    64d9f1c7bf428b4d08945eac19786e93f8957cce
    SHA256
    f90904dac08a4a0837283aebf3fac5973299001ff7b43c34888f7cd2f78c3df0
    SHA512
    3b9487f7021e137f63c3e10c85bb55f2c52feac392b598adf0ab5c783c149fb0e8dce741c1a90ebe209359218ebe1c29f4cc81f5e789915a8252e2edf5aba7a2
  • C:\Users\Admin\AppData\Local\Temp\MoonRar.jar
    Filesize
    830KB
    MD5
    d8339dcc4a19345bd7cb55def570eef1
    SHA1
    de69d3fe9a794282859c106e9a90e6647c1a0305
    SHA256
    5eec9251dc8001252eec5303f4de828ee5d9dc079680d6d6ce6b192c10a1f7e3
    SHA512
    207e56d4a3d2d60297d01098c23835482187fe444850f9abea8fb0e3f75e18d4c0403f0e893f30b51b307ccae020a512dec94f0963c29b429be5176613425fa7
  • memory/1008-0-0x00007FFA2B193000-0x00007FFA2B195000-memory.dmp
    Filesize
    8KB
  • memory/1008-1-0x00000000007E0000-0x0000000000930000-memory.dmp
    Filesize
    1.3MB
  • memory/2928-22-0x000001A8A7F20000-0x000001A8A7F21000-memory.dmp
    Filesize
    4KB
  • memory/2928-38-0x000001A8A7F20000-0x000001A8A7F21000-memory.dmp
    Filesize
    4KB
  • memory/2928-46-0x000001A8A7F20000-0x000001A8A7F21000-memory.dmp
    Filesize
    4KB
  • memory/2928-48-0x000001A8A7F20000-0x000001A8A7F21000-memory.dmp
    Filesize
    4KB
  • memory/2928-71-0x000001A8A7F20000-0x000001A8A7F21000-memory.dmp
    Filesize
    4KB
  • memory/2928-79-0x000001A8A7F20000-0x000001A8A7F21000-memory.dmp
    Filesize
    4KB