Resubmissions

21-06-2024 17:58

240621-wkgm1ayfmc 10

Analysis

  • max time kernel: 528s
  • max time network: 537s
  • platform: windows11-21h2_x64
  • resource: win11-20240508-en
  • resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 06-06-2024 04:44

General

  • Target: Blank-Owner455.exe
  • Size: 1.3MB
  • MD5: 0708b141816e1287fb4bfec4c837ef6e
  • SHA1: 65884a0d7f3fab21c1e1d9432525f6f9d255744a
  • SHA256: ddf1395c86c239c3c9c930038e69e5992c3d8260a47c96c1a21cdc770dfd5bf4
  • SHA512: cab5388cbad7750362acec225385d62abfb01cf7dcc32c85555334d90c86d84212bcf0dff47ff960003805cb2c4ef962543ae328ffe2fc75f4c156e01ef24e84
  • SSDEEP: 24576:8x6//3ra8haNNG+NOYJFYNxNTvliZMa3X3N:MSWMaHtNnKNiOaH3N

Malware Config

Signatures

  • AdWind
    A Java-based RAT family operated as malware-as-a-service.
  • Class file contains resources related to AdWind (1 IoC)
  • Modifies file permissions (1 TTP, 1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe
    "C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\MoonRar.jar"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:3984
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649098661.tmp
        3⤵
        • Views/modifies file attributes
        PID:5100
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649098661.tmp" /f"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2436
        • C:\Windows\system32\reg.exe
          REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649098661.tmp" /f
          4⤵
          • Adds Run key to start application
          PID:3924
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4616
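Detection logic for the chain in the process tree above (javaw.exe launching a .jar from Temp, icacls loosening .oracle_jre_usage to Everyone, attrib +H hiding the dropped .tmp, and a Run key pointing javaw -jar at it), as an added example that is not part of this sandbox report. The command lines, PIDs and the Run value are those the report shows; the Sysmon-style record layout, the parent PID 0 for the two root processes, the benign javaw launch under Program Files, the reg query output and the rule names are constructed for the example.

```python
# Added example (not part of the sandbox report): detection logic for the
# process chain shown above. Command lines, PIDs and the Run value are taken
# from the report; the Sysmon-style record layout, ppid 0 for root processes,
# the benign javaw launch and the "reg query" output are constructed.
import re
from collections import defaultdict

# (pid, ppid, image, command line), modelled on Sysmon Event ID 1 fields.
EVENTS = [
    (1120, 0, r"C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Blank-Owner455.exe"'),
    (1780, 1120, r"C:\Program Files\Java\jre-1.8\bin\javaw.exe",
     r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\MoonRar.jar"'),
    (3984, 1780, r"C:\Windows\system32\icacls.exe",
     r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M'),
    (5100, 1780, r"C:\Windows\SYSTEM32\attrib.exe",
     r"attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649098661.tmp"),
    (2436, 1780, r"C:\Windows\SYSTEM32\cmd.exe",
     r'cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649098661.tmp" /f"'),
    (3924, 2436, r"C:\Windows\system32\reg.exe",
     r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649098661.tmp" /f'),
    (4616, 0, r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
    # Constructed benign launch: a .jar under Program Files must not fire.
    (7000, 0, r"C:\Program Files\Java\jre-1.8\bin\javaw.exe",
     r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Program Files\SomeVendor\app.jar"'),
]

# Rule name -> (image basenames it applies to, or None for any; regex over the command line).
RULES = {
    "javaw_jar_from_user_writable_dir": (
        {"javaw.exe", "java.exe"},
        re.compile(r"(?:^|\s)-jar\s+.*?\\AppData\\(?:Local|Roaming)\\", re.I)),
    "run_key_points_at_javaw_jar": (  # hits the cmd.exe wrapper and the reg.exe child alike
        None,
        re.compile(r"reg\s+add\s+\S*\\CurrentVersion\\Run\b.*?javaw?\.exe\s+-jar", re.I)),
    "attrib_hides_tmp_under_roaming_microsoft": (
        None,
        re.compile(r"(?:^|\s)attrib(?:\.exe)?\s.*?\+h\b.*?\\AppData\\Roaming\\Microsoft\\\.tmp\\", re.I)),
    "icacls_grants_everyone_on_oracle_jre_usage": (
        None,
        re.compile(r'icacls(?:\.exe)?\s+\S*\\\.oracle_jre_usage\b.*?/grant\s+"?everyone"?:', re.I)),
}

def match_rules(event):
    """Names of the rules whose image filter and command-line regex both hit."""
    pid, ppid, image, cmd = event
    base = image.rsplit("\\", 1)[-1].lower()
    return [name for name, (images, rx) in RULES.items()
            if (images is None or base in images) and rx.search(cmd)]

def scan(events):
    """Rule name -> sorted PIDs of the process-creation events it matched."""
    hits = defaultdict(list)
    for ev in events:
        for name in match_rules(ev):
            hits[name].append(ev[0])
    return {name: sorted(pids) for name, pids in hits.items()}

def descendants(events, root):
    """All PIDs reachable from root by following parent links."""
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    seen, stack = set(), [root]
    while stack:
        for child in children[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def jrat_chains(events):
    """PIDs of java launchers reproducing the report's chain: a .jar run from a
    user-writable directory whose descendants both install a javaw -jar Run key
    and hide or loosen permissions on files on disk."""
    by_pid = {ev[0]: set(match_rules(ev)) for ev in events}
    roots = []
    for pid, names in by_pid.items():
        if "javaw_jar_from_user_writable_dir" not in names:
            continue
        below = set().union(*(by_pid[d] for d in descendants(events, pid)))
        if "run_key_points_at_javaw_jar" in below and below & {
                "attrib_hides_tmp_under_roaming_microsoft",
                "icacls_grants_everyone_on_oracle_jre_usage"}:
            roots.append(pid)
    return sorted(roots)

# Constructed output of: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# "Home" is the value the report shows being written; the OneDrive line is benign noise.
REG_QUERY_OUTPUT = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Home    REG_SZ    C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1717649098661.tmp
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*\S)\s*$")

def suspicious_run_values(reg_query_text):
    """Run value names whose data starts java/javaw with a .jar under AppData."""
    jar_rx = RULES["javaw_jar_from_user_writable_dir"][1]
    return [m.group(1) for m in map(VALUE_LINE.match, reg_query_text.splitlines())
            if m and re.search(r"javaw?\.exe", m.group(2), re.I) and jar_rx.search(m.group(2))]

if __name__ == "__main__":
    print(scan(EVENTS), jrat_chains(EVENTS), suspicious_run_values(REG_QUERY_OUTPUT))
```

`scan` reports every rule hit per PID; `jrat_chains` only fires when a javaw -jar launch from AppData has descendants that both write the Run key and touch the file system, because any one of these on its own (a legitimate app started with `javaw -jar` from AppData, an installer calling icacls) is ordinary noise. `suspicious_run_values` applies the same javaw rule to `reg query` output for hunting the persistence on a live host after the fact. The regexes are case-insensitive and follow the exact argument forms in this report; an operator who changes quoting or uses `%APPDATA%` instead of a literal path needs a broader pattern.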

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize: 46B
    MD5: 0da1b5c9d8ba0b5c9ed7bbde977d7a1b
    SHA1: cf5193295373187006dc013d5f029c0fc89f0bd6
    SHA256: fbaf5fbe07b5cd1e1ed5d043d454e63c94f31d4e45f5033b3eef2b7d54685ae0
    SHA512: 1e7ef9818164d914ddec001764acea4f35a16318276ee2075788de3c4cfe54081d6cdbd53a5a9cd1b21afa7f42df35b5917b32e217ffc5557160c662e171c05d
  • C:\Users\Admin\AppData\Local\Temp\MoonRar.jar
    Filesize: 830KB
    MD5: d8339dcc4a19345bd7cb55def570eef1
    SHA1: de69d3fe9a794282859c106e9a90e6647c1a0305
    SHA256: 5eec9251dc8001252eec5303f4de828ee5d9dc079680d6d6ce6b192c10a1f7e3
    SHA512: 207e56d4a3d2d60297d01098c23835482187fe444850f9abea8fb0e3f75e18d4c0403f0e893f30b51b307ccae020a512dec94f0963c29b429be5176613425fa7
  • C:\Users\Admin\AppData\Local\Temp\imageio4223178323805802207.tmp
    Filesize: 41KB
    MD5: 23ce59da9ae0a95c1d5d377e771d1102
    SHA1: 7caab2ede86e624f7f1a3b30d6f01898946cc7d7
    SHA256: 4b0ead345a36035e04aaf62c99b9299cd22b34e5b0bfcfe9c5f7d14eebcb8fbc
    SHA512: 06e74ec7527525012d832dd08ae33f4e2cf242656a69586ab3c8260bfc8331efd508ad0e4ffa4f49405e2b37766b9e248f3a9b59798a3173595804cc0e3c4a75
  • memory/1120-0-0x00007FFD97EF3000-0x00007FFD97EF5000-memory.dmp (Filesize: 8KB)
  • memory/1120-1-0x0000000000AA0000-0x0000000000BF0000-memory.dmp (Filesize: 1.3MB)
  • memory/1780-65-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-107-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-46-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-58-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-61-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-37-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-74-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-41-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-22-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-164-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-169-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-176-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-180-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-181-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)
  • memory/1780-185-0x0000022E897F0000-0x0000022E897F1000-memory.dmp (Filesize: 4KB)