adwind | 6f819a3dbe5ac75261f157c14035baf0f72bf93033c12e581def1a4cdf9f8039

Analysis

max time kernel
50s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trolled.exe
Size

4.3MB
MD5

e24cc98957c91dabed02cf84e47b8278
SHA1

00607cff2e6d37b6f271f5e5f8794024814722ee
SHA256

6f819a3dbe5ac75261f157c14035baf0f72bf93033c12e581def1a4cdf9f8039
SHA512

aafca528c9ca2f4e756df04e0b95862cd872b712fe5c3138752d9f65de90f340423d7bab976d9c6a1d890118c720026a9d8b9a229d4dee78dc02d6595f31cc41
SSDEEP

98304:pIgu5JSgwY2bb+YIqdhoBmoziggpNamZTHwwYFiFN:pVu/SSE6YboBmo23KmZTHwwN

Score

10^/10

adwind skuld discovery persistence stealer trojan

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1256063120926052463/-iFGknjVKFXSNv3DZWbEqQQxHdmFRgLmT1KDCJ79ELk0eZPk3sQv7UfngRseF16uBUN5

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind4

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	trolled.exe

Executes dropped EXE 1 IoCs

pid	Process
3804	skuld.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3632	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1719545149812.tmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	skuld.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.ipify.org
17	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1728	taskkill.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3804	skuld.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1676	wmic.exe
Token: SeSecurityPrivilege	1676	wmic.exe
Token: SeTakeOwnershipPrivilege	1676	wmic.exe
Token: SeLoadDriverPrivilege	1676	wmic.exe
Token: SeSystemProfilePrivilege	1676	wmic.exe
Token: SeSystemtimePrivilege	1676	wmic.exe
Token: SeProfSingleProcessPrivilege	1676	wmic.exe
Token: SeIncBasePriorityPrivilege	1676	wmic.exe
Token: SeCreatePagefilePrivilege	1676	wmic.exe
Token: SeBackupPrivilege	1676	wmic.exe
Token: SeRestorePrivilege	1676	wmic.exe
Token: SeShutdownPrivilege	1676	wmic.exe
Token: SeDebugPrivilege	1676	wmic.exe
Token: SeSystemEnvironmentPrivilege	1676	wmic.exe
Token: SeRemoteShutdownPrivilege	1676	wmic.exe
Token: SeUndockPrivilege	1676	wmic.exe
Token: SeManageVolumePrivilege	1676	wmic.exe
Token: 33	1676	wmic.exe
Token: 34	1676	wmic.exe
Token: 35	1676	wmic.exe
Token: 36	1676	wmic.exe
Token: SeIncreaseQuotaPrivilege	1676	wmic.exe
Token: SeSecurityPrivilege	1676	wmic.exe
Token: SeTakeOwnershipPrivilege	1676	wmic.exe
Token: SeLoadDriverPrivilege	1676	wmic.exe
Token: SeSystemProfilePrivilege	1676	wmic.exe
Token: SeSystemtimePrivilege	1676	wmic.exe
Token: SeProfSingleProcessPrivilege	1676	wmic.exe
Token: SeIncBasePriorityPrivilege	1676	wmic.exe
Token: SeCreatePagefilePrivilege	1676	wmic.exe
Token: SeBackupPrivilege	1676	wmic.exe
Token: SeRestorePrivilege	1676	wmic.exe
Token: SeShutdownPrivilege	1676	wmic.exe
Token: SeDebugPrivilege	1676	wmic.exe
Token: SeSystemEnvironmentPrivilege	1676	wmic.exe
Token: SeRemoteShutdownPrivilege	1676	wmic.exe
Token: SeUndockPrivilege	1676	wmic.exe
Token: SeManageVolumePrivilege	1676	wmic.exe
Token: 33	1676	wmic.exe
Token: 34	1676	wmic.exe
Token: 35	1676	wmic.exe
Token: 36	1676	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1152	java.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 3528	2960	trolled.exe	90
PID 2960 wrote to memory of 3528	2960	trolled.exe	90
PID 2960 wrote to memory of 3528	2960	trolled.exe	90
PID 3528 wrote to memory of 2548	3528	cmd.exe	93
PID 3528 wrote to memory of 2548	3528	cmd.exe	93
PID 3528 wrote to memory of 2548	3528	cmd.exe	93
PID 3528 wrote to memory of 852	3528	cmd.exe	94
PID 3528 wrote to memory of 852	3528	cmd.exe	94
PID 3528 wrote to memory of 852	3528	cmd.exe	94
PID 3528 wrote to memory of 4572	3528	cmd.exe	95
PID 3528 wrote to memory of 4572	3528	cmd.exe	95
PID 3528 wrote to memory of 4572	3528	cmd.exe	95
PID 3528 wrote to memory of 1336	3528	cmd.exe	96
PID 3528 wrote to memory of 1336	3528	cmd.exe	96
PID 3528 wrote to memory of 1336	3528	cmd.exe	96
PID 852 wrote to memory of 1760	852	cmd.exe	97
PID 852 wrote to memory of 1760	852	cmd.exe	97
PID 852 wrote to memory of 1760	852	cmd.exe	97
PID 4572 wrote to memory of 5084	4572	cmd.exe	98
PID 4572 wrote to memory of 5084	4572	cmd.exe	98
PID 4572 wrote to memory of 5084	4572	cmd.exe	98
PID 3528 wrote to memory of 2948	3528	cmd.exe	100
PID 3528 wrote to memory of 2948	3528	cmd.exe	100
PID 3528 wrote to memory of 2948	3528	cmd.exe	100
PID 2948 wrote to memory of 776	2948	cmd.exe	102
PID 2948 wrote to memory of 776	2948	cmd.exe	102
PID 2948 wrote to memory of 776	2948	cmd.exe	102
PID 776 wrote to memory of 1728	776	cmd.exe	106
PID 776 wrote to memory of 1728	776	cmd.exe	106
PID 776 wrote to memory of 1728	776	cmd.exe	106
PID 1336 wrote to memory of 1152	1336	cmd.exe	105
PID 1336 wrote to memory of 1152	1336	cmd.exe	105
PID 2548 wrote to memory of 3804	2548	cmd.exe	104
PID 2548 wrote to memory of 3804	2548	cmd.exe	104
PID 1760 wrote to memory of 1652	1760	cmd.exe	107
PID 1760 wrote to memory of 1652	1760	cmd.exe	107
PID 1760 wrote to memory of 1652	1760	cmd.exe	107
PID 3804 wrote to memory of 3644	3804	skuld.exe	109
PID 3804 wrote to memory of 3644	3804	skuld.exe	109
PID 3804 wrote to memory of 1676	3804	skuld.exe	111
PID 3804 wrote to memory of 1676	3804	skuld.exe	111
PID 3804 wrote to memory of 4148	3804	skuld.exe	114
PID 3804 wrote to memory of 4148	3804	skuld.exe	114
PID 1152 wrote to memory of 3632	1152	java.exe	117
PID 1152 wrote to memory of 3632	1152	java.exe	117
PID 1152 wrote to memory of 4584	1152	java.exe	127
PID 1152 wrote to memory of 4584	1152	java.exe	127
PID 1152 wrote to memory of 2056	1152	java.exe	129
PID 1152 wrote to memory of 2056	1152	java.exe	129
PID 2056 wrote to memory of 1448	2056	cmd.exe	131
PID 2056 wrote to memory of 1448	2056	cmd.exe	131

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4148	attrib.exe
4584	attrib.exe
3644	attrib.exe

C:\Users\Admin\AppData\Local\Temp\trolled.exe
"C:\Users\Admin\AppData\Local\Temp\trolled.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\cracker.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3804
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
        5⤵
        Views/modifies file attributes
        
        PID:3644
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        5⤵
        Views/modifies file attributes
        
        PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript /nologo /e:jscript "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat"
        5⤵
        
        PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat"
      4⤵
      PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" java -jar "C:\Users\Admin\AppData\Local\Temp\RarSFX0\iidk.jar""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
      java -jar "C:\Users\Admin\AppData\Local\Temp\RarSFX0\iidk.jar"
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\system32\icacls.exe
        
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        5⤵
        Modifies file permissions
        
        PID:3632
    - - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1719545149812.tmp
        5⤵
        Views/modifies file attributes
        
        PID:4584
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1719545149812.tmp" /f"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1719545149812.tmp" /f
        6⤵
        Adds Run key to start application
        
        PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskkiller.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskkiller.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im cmd.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
b56f1bcc9b3d2127fc6852e627d71b93

SHA1
277e2e41b9ec8f869547c82cd0cf294f0f8452f2

SHA256
9d719bcd7e21c2b122a269f10019e0505146b3b216a0a3b0bcb17f42d60f760b

SHA512
0ae4d0e2c15151052d5da144974747ca332d1a724c317d6d35fce9cf8d8fb2c3b8e3bdbdf77519faa36bedfbc394842d2e8eb13e9a4270bfd1e1a48f7c331d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cracker.bat

Filesize
563B

MD5
76c3d1865f41ab708d1e2accf999d3c8

SHA1
9502f0b7e4387a1facbc30ef0cc5915cd15da126

SHA256
d23dd8777f83432b7583ab2e41b07dd5406b114bd3bd50eaf8a841476099bd43

SHA512
cd800c73ec7cd61df4e4f7613af05aa067b7c07fd4bf1cbdc3e978887a1106e0d849d02b42d5d231049af62625ed39029a95197d1daa976672f20831f4ae7a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iidk.jar

Filesize
639KB

MD5
252fd90861780cafa9c3636effd29d37

SHA1
a5338e8c723f9643de231fbbe95bd4930964ac39

SHA256
2d0ffc551620087ec69cbd4102297e9cd531d7d5e8337c8559795b5cc962d665

SHA512
f53406416525546a66984ced9fef87226f23d818fb6f6e073adfe7c7983d08acd428047cc91934468ba8009a468da4fe368018bbaf001fe56f12b9ba4282b8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe

Filesize
9.5MB

MD5
396758811eab54260eab74b18729ad1d

SHA1
3240b27807b2d42877f80565da042a8efefece23

SHA256
65263fc409ca9fd3fa186f3774a0705664a42102c94cda95b0c753dc98f7d11a

SHA512
b5c8c27fd521ca13b74eb26948345086f1289a1c2699753b0b3e296801abb72649d8d017763fd41e48634a2b3192e1714eb2feb1bea04db7d929cef653f28bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskkiller.bat

Filesize
54B

MD5
18ef03e1045b224a70d9afdf8247a241

SHA1
117b3959ded227b5cf0015229db0386f6479df70

SHA256
daf87ae302bcd7c7a65f6db2b93216116de0621169f724f564812a6a8614f33d

SHA512
2ef552283ed844801dc6b7a2ec143e1e52f77b6f7ee2516bb70b3c8db6592eaef9e435f063bbb94019ac135c2e37ccfcb9db8f926a7358c3590b3fc9c63beafd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat

Filesize
74B

MD5
b3be17a14609d812602af67da8b7acc2

SHA1
e1fcc3e3989ee6846694eba252622a336ce63795

SHA256
f6cb1a4b508b1650cc1eaa607f545e50967157eef4f676de39836f2806d63b81

SHA512
780a624a79bb3b293d83017595f709dd9fdc9e645f9c8bc5102aacaaad89a622e6a0dae9ea30fc3679378f6fe4afe34937f4909594c32351ee831917e8b0c1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat

Filesize
340B

MD5
6943c2eb7e78b8b8cb8171b940de20f2

SHA1
e428c6dc0ffc17ab70178765e0bcb23dc0c12b8a

SHA256
eb79d4bf846dfbd540085f0972658373f26709f281dfb88ad461f9df03d83095

SHA512
1d628f3c5ac6e41ed14cc0069bde0278248e32c77e2e111bc842a71ba62d52913b47fb29402ce79b3d0880b6b5763b0d9906d6fb65bcfdf33103aefa0044552b

Download Submit
memory/1152-36-0x000002D2B9120000-0x000002D2B9121000-memory.dmp

Filesize
4KB

Download
memory/1152-42-0x000002D2B9120000-0x000002D2B9121000-memory.dmp

Filesize
4KB

Download
memory/1152-49-0x000002D2B9120000-0x000002D2B9121000-memory.dmp

Filesize
4KB

Download
memory/1152-63-0x000002D2B9120000-0x000002D2B9121000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads