adwind | 2df5c0ce570c728c5063372b10ba49562ae056e07a29df6c6e82189ea849f1a4

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/10/2024, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput.exe
Size

629KB
MD5

de7dbf0995218de34d55ea9181238f6a
SHA1

1be9fecd1399177e37827132d532b655f4a0410e
SHA256

2df5c0ce570c728c5063372b10ba49562ae056e07a29df6c6e82189ea849f1a4
SHA512

def27b1f577bef0dfc850cecfef007b7dd3316192635e9810efa55d986d35b49b206c22ed2bb076f15427bffc72642504a6162071f2aeb88e3a5d6236d38589a
SSDEEP

12288:fpdOPOPxDYgKHQkZsZ7vXeB+YPbTf7VTMUMqYs2iOLeU:fpdf5Kw6E7vOnTTf7VTMUM1TNLP

Score

10^/10

adwind trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind4

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2856	2468	XBinderOutput.exe	30
PID 2468 wrote to memory of 2856	2468	XBinderOutput.exe	30
PID 2468 wrote to memory of 2856	2468	XBinderOutput.exe	30

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\sga.jar"
  2⤵
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sga.jar

Filesize
639KB

MD5
708384ec7862f5d3e4866a0988c79c8b

SHA1
c5b8b09d1594fbffd8233233c59f0c143eaa6154

SHA256
b44dac1dd0b9cb11a5561195dfbd6c9f977cf27aadedb25bd9cca4775794c24b

SHA512
3d4c4327071d0706c5a9762db3c4ee1060012c05b25bad00e61df38fb4e8d81317999d106ca7352d0697318f62fd68eae6aca875b2ed1560e8ef80f31fd584ad

Download Submit
memory/2468-0-0x000007FEF5303000-0x000007FEF5304000-memory.dmp

Filesize
4KB

Download
memory/2468-1-0x0000000000C60000-0x0000000000D04000-memory.dmp

Filesize
656KB

Download
memory/2468-3-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2468-5-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-8-0x00000000026B0000-0x0000000002920000-memory.dmp

Filesize
2.4MB

Download
memory/2856-17-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2856-18-0x00000000026B0000-0x0000000002920000-memory.dmp

Filesize
2.4MB

Download