adwind | 012d2fcae6942de8aa569557c3b95ba0434f66e7ae2bfe35b0a800d3e99a4cfc

Analysis

max time kernel
1793s
max time network
1798s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
15-11-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

expensive crack.zip
Size

6.8MB
MD5

ba38a6d34c3e2674b6160ae8d1c1a2d4
SHA1

0e851ec1602e1fb80083a8d20b6b6aba225a9d04
SHA256

012d2fcae6942de8aa569557c3b95ba0434f66e7ae2bfe35b0a800d3e99a4cfc
SHA512

684e89bde6fe0da9a4b58911fba3e8a7c3653dff7915f8d9382265b5ec6976909a218d516aa669196f289664f5236b23f13bbe4d9ef5fb31430799303d41460e
SSDEEP

196608:dXE4PwPjhDcjIAXsDvI/9fNipnptqvRYj8mgJriQ+C:pENjyR/9lbRC8rm6

Score

10^/10

adwind persistence trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Adwind family
adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind4

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705296182.tmp"	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5088	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	5088	7zFM.exe
Token: 35	5088	7zFM.exe
Token: SeSecurityPrivilege	5088	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5088	7zFM.exe
5088	7zFM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2556	java.exe
2556	java.exe
2556	java.exe
2556	java.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 220	4876	cmd.exe	97
PID 4876 wrote to memory of 220	4876	cmd.exe	97
PID 4876 wrote to memory of 2556	4876	cmd.exe	98
PID 4876 wrote to memory of 2556	4876	cmd.exe	98
PID 2556 wrote to memory of 736	2556	java.exe	99
PID 2556 wrote to memory of 736	2556	java.exe	99
PID 2556 wrote to memory of 2712	2556	java.exe	101
PID 2556 wrote to memory of 2712	2556	java.exe	101
PID 2712 wrote to memory of 2800	2712	cmd.exe	103
PID 2712 wrote to memory of 2800	2712	cmd.exe	103

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
736	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\expensive crack.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:220
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java -jar expapasta.jar
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705296182.tmp
    3⤵
    - Views/modifies file attributes
    PID:736
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705296182.tmp" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705296182.tmp" /f
      4⤵
      Adds Run key to start application
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\expensive 3.2 crack\expapasta.jar

Filesize
6.9MB

MD5
0d086bd973376fccd4a544a2413a8669

SHA1
7e7f37a586c0cc0cf76d9ac89d4aa3accac73b63

SHA256
56e11160890d361c8175760ac8ad16dc46d8e35dc18caf3d3e64b8fbd83ba6bd

SHA512
8b8b2eeea1dbc7a1722ed099ac113a50a80ba8b2a260e6a342ce527086bbf2b18d72705a5e9fb0593a1d964ea01c66f246bbfea821aa90dfa85fec3d90d5f1f0

Download Submit
C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd

Filesize
764B

MD5
01b8ed92434e95a011e8e8dacba2fd68

SHA1
d1f538dfbab7a19c792b8325b2e9cbcc3cd9937d

SHA256
59a12fd47b56fa697512484117f37bd4a69b733c44614c13153e955581eb6799

SHA512
ce14085421d4902b300370896048a3e901508def1bdd5158a7df286cbc9de32163e3ef67afe416a5879816915ec75badf6604adaf19218b6343467c9391d1f9a

Download Submit
memory/2556-8-0x000001958EFD0000-0x000001958F240000-memory.dmp

Filesize
2.4MB

Download
memory/2556-26-0x000001958D730000-0x000001958D731000-memory.dmp

Filesize
4KB

Download
memory/2556-34-0x000001958D730000-0x000001958D731000-memory.dmp

Filesize
4KB

Download
memory/2556-43-0x000001958D730000-0x000001958D731000-memory.dmp

Filesize
4KB

Download
memory/2556-49-0x000001958D730000-0x000001958D731000-memory.dmp

Filesize
4KB

Download
memory/2556-50-0x000001958EFD0000-0x000001958F240000-memory.dmp

Filesize
2.4MB

Download
memory/2556-52-0x000001958D730000-0x000001958D731000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads