adwind | 237ef7673a0f6438a7d52f1a127e0cca1a7665f27d8fd3f80258d6a3718a948f

General

Target

sevkanigger.zip
Size

6.8MB
MD5

2f747823c6da001537a5aeef505de22f
SHA1

5a31fad8218da1944df6fd0749e4be5d3133455c
SHA256

237ef7673a0f6438a7d52f1a127e0cca1a7665f27d8fd3f80258d6a3718a948f
SHA512

7236d02c2412c56e1640b6deb7d01e6415d0c6ae95c765eb5c870fd2f6cb86cdf3cc1a8e84819a877c12077c6da819b01a97ceaa8b58c2a6351cc68c2db1b713
SSDEEP

196608:dXE4P3cMAiTVAFYS2+uVcr4tRkmJCfwm1cVXCDsB:pEtMAGCuWFmJCfwQco+

Score

10^/10

adwind persistence trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Adwind family
adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind4

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705459427.tmp"	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2940	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2940	7zFM.exe
Token: 35	2940	7zFM.exe
Token: SeSecurityPrivilege	2940	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2940	7zFM.exe
2940	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
484	java.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 4724	1000	cmd.exe	83
PID 1000 wrote to memory of 4724	1000	cmd.exe	83
PID 1000 wrote to memory of 484	1000	cmd.exe	84
PID 1000 wrote to memory of 484	1000	cmd.exe	84
PID 484 wrote to memory of 668	484	java.exe	85
PID 484 wrote to memory of 668	484	java.exe	85
PID 484 wrote to memory of 2536	484	java.exe	87
PID 484 wrote to memory of 2536	484	java.exe	87
PID 2536 wrote to memory of 4064	2536	cmd.exe	89
PID 2536 wrote to memory of 4064	2536	cmd.exe	89

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
668	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\sevkanigger.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4724
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java -jar expapasta.jar
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705459427.tmp
    3⤵
    - Views/modifies file attributes
    PID:668
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705459427.tmp" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705459427.tmp" /f
      4⤵
      Adds Run key to start application
      PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\expensive 3.2 crack\expapasta.jar

Filesize
6.9MB

MD5
adc85420c269bf5e808f6f703611d57c

SHA1
6b899a737504a4568bd7cd4f7dc5fef7a039958f

SHA256
fba508fae28635f44b9933b276e85e2618f7d05dc7fef1282ff49af32d454a02

SHA512
739b900f29da1c2503781048240f7c73367390a2a55fb2e5be204291c7db941a27f65c77ed8c67b0e5c68e2e35e046a8a51ad3f12a46ff72aaa17887c7408fa9

Download Submit
C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd

Filesize
764B

MD5
01b8ed92434e95a011e8e8dacba2fd68

SHA1
d1f538dfbab7a19c792b8325b2e9cbcc3cd9937d

SHA256
59a12fd47b56fa697512484117f37bd4a69b733c44614c13153e955581eb6799

SHA512
ce14085421d4902b300370896048a3e901508def1bdd5158a7df286cbc9de32163e3ef67afe416a5879816915ec75badf6604adaf19218b6343467c9391d1f9a

Download Submit
memory/484-8-0x00000220B0B70000-0x00000220B0DE0000-memory.dmp

Filesize
2.4MB

Download
memory/484-29-0x00000220AF2F0000-0x00000220AF2F1000-memory.dmp

Filesize
4KB

Download
memory/484-34-0x00000220AF2F0000-0x00000220AF2F1000-memory.dmp

Filesize
4KB

Download
memory/484-36-0x00000220B0B70000-0x00000220B0DE0000-memory.dmp

Filesize
2.4MB

Download
memory/484-39-0x00000220AF2F0000-0x00000220AF2F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads