Analysis Overview
SHA256
b568557f6219bf59cd785dd1b9f73a1ed9bf99b1f09a1b4f450a3b06214093d4
Threat Level: Known bad
The file built.jar was found to be: Known bad.
Malicious Activity Summary
Adwind family
Class file contains resources related to AdWind
Adds Run key to start application
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-16 06:09
Signatures
Adwind family
Class file contains resources related to AdWind
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-16 06:09
Reported
2024-11-16 06:13
Platform
win11-20241007-en
Max time kernel
150s
Max time network
93s
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731737489907.tmp" | C:\Windows\system32\reg.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2332 wrote to memory of 4576 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\attrib.exe |
| PID 2332 wrote to memory of 856 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 856 wrote to memory of 1012 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\reg.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\built.jar
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731737489907.tmp
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731737489907.tmp" /f"
C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731737489907.tmp" /f
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\RepairInstall.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\d0830889e21a40f4bab1b3ebba194b26 /t 5004 /p 4684
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:4411 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731737489907.tmp
| MD5 | 6b5b829c063142549a57c945b056ad3f |
| SHA1 | 07ad97d0e1252a28ec1ab8fbfb0bddc647a3df5a |
| SHA256 | b568557f6219bf59cd785dd1b9f73a1ed9bf99b1f09a1b4f450a3b06214093d4 |
| SHA512 | 8c59065dc07ee1b3fabeefea90355cf3c361de96b094f6eee194df14afb9e87041fde8bf1d729e4fc5610a829e9382e06e9054676104ae6a7157c1deef99c44f |
C:\Users\Admin\Downloads\InstallConfirm.mhtml
| MD5 | 322528b698ca3bfe6a8803ba7b0c11b1 |
| SHA1 | 9ade6065c9303f114843bcb1d5c56e5bde725bbe |
| SHA256 | 0f82aa197d9b1b78c4262817a8e6c79220a8185646335a9dab0b2a099b7dbe06 |
| SHA512 | 833a507c66a2b433bd655befb2720912fd46577ee67a5beda6e107e22ccdfd751a7f3f2198fdbc45dd4ecedfbf8287055927c18f1e8bd6ea05b9f399d89fd0d3 |