adwind | 2ad1440758ab2ea7297a288ed1b018444054dbc82f67a7fe9e888151cd19f25c

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-02-2025 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DemonicRat.exe
Size

92.2MB
MD5

a14eceecde0122a246d1fa026f8bd7b7
SHA1

ab10f646cd84da146bff2a7b2659515d4ea6e45a
SHA256

2ad1440758ab2ea7297a288ed1b018444054dbc82f67a7fe9e888151cd19f25c
SHA512

d489205ff29c0506b198d684a443825399ddf7383d5fc026acad579e98852ac1c3772c31d50993c0546502fb9ce413fdc807bee8beeadcc9fd514b39e6b1229b
SSDEEP

49152:2hpWTHXw/twZXyD8GAVVBWpJ87xTrJZIJ87xTRW0I4anWY9BW9twZXyD8GAVVBWE:

Score

10^/10

adwind discovery trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Adwind family
adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind4

Executes dropped EXE 1 IoCs

pid	Process
2252	Demonic Rat.exe

Loads dropped DLL 1 IoCs

pid	Process
1820	DemonicRat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DemonicRat.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2260	1820	DemonicRat.exe	28
PID 1820 wrote to memory of 2260	1820	DemonicRat.exe	28
PID 1820 wrote to memory of 2260	1820	DemonicRat.exe	28
PID 1820 wrote to memory of 2260	1820	DemonicRat.exe	28
PID 1820 wrote to memory of 2252	1820	DemonicRat.exe	29
PID 1820 wrote to memory of 2252	1820	DemonicRat.exe	29
PID 1820 wrote to memory of 2252	1820	DemonicRat.exe	29
PID 1820 wrote to memory of 2252	1820	DemonicRat.exe	29

C:\Users\Admin\AppData\Local\Temp\DemonicRat.exe
"C:\Users\Admin\AppData\Local\Temp\DemonicRat.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\jar.jar"
  2⤵
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\Demonic Rat.exe
  "C:\Users\Admin\AppData\Local\Temp\Demonic Rat.exe"
  2⤵
  - Executes dropped EXE
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jar.jar

Filesize
639KB

MD5
a202d36de662422258bc8cded79e929d

SHA1
1941c6182873d32460e2e9b8466a472e70a3307b

SHA256
2fd888671025424171d9f6f85dc2d8380b2a0e811d524a01eac9f60f5b6115a5

SHA512
f8e69c2f04ad91a7e5e24909ad62eb2aa8a9da7a6b5c8916c88549e6fa9f0985037ab109f409ebf0dc3b53e4ad4fe524d3ed4c81f6262090efd4218ac4be563a

Download Submit
memory/1820-0-0x0000000074911000-0x0000000074912000-memory.dmp

Filesize
4KB

Download
memory/1820-1-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1820-3-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1820-21-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2252-22-0x0000000000810000-0x0000000004C96000-memory.dmp

Filesize
68.5MB

Download
memory/2260-7-0x0000000002650000-0x00000000028C0000-memory.dmp

Filesize
2.4MB

Download
memory/2260-24-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2260-25-0x0000000002650000-0x00000000028C0000-memory.dmp

Filesize
2.4MB

Download
memory/2260-28-0x0000000002650000-0x00000000028C0000-memory.dmp

Filesize
2.4MB

Download