Overview

overview

10

Static

static

3

DemonicRat.exe

windows7-x64

10

DemonicRat.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-02-2025 17:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DemonicRat.exe

  • Size

    92.2MB

  • MD5

    a14eceecde0122a246d1fa026f8bd7b7

  • SHA1

    ab10f646cd84da146bff2a7b2659515d4ea6e45a

  • SHA256

    2ad1440758ab2ea7297a288ed1b018444054dbc82f67a7fe9e888151cd19f25c

  • SHA512

    d489205ff29c0506b198d684a443825399ddf7383d5fc026acad579e98852ac1c3772c31d50993c0546502fb9ce413fdc807bee8beeadcc9fd514b39e6b1229b

  • SSDEEP

    49152:2hpWTHXw/twZXyD8GAVVBWpJ87xTrJZIJ87xTRW0I4anWY9BW9twZXyD8GAVVBWE:

Score
10/10
adwinddiscoverypersistencetrojan

Malware Config

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

    trojanadwind
  • Adwind family
    adwind
  • Class file contains resources related to AdWind 1 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DemonicRat.exe
    "C:\Users\Admin\AppData\Local\Temp\DemonicRat.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\jar.jar"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1739381081618.tmp" /f"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Windows\system32\reg.exe
          REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1739381081618.tmp" /f
          4⤵
          • Adds Run key to start application
          PID:3392
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 856
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDk3QzRGQjUtMjExMi00MEE2LUIxQjAtOUYzRDVDMjE2ODM3fSIgdXNlcmlkPSJ7OEY1NDkxM0MtQURBQi00MEU5LTg5RTQtRDVGNDhCQkU5Rjk0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MUFENzM5OTItODUxNS00QTM4LTk5ODEtQTVFNDBDNEMzRDhEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDA4MzQ2NDk3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\jar.jar
    Filesize

    639KB

    MD5

    a202d36de662422258bc8cded79e929d

    SHA1

    1941c6182873d32460e2e9b8466a472e70a3307b

    SHA256

    2fd888671025424171d9f6f85dc2d8380b2a0e811d524a01eac9f60f5b6115a5

    SHA512

    f8e69c2f04ad91a7e5e24909ad62eb2aa8a9da7a6b5c8916c88549e6fa9f0985037ab109f409ebf0dc3b53e4ad4fe524d3ed4c81f6262090efd4218ac4be563a

    Download Submit

  • memory/1988-32-0x0000000073D20000-0x00000000742D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1988-1-0x0000000073D20000-0x00000000742D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1988-2-0x0000000073D20000-0x00000000742D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1988-52-0x0000000073D20000-0x00000000742D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1988-0-0x0000000073D22000-0x0000000073D23000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1988-35-0x0000000073D22000-0x0000000073D23000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2672-27-0x00000174DE870000-0x00000174DE880000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-8-0x00000174DE5E0000-0x00000174DE850000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2672-23-0x00000174DE850000-0x00000174DE860000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-31-0x00000174DE890000-0x00000174DE8A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-36-0x00000174DE8B0000-0x00000174DE8C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-24-0x00000174DE860000-0x00000174DE870000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-30-0x00000174DE880000-0x00000174DE890000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-20-0x00000174DCD10000-0x00000174DCD11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2672-38-0x00000174DE8C0000-0x00000174DE8D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-44-0x00000174DE8D0000-0x00000174DE8E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-45-0x00000174DCD10000-0x00000174DCD11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2672-33-0x00000174DE8A0000-0x00000174DE8B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-53-0x00000174DE5E0000-0x00000174DE850000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2672-55-0x00000174DE850000-0x00000174DE860000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-56-0x00000174DE860000-0x00000174DE870000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-57-0x00000174DE870000-0x00000174DE880000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-58-0x00000174DE8E0000-0x00000174DE8F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-62-0x00000174DE880000-0x00000174DE890000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-63-0x00000174DE8A0000-0x00000174DE8B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-64-0x00000174DE8B0000-0x00000174DE8C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-65-0x00000174DE8C0000-0x00000174DE8D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-66-0x00000174DE8D0000-0x00000174DE8E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-67-0x00000174DE8E0000-0x00000174DE8F0000-memory.dmp

    Filesize

    64KB

    Download