File name:

Quotation Request 140919,pdf,doc.jar

Full analysis: https://app.any.run/tasks/6eb8c741-7500-4b2a-bb22-aaad956c69a0
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Malware Trends Tracker     >>>
Analysis date: March 14, 2019, 14:08:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adwind
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

D028EEC1F1CB59D4193B5FF44FF21249

SHA1:

5A90D7D561170EB80FE815ED325EE58E997CD480

SHA256:

79965D1A6937D952AC6F693FCDA9B0DF20C52E979C33C98AA798A34D5901A79E

SSDEEP:

24576:x+maTro/Xmxvs77w652WHkGHBazushHWtDuSKCdCzrbn:xoT4XhAyHBTslWxmRzn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 2936)
      • WScript.exe (PID: 2444)
      • wscript.exe (PID: 2416)
      • javaw.exe (PID: 4024)
      • reg.exe (PID: 2356)

    • Writes to a start menu file

      • WScript.exe (PID: 2444)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2472)

    • Uses Task Scheduler to run other applications

      • WScript.exe (PID: 2444)

    • AdWind was detected

      • java.exe (PID: 3140)
      • java.exe (PID: 2176)

    • Loads dropped or rewritten executable

      • wscript.exe (PID: 2416)
      • WScript.exe (PID: 2936)
      • javaw.exe (PID: 4024)
      • javaw.exe (PID: 2908)
      • java.exe (PID: 2176)
      • javaw.exe (PID: 3620)
      • explorer.exe (PID: 284)
      • java.exe (PID: 3140)
      • javaw.exe (PID: 2996)
      • javaw.exe (PID: 3468)

    • Application was dropped or rewritten from another process

      • java.exe (PID: 3140)
      • java.exe (PID: 2176)
      • javaw.exe (PID: 3468)
      • javaw.exe (PID: 4024)
      • javaw.exe (PID: 3620)
      • javaw.exe (PID: 2908)
      • javaw.exe (PID: 2996)

    • UAC/LUA settings modification

      • regedit.exe (PID: 972)

    • Uses TASKKILL.EXE to kill security tools

      • javaw.exe (PID: 2908)

    • Turns off system restore

      • regedit.exe (PID: 972)

    • Changes Image File Execution Options

      • regedit.exe (PID: 972)

  • SUSPICIOUS

    • Connects to unusual port

      • WScript.exe (PID: 2444)
      • javaw.exe (PID: 3620)
      • javaw.exe (PID: 2908)

    • Creates files in the user directory

      • javaw.exe (PID: 4024)
      • WScript.exe (PID: 2936)
      • WScript.exe (PID: 2444)
      • wscript.exe (PID: 2416)
      • javaw.exe (PID: 3468)
      • xcopy.exe (PID: 3532)

    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 3468)
      • java.exe (PID: 3140)
      • javaw.exe (PID: 2908)
      • java.exe (PID: 2176)

    • Application launched itself

      • wscript.exe (PID: 2416)
      • javaw.exe (PID: 4024)

    • Executes scripts

      • WScript.exe (PID: 2936)
      • cmd.exe (PID: 1528)
      • cmd.exe (PID: 3344)
      • cmd.exe (PID: 3704)
      • cmd.exe (PID: 3720)
      • cmd.exe (PID: 4008)
      • wscript.exe (PID: 2416)
      • javaw.exe (PID: 2996)
      • cmd.exe (PID: 3476)
      • cmd.exe (PID: 1076)
      • cmd.exe (PID: 2916)

    • Executes JAVA applets

      • WScript.exe (PID: 2936)
      • wscript.exe (PID: 2416)
      • javaw.exe (PID: 4024)
      • javaw.exe (PID: 3468)
      • explorer.exe (PID: 284)

    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 3532)

    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 3468)

    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 3468)

    • Starts itself from another location

      • javaw.exe (PID: 3468)

    • Uses TASKKILL.EXE to kill process

      • javaw.exe (PID: 2908)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:03:13 16:22:03
ZipCRC: 0x950e32e2
ZipCompressedSize: 1095625
ZipUncompressedSize: 1763368
ZipFileName: pxsyiitazy/resources/uibdetopiv
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
302
Monitored processes
145
Malicious processes
14
Suspicious processes
0

Behavior graph

Click at the process to see the details
start javaw.exe no specs wscript.exe wscript.exe wscript.exe javaw.exe schtasks.exe no specs javaw.exe javaw.exe no specs java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cmd.exe no specs cscript.exe no specs cscript.exe no specs cmd.exe no specs xcopy.exe cscript.exe no specs attrib.exe no specs reg.exe attrib.exe no specs javaw.exe java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs explorer.exe no specs cscript.exe no specs taskkill.exe no specs cmd.exe no specs regedit.exe no specs regedit.exe no specs taskkill.exe no specs regedit.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
252taskkill /IM fshoster32.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
256taskkill /IM nnf.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
284C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
312taskkill /IM CONSCTLX.EXE /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
360taskkill /IM AVKProxy.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
456cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2344291966852893198.vbsC:\Windows\system32\cscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
456taskkill /IM BullGuardBhvScanner.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\msisip.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\crypt32.dll
560taskkill /IM V3Main.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
584taskkill /IM V3Proxy.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
676taskkill /IM nanosvc.exe /T /FC:\Windows\system32\taskkill.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
Total events
2 630
Read events
2 383
Write events
247
Delete events
0

Modification events

(PID) Process:(2416) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2416) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2936) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2936) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2936) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:ntfsmgr
Value:
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ddmqonik.txt"
(PID) Process:(2444) WScript.exeKey:HKEY_CURRENT_USER
Operation:writeName:vjw0rm
Value:
FALSE
(PID) Process:(2444) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:0IDR124VF6
Value:
"C:\Users\admin\AppData\Roaming\IyFfaseYOW.js"
(PID) Process:(2444) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2444) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(4024) javaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Server
Value:
C:\Program Files\Java\jre1.8.0_92\bin\javaw -jar "C:\Users\admin\AppData\RoamingServer1674728148.jar"
Executable files
110
Suspicious files
12
Text files
82
Unknown types
15

Dropped files

PID
Process
Filename
Type
3468javaw.exeC:\Users\admin\AppData\Local\Temp\Retrive2594086255150999555.vbs
MD5:
SHA256:
3140java.exeC:\Users\admin\AppData\Local\Temp\Retrive487587211144863209.vbs
MD5:
SHA256:
2444WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IyFfaseYOW.jstext
MD5:
SHA256:
2996javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
2936WScript.exeC:\Users\admin\AppData\Roaming\IyFfaseYOW.jstext
MD5:
SHA256:
2936WScript.exeC:\Users\admin\AppData\Roaming\ddmqonik.txtcompressed
MD5:
SHA256:
4024javaw.exeC:\Users\admin\AppData\RoamingServer1674728148.jarcompressed
MD5:
SHA256:
2416wscript.exeC:\Users\admin\AppData\Roaming\nmfbsimf.txtjava
MD5:
SHA256:
3468javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
3140java.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
33
DNS requests
9
Threats
3

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2444
WScript.exe
41.217.25.9:7755
unknownsoft.hopto.org
Spectranet
NG
unknown
2908
javaw.exe
185.165.153.199:18
lexdeerex.duckdns.org
NL
malicious
3620
javaw.exe
41.217.25.9:7744
unknownsoft.hopto.org
Spectranet
NG
unknown

DNS requests

Domain
IP
Reputation
unknownsoft.hopto.org
  • 41.217.25.9
malicious
dns.msftncsi.com
  • 131.107.255.255
shared
lexdeerex.duckdns.org
  • 185.165.153.199
malicious

Threats

PID
Process
Class
Message
1052
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1052
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1052
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Quotation Request 140919,pdf,doc.jar