Analysis
- max time kernel: 58s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 16-12-2022 07:55

Static task: static1
Behavioral task: behavioral1
- Sample: Payment Swift.jar
- Resource: win7-20221111-en
General
- Target: Payment Swift.jar
- Size: 631KB
- MD5: a610242a0b3b54cab36a82c544194359
- SHA1: 757ad55aca925ae83146400d27468ef2ff1f6bc6
- SHA256: ebb080655706287f25fa86d155d27265594051b40325fa72bb9bffc89f2ef6d9
- SHA512: 27cbca2372bef04f2f6d4ebbc7e4ff95dccf47fe9aa3fcd7864018ef0143c0a738e148a47da69d8f1320282479165818f082e81a8b75996b6a9cede9789d8a7d
- SSDEEP: 12288:X0vtjud9VUl9NeSMjTG7KGB6jB4S3PnGoDzKFT6Xss/Aq4DIup:X0ljy9VYeSsmKm6N4WnGo/mc/P48A
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1072 javaw.exe
- Loads dropped DLL (5 IoCs)
  Processes: PID 1400 javaw.exe (3 loads); PID 888 (2 loads; image name not captured in the report)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: reg.exe
  Key created: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\lMpweJSGDjr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JVlpBjOuqsQ\\.jar.Bttolj\""
- Drops file in System32 directory (1 IoC)
  Process: javaw.exe
  File created: C:\Windows\System32\test.txt
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description of the signature; no file encryption or mass file modification is recorded anywhere else in this report.)
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: PID 1400 javaw.exe; PID 1532 java.exe
- Suspicious use of WriteProcessMemory (54 IoCs)
  Processes involved: java.exe, wscript.exe, javaw.exe, cmd.exe, cmd.exe, java.exe, cmd.exe, cmd.exe
  Each parent/child pair below is logged three times in the report (18 pairs, 54 records):
  PID 2044 java.exe -> PID 320 wscript.exe
  PID 320 wscript.exe -> PID 1400 javaw.exe
  PID 1400 javaw.exe -> PID 1532 java.exe
  PID 1400 javaw.exe -> PID 1360 cmd.exe
  PID 1360 cmd.exe -> PID 1156 cscript.exe
  PID 1400 javaw.exe -> PID 1980 cmd.exe
  PID 1980 cmd.exe -> PID 2028 cscript.exe
  PID 1532 java.exe -> PID 1592 cmd.exe
  PID 1592 cmd.exe -> PID 1756 cscript.exe
  PID 1532 java.exe -> PID 268 cmd.exe
  PID 1400 javaw.exe -> PID 584 xcopy.exe
  PID 268 cmd.exe -> PID 1112 cscript.exe
  PID 1532 java.exe -> PID 852 xcopy.exe
  PID 1400 javaw.exe -> PID 1860 cmd.exe
  PID 1400 javaw.exe -> PID 1312 reg.exe
  PID 1400 javaw.exe -> PID 1524 attrib.exe
  PID 1400 javaw.exe -> PID 1920 attrib.exe
  PID 1400 javaw.exe -> PID 1072 javaw.exe
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: PID 1524 attrib.exe; PID 1920 attrib.exe
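The Run key written by reg.exe above is the persistence this report records: a copy of the JRE under AppData\Roaming\Oracle launches a payload whose name does not end in .jar from a directory that attrib.exe later hides. The script below is an added example, not part of the sandbox report or its tooling: it tokenizes a Run-key command line, expands %VAR% references the way a REG_EXPAND_SZ value would be expanded at logon, and flags those traits. The sample values are constructed from the reg add command in the report, the benign control value and the environment map are made up for the example, and the function and rule names are mine; the checks are heuristics, not the sandbox's own signatures.

```python
"""Triage a Run-key value for the persistence traits seen in this report.
Added example (not from the sandbox); sample values are constructed."""
import ntpath
import re

PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed from the report's reg add command, as the value is stored (quotes unescaped).
REPORT_VALUE = r'"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\Admin\JVlpBjOuqsQ\.jar.Bttolj"'
# Constructed benign control: a vendor-installed JRE launching a JAR from Program Files.
BENIGN_VALUE = r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Program Files\Example\app.jar"'
# Constructed REG_EXPAND_SZ form of the same persistence and the environment it expands in.
EXPAND_VALUE = r'%APPDATA%\Oracle\bin\javaw.exe -jar %USERPROFILE%\JVlpBjOuqsQ\.jar.Bttolj'
SAMPLE_ENV = {"APPDATA": r"C:\Users\Admin\AppData\Roaming", "USERPROFILE": r"C:\Users\Admin"}


def split_cmdline(cmd):
    """Tokenize a Windows command line, keeping double-quoted paths as one token."""
    return [t[1:-1] if t.startswith('"') else t for t in re.findall(r'"[^"]*"|\S+', cmd)]


def expand_env(value, env):
    """Expand %VAR% references; unknown variables are left untouched, as Windows does."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def jar_target(tokens):
    """Return the argument following -jar, or None if this is not a JAR launch."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-jar":
            return tokens[i + 1]
    return None


def assess_run_value(value, env=None):
    """Return the list of heuristic flags raised by one Run-key command line."""
    tokens = split_cmdline(expand_env(value, env or {}))
    exe = tokens[0].lower()
    flags = []
    # A JRE living outside Program Files is the xcopy'd copy the report shows.
    if ntpath.basename(exe) in ("java.exe", "javaw.exe") and not exe.startswith(PROGRAM_DIRS):
        flags.append("java_runtime_outside_program_files")
    jar = jar_target(tokens)
    if jar is not None:
        jar = jar.lower()
        if not jar.startswith(PROGRAM_DIRS):
            flags.append("jar_in_user_writable_path")
        if not jar.endswith(".jar"):
            flags.append("jar_name_not_dot_jar")
    return flags


if __name__ == "__main__":
    for label, value, env in (("report", REPORT_VALUE, None),
                              ("benign", BENIGN_VALUE, None),
                              ("expand", EXPAND_VALUE, SAMPLE_ENV)):
        print(f"{label:>7}: {assess_run_value(value, env) or 'no flags'}")
```

Feed it the output of a Run-key enumeration (for example `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`) one value at a time; the three flags together match the entry this report records, while the benign control raises none.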
Processes
C:\Windows\system32\java.exe (PID 2044)
  java -jar "C:\Users\Admin\AppData\Local\Temp\Payment Swift.jar"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wscript.exe (PID 320)
    wscript C:\Users\Admin\jkmwpmerza.js
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Java\jre7\bin\javaw.exe (PID 1400)
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\owecdeoqqd.txt"
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Java\jre7\bin\java.exe (PID 1532)
        "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.74671067809216818695675441026346267.class
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe (PID 1592)
          cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4094559531361707748.vbs
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\cscript.exe (PID 1756)
            cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4094559531361707748.vbs
        C:\Windows\system32\cmd.exe (PID 268)
          cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4127116403960697975.vbs
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\cscript.exe (PID 1112)
            cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4127116403960697975.vbs
        C:\Windows\system32\xcopy.exe (PID 852)
          xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      C:\Windows\system32\cmd.exe (PID 1360)
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5355799146908432959.vbs
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cscript.exe (PID 1156)
          cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5355799146908432959.vbs
      C:\Windows\system32\cmd.exe (PID 1980)
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3993667689917920958.vbs
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cscript.exe (PID 2028)
          cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3993667689917920958.vbs
      C:\Windows\system32\xcopy.exe (PID 584)
        xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      C:\Windows\system32\cmd.exe (PID 1860)
        cmd.exe
      C:\Windows\system32\reg.exe (PID 1312)
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v lMpweJSGDjr /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\JVlpBjOuqsQ\.jar.Bttolj\"" /f
        - Adds Run key to start application
        - Modifies registry key
      C:\Windows\system32\attrib.exe (PID 1524)
        attrib +h "C:\Users\Admin\JVlpBjOuqsQ\*.*"
        - Views/modifies file attributes
      C:\Windows\system32\attrib.exe (PID 1920)
        attrib +h "C:\Users\Admin\JVlpBjOuqsQ"
        - Views/modifies file attributes
      C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe (PID 1072)
        C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\JVlpBjOuqsQ\.jar.Bttolj
        - Executes dropped EXE
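The tree above is the detection-relevant artefact of this report: the submitted JAR runs a .js through wscript.exe, which relaunches the JRE, which in turn drives cscript.exe, xcopy.exe, reg.exe and attrib.exe and finally starts the copied javaw.exe from AppData. The script below is an added example, not part of the sandbox report: it rebuilds the parent/child tree from "PID X wrote to memory of Y" records and applies chain rules that fire on exactly those relationships. RECORDS is a subset of the report's WriteProcessMemory section, constructed here with the sandbox's repeated lines kept so the deduplication is exercised; the rule names and function names are mine.

```python
"""Rebuild the process tree from sandbox WriteProcessMemory records and flag
the launch chains seen in this report. Added example; RECORDS is constructed
from a subset of the report's records, repeats included."""
import re

RECORDS = """
PID 2044 wrote to memory of 320 2044 java.exe wscript.exe
PID 2044 wrote to memory of 320 2044 java.exe wscript.exe
PID 320 wrote to memory of 1400 320 wscript.exe javaw.exe
PID 1400 wrote to memory of 1532 1400 javaw.exe java.exe
PID 1400 wrote to memory of 1360 1400 javaw.exe cmd.exe
PID 1360 wrote to memory of 1156 1360 cmd.exe cscript.exe
PID 1532 wrote to memory of 852 1532 java.exe xcopy.exe
PID 1400 wrote to memory of 584 1400 javaw.exe xcopy.exe
PID 1400 wrote to memory of 1312 1400 javaw.exe reg.exe
PID 1400 wrote to memory of 1524 1400 javaw.exe attrib.exe
PID 1400 wrote to memory of 1072 1400 javaw.exe javaw.exe
"""

# Record layout: "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
JAVA_HOSTS = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}


def parse_records(text):
    """Return (parents, images): child pid -> parent pid, and pid -> image name."""
    parents, images = {}, {}
    for m in RECORD.finditer(text):
        ppid, cpid, pimg, cimg = m.groups()
        parents[int(cpid)] = int(ppid)  # the sandbox's repeated records collapse here
        images[int(ppid)] = pimg.lower()
        images[int(cpid)] = cimg.lower()
    return parents, images


def ancestors(parents, images, pid):
    """Image names of pid's ancestors, nearest parent first, up to the root."""
    chain = []
    while pid in parents:
        pid = parents[pid]
        chain.append(images[pid])
    return chain


def detect(parents, images):
    """Apply the chain rules to every process; returns a set of (pid, rule)."""
    findings = set()
    for pid, image in images.items():
        chain = ancestors(parents, images, pid)
        if not chain:
            continue  # root process: nothing to compare against
        # A JVM directly starting a script host (the java -> wscript and javaw -> cmd hops).
        if chain[0] in JAVA_HOSTS and image in SCRIPT_HOSTS:
            findings.add((pid, "java_spawns_script_host"))
        # xcopy anywhere under a JVM: the JRE being copied into AppData\Roaming\Oracle.
        if image == "xcopy.exe" and any(a in JAVA_HOSTS for a in chain):
            findings.add((pid, "copy_from_java_process"))
        # reg.exe anywhere under a JVM: the Run-key write.
        if image == "reg.exe" and any(a in JAVA_HOSTS for a in chain):
            findings.add((pid, "registry_write_from_java_process"))
        # A JVM whose ancestry passes through wscript.exe: the relaunch via the dropped .js.
        if image in JAVA_HOSTS and "wscript.exe" in chain:
            findings.add((pid, "java_relaunched_via_script_host"))
    return findings


def triage(text=RECORDS):
    """Parse the records and return the findings for them."""
    parents, images = parse_records(text)
    return detect(parents, images)


if __name__ == "__main__":
    for pid, rule in sorted(triage()):
        print(f"PID {pid:>5}  {rule}")
```

The same rules translate directly to process-creation telemetry (Sysmon event 1 or EDR parent/child fields): the key is walking the full ancestry rather than only the immediate parent, since the xcopy and reg.exe children here sit two or three hops below the JAR that was submitted.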
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 281B (listed twice in the report)
  MD5: a32c109297ed1ca155598cd295c26611
  SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
  SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
  SHA512: 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887
- Filesize: 276B (listed twice in the report)
  MD5: 3bdfd33017806b85949b6faa7d4b98e4
  SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
  SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
  SHA512: ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
- Filesize: 241KB
  MD5: 781fb531354d6f291f1ccab48da6d39f
  SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
  SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
  SHA512: 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3385717845-2518323428-350143044-1000\83aa4cc77f591dfc2374580bbd95f6ba_dae2938e-27ce-4a80-bf74-6da89b87415b
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
- Filesize: 148KB (listed five times in the report)
  MD5: ae42860afe3a2843efa9849263bd0c21
  SHA1: 1df534b0ee936b8d5446490dc48f326f64547ff6
  SHA256: f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
  SHA512: c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9
- Filesize: 185KB (listed twice in the report)
  MD5: 846245142683adc04baf77c6e29063db
  SHA1: 6a1b06baf85419b7345520d78ee416ce06747473
  SHA256: c860377e71c0bae6821f9083123f55974a549e2c57ff50cec572d18ed06f2d6c
  SHA512: e0a7c9d9da3d062245718bb54553170857f647798308e4e28e5b5fbf3ac2a0496cf55bfc7a7663810113cf71807923bb365b27652a12c106e1908a89ec12cbaa
- Filesize: 473KB (listed twice in the report)
  MD5: 6737bfe4fcbd42c5c2523f9a2c1e2bd0
  SHA1: 2717a70cd27e1efa7a7cc133859c23165c690546
  SHA256: e7205e4ac04d9429510d0afa66acc703cf20fd608b19b8202e9a211dae6a4214
  SHA512: 62a752a5a5af6dcc9643b29fe72a2f64704d4bf780ab0c80707c82691b6ed8ff762aaf353703402d40d0df0c0966fc5ce3377a17ceafc7a2c7c5eee7051a2209
- Filesize: 47B
  MD5: 6dd9aa31079ea260e1c37a62f4d7c00d
  SHA1: f96fbe41a6e7029226fb38ebef0ef95bfad5e8bb
  SHA256: 7b8669c4ab91d2fec2232346414437f9d0368fd2741b5ea4ef9480d1ded194c4
  SHA512: 5f510cec58c572839f6cb20e13890e8de29ddc88ce111f02e6c836e014745745cdf61f6d4f94078170dd7f8f2faf0e6a90fcd12f7234ec188e72ded1c920ca8a
- Filesize: 976KB
  MD5: 475d259a768146b6794815b8dbcbbc76
  SHA1: 7dc0ecb338d4e0ab37921e72d70a87e7dc7e55b0
  SHA256: 0315d00f0ba6540860aff75b9ef7564cd115c28281a5e2c4db8c3622f411448d
  SHA512: c8479be0eee6bcdcff336940e4b1eaf482d910ef3afca73432f8ac16c948178082f5a3417d5baaec61e7aac30c67c82f3b79770b34beb4eb3ccd164761d109c2