Analysis
-
max time kernel
32s -
max time network
75s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2022 07:55
Static task
static1
Behavioral task
behavioral1
Sample
Payment Swift.jar
Resource
win7-20221111-en
General
-
Target
Payment Swift.jar
-
Size
631KB
-
MD5
a610242a0b3b54cab36a82c544194359
-
SHA1
757ad55aca925ae83146400d27468ef2ff1f6bc6
-
SHA256
ebb080655706287f25fa86d155d27265594051b40325fa72bb9bffc89f2ef6d9
-
SHA512
27cbca2372bef04f2f6d4ebbc7e4ff95dccf47fe9aa3fcd7864018ef0143c0a738e148a47da69d8f1320282479165818f082e81a8b75996b6a9cede9789d8a7d
-
SSDEEP
12288:X0vtjud9VUl9NeSMjTG7KGB6jB4S3PnGoDzKFT6Xss/Aq4DIup:X0ljy9VYeSsmKm6N4WnGo/mc/P48A
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
javaw.exejava.exepid process 4824 javaw.exe 2672 java.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
java.exewscript.exejavaw.exejava.execmd.execmd.exedescription pid process target process PID 384 wrote to memory of 4116 384 java.exe wscript.exe PID 384 wrote to memory of 4116 384 java.exe wscript.exe PID 4116 wrote to memory of 4824 4116 wscript.exe javaw.exe PID 4116 wrote to memory of 4824 4116 wscript.exe javaw.exe PID 4824 wrote to memory of 2672 4824 javaw.exe java.exe PID 4824 wrote to memory of 2672 4824 javaw.exe java.exe PID 4824 wrote to memory of 1704 4824 javaw.exe cmd.exe PID 4824 wrote to memory of 1704 4824 javaw.exe cmd.exe PID 2672 wrote to memory of 3604 2672 java.exe cmd.exe PID 2672 wrote to memory of 3604 2672 java.exe cmd.exe PID 1704 wrote to memory of 3672 1704 cmd.exe cscript.exe PID 1704 wrote to memory of 3672 1704 cmd.exe cscript.exe PID 3604 wrote to memory of 1056 3604 cmd.exe cscript.exe PID 3604 wrote to memory of 1056 3604 cmd.exe cscript.exe
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\Payment Swift.jar"1⤵
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SYSTEM32\wscript.exewscript C:\Users\Admin\jkmwpmerza.js2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\peujshis.txt"3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.8119525098995279246937475737384455.class4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7698398121170417783.vbs5⤵
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7698398121170417783.vbs6⤵PID:1056
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2166491320017838767.vbs5⤵PID:4836
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2166491320017838767.vbs6⤵PID:5088
-
C:\Windows\SYSTEM32\xcopy.exexcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e5⤵PID:4840
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive631272714350378216.vbs4⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive631272714350378216.vbs5⤵PID:3672
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7617585494597043651.vbs4⤵PID:4008
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7617585494597043651.vbs5⤵PID:4632
-
C:\Windows\SYSTEM32\xcopy.exexcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e4⤵PID:4232
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD5e5f5881c85ef9a65ae0be59780ea7528
SHA1ed759312b2823db7095e32359a62b68db2ba9ba7
SHA25631158d58dd1e64c7da782c58caac5977d560846bedc072bf693f456d55007084
SHA51278f5a6c672a326d469bc9d6eac7cb059ec9a868b286a47f597b00bfa8e7a74b832d22737fcf2e2fd2a949aa51c8fd5ce57e0bb12d83f088d2e4d49d542402ad0
-
Filesize
50B
MD596f2ebca8ffdc4ec99089fd349e593ba
SHA16f3c25c67af09f1dba25d944cc76bd88f5eb8d09
SHA256c5e087b5f64b98716a471cb082307e3debac301a4ab76ad924e782b3de609d9d
SHA512ba84a69474cabbdd5e78ca93d52ecd6048a739ab9c1ad7d6f317e079f107bfa77a7a8a17fd074fccb82aa3026239a5c5d3f4e75e4273594da061c06e569fb3b4
-
Filesize
281B
MD5a32c109297ed1ca155598cd295c26611
SHA1dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA25645bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA51270372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887
-
Filesize
276B
MD53bdfd33017806b85949b6faa7d4b98e4
SHA1f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA2569da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
-
Filesize
281B
MD5a32c109297ed1ca155598cd295c26611
SHA1dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA25645bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA51270372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887
-
Filesize
276B
MD53bdfd33017806b85949b6faa7d4b98e4
SHA1f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA2569da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
-
Filesize
241KB
MD5781fb531354d6f291f1ccab48da6d39f
SHA19ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA25697d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA5123e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\83aa4cc77f591dfc2374580bbd95f6ba_e32e1c79-b88e-4709-94fb-81034ca3398e
Filesize45B
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize
473KB
MD56737bfe4fcbd42c5c2523f9a2c1e2bd0
SHA12717a70cd27e1efa7a7cc133859c23165c690546
SHA256e7205e4ac04d9429510d0afa66acc703cf20fd608b19b8202e9a211dae6a4214
SHA51262a752a5a5af6dcc9643b29fe72a2f64704d4bf780ab0c80707c82691b6ed8ff762aaf353703402d40d0df0c0966fc5ce3377a17ceafc7a2c7c5eee7051a2209
-
Filesize
976KB
MD5475d259a768146b6794815b8dbcbbc76
SHA17dc0ecb338d4e0ab37921e72d70a87e7dc7e55b0
SHA2560315d00f0ba6540860aff75b9ef7564cd115c28281a5e2c4db8c3622f411448d
SHA512c8479be0eee6bcdcff336940e4b1eaf482d910ef3afca73432f8ac16c948178082f5a3417d5baaec61e7aac30c67c82f3b79770b34beb4eb3ccd164761d109c2