413a460fae724b972ab9c52aeab029552245555c7df5b79eb2a6529e1dd7a090

Analysis

max time kernel
145s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2023, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Salwyrr Launcher Installer.exe
Size

46KB
MD5

38633bfef3c1fe505a39a688b5c31828
SHA1

4e053e5ca9e8bfcf372b4331b18c36d637332bbc
SHA256

413a460fae724b972ab9c52aeab029552245555c7df5b79eb2a6529e1dd7a090
SHA512

812ebfa26ff63ade8ab4851230fe47c0ffb797b5a8c48d6ab7ad3293a4995c088bedb8ca7ad6c48a63b3c7f60cdf5b2b318b39dc232ef2096721aba7734ea8f7
SSDEEP

768:PE55gC6d1VepljbMBMxECL67qtjMGF9TtgmAtugTtyKr:svh6dTepljLEf44u4mMuAyKr

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
512	javaw.exe

Modifies Windows Firewall 1 TTPs 12 IoCs

evasion

Modify Existing Service

T1031

pid	Process
808	netsh.exe
2156	netsh.exe
4048	netsh.exe
3460	netsh.exe
1124	netsh.exe
4012	netsh.exe
3856	netsh.exe
1100	netsh.exe
2588	netsh.exe
4844	netsh.exe
4352	netsh.exe
3468	netsh.exe

Loads dropped DLL 6 IoCs

pid	Process
512	javaw.exe
512	javaw.exe
512	javaw.exe
512	javaw.exe
512	javaw.exe
512	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	Salwyrr Launcher Installer.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 808	5040	Salwyrr Launcher Installer.exe	85
PID 5040 wrote to memory of 808	5040	Salwyrr Launcher Installer.exe	85
PID 5040 wrote to memory of 808	5040	Salwyrr Launcher Installer.exe	85
PID 5040 wrote to memory of 2156	5040	Salwyrr Launcher Installer.exe	87
PID 5040 wrote to memory of 2156	5040	Salwyrr Launcher Installer.exe	87
PID 5040 wrote to memory of 2156	5040	Salwyrr Launcher Installer.exe	87
PID 5040 wrote to memory of 4048	5040	Salwyrr Launcher Installer.exe	89
PID 5040 wrote to memory of 4048	5040	Salwyrr Launcher Installer.exe	89
PID 5040 wrote to memory of 4048	5040	Salwyrr Launcher Installer.exe	89
PID 5040 wrote to memory of 1100	5040	Salwyrr Launcher Installer.exe	91
PID 5040 wrote to memory of 1100	5040	Salwyrr Launcher Installer.exe	91
PID 5040 wrote to memory of 1100	5040	Salwyrr Launcher Installer.exe	91
PID 5040 wrote to memory of 2588	5040	Salwyrr Launcher Installer.exe	93
PID 5040 wrote to memory of 2588	5040	Salwyrr Launcher Installer.exe	93
PID 5040 wrote to memory of 2588	5040	Salwyrr Launcher Installer.exe	93
PID 5040 wrote to memory of 3460	5040	Salwyrr Launcher Installer.exe	95
PID 5040 wrote to memory of 3460	5040	Salwyrr Launcher Installer.exe	95
PID 5040 wrote to memory of 3460	5040	Salwyrr Launcher Installer.exe	95
PID 5040 wrote to memory of 1124	5040	Salwyrr Launcher Installer.exe	97
PID 5040 wrote to memory of 1124	5040	Salwyrr Launcher Installer.exe	97
PID 5040 wrote to memory of 1124	5040	Salwyrr Launcher Installer.exe	97
PID 5040 wrote to memory of 4844	5040	Salwyrr Launcher Installer.exe	99
PID 5040 wrote to memory of 4844	5040	Salwyrr Launcher Installer.exe	99
PID 5040 wrote to memory of 4844	5040	Salwyrr Launcher Installer.exe	99
PID 5040 wrote to memory of 4012	5040	Salwyrr Launcher Installer.exe	101
PID 5040 wrote to memory of 4012	5040	Salwyrr Launcher Installer.exe	101
PID 5040 wrote to memory of 4012	5040	Salwyrr Launcher Installer.exe	101
PID 5040 wrote to memory of 3856	5040	Salwyrr Launcher Installer.exe	103
PID 5040 wrote to memory of 3856	5040	Salwyrr Launcher Installer.exe	103
PID 5040 wrote to memory of 3856	5040	Salwyrr Launcher Installer.exe	103
PID 5040 wrote to memory of 4352	5040	Salwyrr Launcher Installer.exe	105
PID 5040 wrote to memory of 4352	5040	Salwyrr Launcher Installer.exe	105
PID 5040 wrote to memory of 4352	5040	Salwyrr Launcher Installer.exe	105
PID 5040 wrote to memory of 3468	5040	Salwyrr Launcher Installer.exe	107
PID 5040 wrote to memory of 3468	5040	Salwyrr Launcher Installer.exe	107
PID 5040 wrote to memory of 3468	5040	Salwyrr Launcher Installer.exe	107
PID 5040 wrote to memory of 512	5040	Salwyrr Launcher Installer.exe	117
PID 5040 wrote to memory of 512	5040	Salwyrr Launcher Installer.exe	117

C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Salwyrr Launcher Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 1a"
  2⤵
  - Modifies Windows Firewall
  PID:808
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 1a" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe"
  2⤵
  - Modifies Windows Firewall
  PID:2156
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 2a"
  2⤵
  - Modifies Windows Firewall
  PID:4048
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 2a" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\jre\bin\javaw.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1100
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 3a"
  2⤵
  - Modifies Windows Firewall
  PID:2588
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 3a" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\java-runtime-alpha\bin\javaw.exe"
  2⤵
  - Modifies Windows Firewall
  PID:3460
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 1b"
  2⤵
  - Modifies Windows Firewall
  PID:1124
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 1b" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.exe"
  2⤵
  - Modifies Windows Firewall
  PID:4844
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 2b"
  2⤵
  - Modifies Windows Firewall
  PID:4012
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 2b" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\jre\bin\java.exe"
  2⤵
  - Modifies Windows Firewall
  PID:3856
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name="Salwyrr Client Java 3b"
  2⤵
  - Modifies Windows Firewall
  PID:4352
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="Salwyrr Client Java 3b" dir=in action=allow protocol=any localip=any remoteip=any program="C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\java-runtime-alpha\bin\java.exe"
  2⤵
  - Modifies Windows Firewall
  PID:3468
- C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe
  "C:\Users\Admin\AppData\Roaming\.Salwyrr/launcher/bootstrap/jre/bin/javaw.exe" -Xmx1G -jar "launcher/bootstrap/updater.jar"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\java.dll

Filesize
160KB

MD5
0c4673c6d3fbb7b62b9d83b41893ee23

SHA1
516a489686d0fab9f3223414969b347df79b3b64

SHA256
8163acdbca856f15f8cb3d532cf79d906d94b4d58250911b0600fbed8b17fefa

SHA512
0278fe0487a04d12f2c3745305506812e4d8e28c3a2d90f060e417a43129437a28809a081e371978a01499cd932497ef7e1f0c6c9675acb541ea2c5225fe32ba

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\javaw.exe

Filesize
223KB

MD5
68f55ca782ebe9bb2f932e3a3d6ffd8a

SHA1
0f13e8e11ce24123bacf23a8b116bc777a0ac072

SHA256
6e6517ee65b753af161608be59bafc72ba3f670e4c48a8eb7e30170b0f0ef80b

SHA512
f6cc93e8b6f9f9ca72c870f2a1711c41bcba8d7ec7cd5d1003fb96e77f7700b1627738ed83493b863424edaba6e3821818b7977252edad3481bb4404c184c76d

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\msvcp120.dll

Filesize
645KB

MD5
4e38c42ff10a1689cf277eadc895d374

SHA1
6e4934c413ff2943ab535c2f7590fda1f4ecf1c2

SHA256
bdd61f3ec686965716c4c6048aa4ef46088739c63d6f314f37f691ef13fd22c3

SHA512
b7e309e3c69a678793465af1c3041bd66adb88cc8c03362bf4b3941881d9f19905ede7fbb8e2fbc2ce0c05495aeef9af99ae17364f37661d0c635310c1b805bb

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\msvcp120.dll

Filesize
645KB

MD5
4e38c42ff10a1689cf277eadc895d374

SHA1
6e4934c413ff2943ab535c2f7590fda1f4ecf1c2

SHA256
bdd61f3ec686965716c4c6048aa4ef46088739c63d6f314f37f691ef13fd22c3

SHA512
b7e309e3c69a678793465af1c3041bd66adb88cc8c03362bf4b3941881d9f19905ede7fbb8e2fbc2ce0c05495aeef9af99ae17364f37661d0c635310c1b805bb

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\msvcr120.dll

Filesize
944KB

MD5
e9c471b35f7cb4eeccfd7bea873262ac

SHA1
5cd7885b5e81ac9d2fed4015b1080799ead0d384

SHA256
69968e25a8f5554e7b09423a6da659ad6175a2c62725b0ae42a70c99f424cc69

SHA512
1a7351cf3f205f804eb796b57cbcce49b4bcd8c0edc9c62af130df0d3f8b61d56663b51bf1caccce8ea1862dcc1b61d85dda36ab9fd2b6eb42d7d4d550eca2ca

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\msvcr120.dll

Filesize
944KB

MD5
e9c471b35f7cb4eeccfd7bea873262ac

SHA1
5cd7885b5e81ac9d2fed4015b1080799ead0d384

SHA256
69968e25a8f5554e7b09423a6da659ad6175a2c62725b0ae42a70c99f424cc69

SHA512
1a7351cf3f205f804eb796b57cbcce49b4bcd8c0edc9c62af130df0d3f8b61d56663b51bf1caccce8ea1862dcc1b61d85dda36ab9fd2b6eb42d7d4d550eca2ca

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\server\jvm.dll

Filesize
8.4MB

MD5
62fffae8a5d1fc7cf105ae5cf0073ca5

SHA1
bf4fcddf4551a36a211670581897beeeda898f9b

SHA256
1689d8a76fd30487f63a1227a2a47d4f017a8eca0045eb4b04d06a876155e4bf

SHA512
737324142c2c0d53bd7ac4f09552241c770f58051189397b59996688a2751396209df9d8c5f442a60858728b7e31a5885c011d74733f86301b3f52573bec0d86

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\server\jvm.dll

Filesize
8.4MB

MD5
62fffae8a5d1fc7cf105ae5cf0073ca5

SHA1
bf4fcddf4551a36a211670581897beeeda898f9b

SHA256
1689d8a76fd30487f63a1227a2a47d4f017a8eca0045eb4b04d06a876155e4bf

SHA512
737324142c2c0d53bd7ac4f09552241c770f58051189397b59996688a2751396209df9d8c5f442a60858728b7e31a5885c011d74733f86301b3f52573bec0d86

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\verify.dll

Filesize
54KB

MD5
e550fce5ee668230ae0b71bf702fde82

SHA1
8efbe790a626d70ec59f28ba907eabd9f13e7932

SHA256
96cbf775c060744cf158d811b0f45c4abfa9a89d7ff9920ab1bbe05c283e8224

SHA512
7a5a1270391a096a81c868e8c1cd9fe2cbb0dfea53c388c636c7e5c4012b13ebc7eee1b54b563b6def263874784b57c5b131757b393a1e5831958e3f18313106

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\verify.dll

Filesize
54KB

MD5
e550fce5ee668230ae0b71bf702fde82

SHA1
8efbe790a626d70ec59f28ba907eabd9f13e7932

SHA256
96cbf775c060744cf158d811b0f45c4abfa9a89d7ff9920ab1bbe05c283e8224

SHA512
7a5a1270391a096a81c868e8c1cd9fe2cbb0dfea53c388c636c7e5c4012b13ebc7eee1b54b563b6def263874784b57c5b131757b393a1e5831958e3f18313106

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\zip.dll

Filesize
84KB

MD5
14eab665f7878d3de543e381cd6b1c59

SHA1
b8495257225ca855a38edb88111b6a5a6c457e03

SHA256
1ede94dd6c5521fbd22796ce171164c2712604eacaca0179112f5f0b93959c20

SHA512
9058133e890678246bf9249dbfdf7020e3ba069e4c4e0b368e4e2fd06606ce975e6011d3370a95b7ec3527885b53d37fc87b405e7714a77352ea32e6f7a91a2f

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\bin\zip.dll

Filesize
84KB

MD5
14eab665f7878d3de543e381cd6b1c59

SHA1
b8495257225ca855a38edb88111b6a5a6c457e03

SHA256
1ede94dd6c5521fbd22796ce171164c2712604eacaca0179112f5f0b93959c20

SHA512
9058133e890678246bf9249dbfdf7020e3ba069e4c4e0b368e4e2fd06606ce975e6011d3370a95b7ec3527885b53d37fc87b405e7714a77352ea32e6f7a91a2f

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\lib\amd64\jvm.cfg

Filesize
1KB

MD5
c60e77ff5f3887c743971e73e6f0e0b1

SHA1
9b0cfd38ec5b7bd5bd1c364dee2e1b452a063c02

SHA256
23f728cc2bf14e62d454190ea0139f159031b5bd9c3f141ca9237c4c5c96ec1d

SHA512
07aca3de1a03a3b64b691fd41e35e6596760baf24c4f24e86fca87d2acf3a4814b17cd9751adc2dcd0689848f3d582fb3ee01d413e3a61d1d98397d72fe545e9

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\lib\meta-index

Filesize
1KB

MD5
83964354d8e8e69dfc1001f01682bd70

SHA1
1f2012a464683ccc1c284d51b20778811641b2ee

SHA256
dff270e76bd7d851cbcf79702aebd71122c3a9e93836ae4e9f650234a754b5c3

SHA512
4be6e0c8ed2bd2f59286bbfa5041676f352e32731e070d7c26511e1e570bd8d6940ff2cc59b0e1656c9c8b3f86186a34709dbf19c303d80840307dacc39d9956

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\jre\lib\rt.jar

Filesize
8.5MB

MD5
b36e68e9560bb7b4e4c3e2a0284c880d

SHA1
b8b2e4d5b93166fb80edef4d7dd8b0a1bcc8d73d

SHA256
a0942e0c4d654effbb3951b547e4b88338192676b5c3bee91637948cff1cbc84

SHA512
83bdea36db6cfe48fe2e401e16996861ab3aa786d888ad53f7f2840e14e6cd9be509cfb92ce1ad75f3dc7097806a20b2eb477a95fd57e7918158cb7a655a9f9c

Download Submit
C:\Users\Admin\AppData\Roaming\.Salwyrr\launcher\bootstrap\updater.jar

Filesize
807KB

MD5
a616e898ea735980492f41da00f88f39

SHA1
6de46eb8ddc768bb6652d45fe59904371e153c5d

SHA256
f018c09f5f093f5aa02fe54efb36d2c79382da298bdd16731f22a51ad69bf240

SHA512
130337c5738e9cee84dff629c5d4a34f9b2bbf587e7b0eaa518075a76a8086854e7604c9ae23455eca239fbbf36c3c1472b477d306a347a1dba9b1c63c61ee3d

Download Submit
memory/5040-132-0x0000000000D50000-0x0000000000D5E000-memory.dmp

Filesize
56KB

Download
memory/5040-147-0x00000000061F0000-0x00000000061FA000-memory.dmp

Filesize
40KB

Download
memory/5040-148-0x0000000006A80000-0x0000000006A92000-memory.dmp

Filesize
72KB

Download
memory/5040-150-0x0000000006DF0000-0x0000000006E0E000-memory.dmp

Filesize
120KB

Download
memory/5040-149-0x0000000006D40000-0x0000000006DB6000-memory.dmp

Filesize
472KB

Download
memory/5040-134-0x000000000CBC0000-0x000000000CBCE000-memory.dmp

Filesize
56KB

Download
memory/5040-133-0x000000000CBE0000-0x000000000CC18000-memory.dmp

Filesize
224KB

Download