Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2023 10:36
Static task: static1
Behavioral task: behavioral1
- Sample: Payment 06-27.jar
- Resource: win7-20230621-en
Behavioral task: behavioral2
- Sample: Payment 06-27.jar
- Resource: win10v2004-20230621-en
General
- Target: Payment 06-27.jar
- Size: 70KB
- MD5: 0a257f1b297660ebf8f981550c5bfcfe
- SHA1: 7b65e7feb8dde2b10c2ba4978df6951cd2c40225
- SHA256: 10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
- SHA512: 789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130
- SSDEEP: 768:sfZEarPi5ZQ7IT1yhV9JO8BUIm5UljMSfUZ0vTHFjpnfGu6n5rbEaH33kH/:P0Iq77hVc5ojMPZYlj9GPn5d33e/
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: java.exe
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment 06-27.jar
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: java.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment 06-27 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment 06-27.jar\""
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment 06-27 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment 06-27.jar\""
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: java.exe, cmd.exe
  Entries (description, pid, Process, procid_target):
  - PID 1240 wrote to memory of 952, 1240, java.exe, 29 (reported 3 times)
  - PID 1240 wrote to memory of 1152, 1240, java.exe, 30 (reported 3 times)
  - PID 952 wrote to memory of 1144, 952, cmd.exe, 31 (reported 3 times)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\java.exe (PID 1240)
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\Payment 06-27.jar"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 952, child of 1240)
    Command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment 06-27.jar"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 1144, child of 952)
      Command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment 06-27.jar"
      - Creates scheduled task(s)
  - C:\Program Files\Java\jre7\bin\java.exe (PID 1152, child of 1240)
    Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Payment 06-27.jar"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 70KB
  MD5: 0a257f1b297660ebf8f981550c5bfcfe
  SHA1: 7b65e7feb8dde2b10c2ba4978df6951cd2c40225
  SHA256: 10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
  SHA512: 789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130
- Filesize: 70KB
  MD5, SHA1, SHA256, SHA512: identical to the entry above