Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2023 10:36
Static task
static1
Behavioral task
behavioral1
Sample
Payment 06-27.jar
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
Payment 06-27.jar
Resource
win10v2004-20230621-en
General
-
Target
Payment 06-27.jar
-
Size
70KB
-
MD5
0a257f1b297660ebf8f981550c5bfcfe
-
SHA1
7b65e7feb8dde2b10c2ba4978df6951cd2c40225
-
SHA256
10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
-
SHA512
789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130
-
SSDEEP
768:sfZEarPi5ZQ7IT1yhV9JO8BUIm5UljMSfUZ0vTHFjpnfGu6n5rbEaH33kH/:P0Iq77hVc5ojMPZYlj9GPn5d33e/
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
java.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment 06-27.jar java.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
java.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment 06-27 = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment 06-27.jar\"" java.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment 06-27 = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment 06-27.jar\"" java.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 ip-api.com -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
WMIC.exeWMIC.exedescription pid Process Token: SeIncreaseQuotaPrivilege 2788 WMIC.exe Token: SeSecurityPrivilege 2788 WMIC.exe Token: SeTakeOwnershipPrivilege 2788 WMIC.exe Token: SeLoadDriverPrivilege 2788 WMIC.exe Token: SeSystemProfilePrivilege 2788 WMIC.exe Token: SeSystemtimePrivilege 2788 WMIC.exe Token: SeProfSingleProcessPrivilege 2788 WMIC.exe Token: SeIncBasePriorityPrivilege 2788 WMIC.exe Token: SeCreatePagefilePrivilege 2788 WMIC.exe Token: SeBackupPrivilege 2788 WMIC.exe Token: SeRestorePrivilege 2788 WMIC.exe Token: SeShutdownPrivilege 2788 WMIC.exe Token: SeDebugPrivilege 2788 WMIC.exe Token: SeSystemEnvironmentPrivilege 2788 WMIC.exe Token: SeRemoteShutdownPrivilege 2788 WMIC.exe Token: SeUndockPrivilege 2788 WMIC.exe Token: SeManageVolumePrivilege 2788 WMIC.exe Token: 33 2788 WMIC.exe Token: 34 2788 WMIC.exe Token: 35 2788 WMIC.exe Token: 36 2788 WMIC.exe Token: SeIncreaseQuotaPrivilege 2788 WMIC.exe Token: SeSecurityPrivilege 2788 WMIC.exe Token: SeTakeOwnershipPrivilege 2788 WMIC.exe Token: SeLoadDriverPrivilege 2788 WMIC.exe Token: SeSystemProfilePrivilege 2788 WMIC.exe Token: SeSystemtimePrivilege 2788 WMIC.exe Token: SeProfSingleProcessPrivilege 2788 WMIC.exe Token: SeIncBasePriorityPrivilege 2788 WMIC.exe Token: SeCreatePagefilePrivilege 2788 WMIC.exe Token: SeBackupPrivilege 2788 WMIC.exe Token: SeRestorePrivilege 2788 WMIC.exe Token: SeShutdownPrivilege 2788 WMIC.exe Token: SeDebugPrivilege 2788 WMIC.exe Token: SeSystemEnvironmentPrivilege 2788 WMIC.exe Token: SeRemoteShutdownPrivilege 2788 WMIC.exe Token: SeUndockPrivilege 2788 WMIC.exe Token: SeManageVolumePrivilege 2788 WMIC.exe Token: 33 2788 WMIC.exe Token: 34 2788 WMIC.exe Token: 35 2788 WMIC.exe Token: 36 2788 WMIC.exe Token: SeIncreaseQuotaPrivilege 1888 WMIC.exe Token: SeSecurityPrivilege 1888 WMIC.exe Token: SeTakeOwnershipPrivilege 1888 WMIC.exe Token: SeLoadDriverPrivilege 1888 WMIC.exe Token: SeSystemProfilePrivilege 1888 WMIC.exe Token: SeSystemtimePrivilege 1888 WMIC.exe Token: SeProfSingleProcessPrivilege 1888 WMIC.exe Token: SeIncBasePriorityPrivilege 1888 WMIC.exe Token: SeCreatePagefilePrivilege 1888 WMIC.exe Token: SeBackupPrivilege 1888 WMIC.exe Token: SeRestorePrivilege 1888 WMIC.exe Token: SeShutdownPrivilege 1888 WMIC.exe Token: SeDebugPrivilege 1888 WMIC.exe Token: SeSystemEnvironmentPrivilege 1888 WMIC.exe Token: SeRemoteShutdownPrivilege 1888 WMIC.exe Token: SeUndockPrivilege 1888 WMIC.exe Token: SeManageVolumePrivilege 1888 WMIC.exe Token: 33 1888 WMIC.exe Token: 34 1888 WMIC.exe Token: 35 1888 WMIC.exe Token: 36 1888 WMIC.exe Token: SeIncreaseQuotaPrivilege 1888 WMIC.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
java.execmd.exejava.execmd.execmd.execmd.execmd.exedescription pid Process procid_target PID 396 wrote to memory of 1756 396 java.exe 85 PID 396 wrote to memory of 1756 396 java.exe 85 PID 396 wrote to memory of 2948 396 java.exe 87 PID 396 wrote to memory of 2948 396 java.exe 87 PID 1756 wrote to memory of 232 1756 cmd.exe 89 PID 1756 wrote to memory of 232 1756 cmd.exe 89 PID 2948 wrote to memory of 5012 2948 java.exe 90 PID 2948 wrote to memory of 5012 2948 java.exe 90 PID 5012 wrote to memory of 2788 5012 cmd.exe 92 PID 5012 wrote to memory of 2788 5012 cmd.exe 92 PID 2948 wrote to memory of 784 2948 java.exe 93 PID 2948 wrote to memory of 784 2948 java.exe 93 PID 784 wrote to memory of 1888 784 cmd.exe 95 PID 784 wrote to memory of 1888 784 cmd.exe 95 PID 2948 wrote to memory of 4504 2948 java.exe 96 PID 2948 wrote to memory of 4504 2948 java.exe 96 PID 4504 wrote to memory of 3136 4504 cmd.exe 98 PID 4504 wrote to memory of 3136 4504 cmd.exe 98 PID 2948 wrote to memory of 4228 2948 java.exe 99 PID 2948 wrote to memory of 4228 2948 java.exe 99 PID 4228 wrote to memory of 2456 4228 cmd.exe 101 PID 4228 wrote to memory of 2456 4228 cmd.exe 101 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\Payment 06-27.jar"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SYSTEM32\cmd.execmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment 06-27.jar"2⤵
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment 06-27.jar"3⤵
- Creates scheduled task(s)
PID:232
-
-
-
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Payment 06-27.jar"2⤵
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"3⤵
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"3⤵
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"3⤵
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list4⤵PID:3136
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"3⤵
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list4⤵PID:2456
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD50a257f1b297660ebf8f981550c5bfcfe
SHA17b65e7feb8dde2b10c2ba4978df6951cd2c40225
SHA25610eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
SHA512789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130
-
Filesize
50B
MD51472160094d511a400aa00b6a259acd1
SHA1dd8adf4b67e9fde7fac75e73dbcdd468973db8d0
SHA256935e01cdee3579189122544451892d45a89a248eb3936818cef223822d17a342
SHA512ee1ae7f186a225cd32b5fdb04bfbe58d91bcfa58f3b716984086886a2c5bfb6549b9fb524ee82520b05b5bb394f3c54d3ac8730cade303978a254330b5198171
-
Filesize
70KB
MD50a257f1b297660ebf8f981550c5bfcfe
SHA17b65e7feb8dde2b10c2ba4978df6951cd2c40225
SHA25610eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
SHA512789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130