Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2023 14:20
Static task: static1
Behavioral task: behavioral1
  Sample: Payment0627jar.jar
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: Payment0627jar.jar
  Resource: win10v2004-20230621-en
General
Target: Payment0627jar.jar
Size: 70KB
MD5: 0a257f1b297660ebf8f981550c5bfcfe
SHA1: 7b65e7feb8dde2b10c2ba4978df6951cd2c40225
SHA256: 10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
SHA512: 789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130
SSDEEP: 768:sfZEarPi5ZQ7IT1yhV9JO8BUIm5UljMSfUZ0vTHFjpnfGu6n5rbEaH33kH/:P0Iq77hVc5ojMPZYlj9GPn5d33e/
Malware Config
Signatures
Drops startup file (1 IoC)
Processes: java.exe
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment0627jar.jar | java.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: java.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment0627jar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment0627jar.jar\"" | java.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Payment0627jar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Payment0627jar.jar\"" | java.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: java.exe, cmd.exe
  description | pid | Process | procid_target
  PID 2032 wrote to memory of 1416 | 2032 | java.exe | 29
  PID 2032 wrote to memory of 1416 | 2032 | java.exe | 29
  PID 2032 wrote to memory of 1416 | 2032 | java.exe | 29
  PID 2032 wrote to memory of 2008 | 2032 | java.exe | 30
  PID 2032 wrote to memory of 2008 | 2032 | java.exe | 30
  PID 2032 wrote to memory of 2008 | 2032 | java.exe | 30
  PID 1416 wrote to memory of 904 | 1416 | cmd.exe | 31
  PID 1416 wrote to memory of 904 | 1416 | cmd.exe | 31
  PID 1416 wrote to memory of 904 | 1416 | cmd.exe | 31
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\java.exe
  command line: java -jar C:\Users\Admin\AppData\Local\Temp\Payment0627jar.jar
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2032
  C:\Windows\system32\cmd.exe
    command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"
    - Suspicious use of WriteProcessMemory
    PID: 1416
    C:\Windows\system32\schtasks.exe
      command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"
      - Creates scheduled task(s)
      PID: 904
  C:\Program Files\Java\jre7\bin\java.exe
    command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Payment0627jar.jar"
    PID: 2008
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 70KB
MD5: 0a257f1b297660ebf8f981550c5bfcfe
SHA1: 7b65e7feb8dde2b10c2ba4978df6951cd2c40225
SHA256: 10eaa98e8643cf303011d5305ea11337e90fa86dd5ce017c970d0f368465c70b
SHA512: 789bd5cef389d75db29f699c72aebefa4dcd6ab5ea91fee208a1890beb076064816c5ea7eef6c9b3892e158799c245ac2245a49b7b36b9ca3d88a408908ad130