0c069059f9582da450ae00ccd6ba3e3d59eb4b02cb9aabc544e4808b7f94c234

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2023 18:22

Target

overdues-pdf.jar
Size

67KB
MD5

147056ef41389a1f59ba0ff32ddde8b7
SHA1

34d1f67a5a10afb224b8b5e06363a6e44ac5ee3b
SHA256

0c069059f9582da450ae00ccd6ba3e3d59eb4b02cb9aabc544e4808b7f94c234
SHA512

98c6f0b355c2392fcdf2ed6368b1fef249cf53bdd492517914d35b6a7049b161e235accdc919e77718a57107a4383174fb6cadc2d53b2a03f2f94f74486632db
SSDEEP

768:ewL3z9DFCYOW9HfcmZmV93KKr8K/dC3cfKYRsOanopEt3OfoAiVK/f7SWPs+D5le:n7RQYF9Ume3K7KNdEGoNVKnb5z5s6oH

Score

7^/10

discovery

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2808 icacls.exe

pid	process
2808	icacls.exe

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 4016 wrote to memory of 2808 4016 java.exe icacls.exe
PID 4016 wrote to memory of 2808 4016 java.exe icacls.exe

description	pid	process	target process
PID 4016 wrote to memory of 2808	4016	java.exe	icacls.exe
PID 4016 wrote to memory of 2808	4016	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\overdues-pdf.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2808

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
3dda390d4efcbf0c5b33dc3d349bd535

SHA1
e8e487f8bfa87c72ceb00606849785861ed36311

SHA256
8d189e4603d380383944d17757671e42e345cd97be9a07e0cc6a4d0603d0c757

SHA512
2adf59d122ec30c6bb16f0ae59e493dc23b3c9b716f15ab9c72dfe97dc3ee98a597c9a87362195784182c3722776b44a543e4bb803d1b9a4581ff0c23329b000

Download Submit
memory/4016-4-0x0000020AD4CA0000-0x0000020AD5CA0000-memory.dmp

Filesize
16.0MB

Download
memory/4016-12-0x0000020AD33E0000-0x0000020AD33E1000-memory.dmp

Filesize
4KB

Download