af27b34c05c79b6f15ee180530fa8e7956d976d6410df17a0d7e20c21352361a

Analysis

max time kernel
195s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f3dd1651102ede8e5701ecdf1d7dbacbcb559b9fec5115295539b18c17b6221.jar
Size

184KB
MD5

1e0b1b66ed579403b6953b326a6112be
SHA1

2e3e96ebbb3d9bab1ecab68bf8220dafa9aa7c7b
SHA256

0f3dd1651102ede8e5701ecdf1d7dbacbcb559b9fec5115295539b18c17b6221
SHA512

8bb490ca1c7e7c74ba0aa55e86ae80522d3ac66bd135cee4875dcea39daee79a9bd9f57d7dcd9da9a5d5855612c5e6c3af8432470947c9089f2f3c8db014a1fa
SSDEEP

3072:XITVQMNnfAxP0k6w8H+9DzTHJQ/2kBu6gMlyXT0bS/vRFCrf9C3gH51DAYTaFEvt:uBnIl0k6/EKekB7pbAZFCrfBHYYTIeVn

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2780	icacls.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	780	wmic.exe
Token: SeSecurityPrivilege	780	wmic.exe
Token: SeTakeOwnershipPrivilege	780	wmic.exe
Token: SeLoadDriverPrivilege	780	wmic.exe
Token: SeSystemProfilePrivilege	780	wmic.exe
Token: SeSystemtimePrivilege	780	wmic.exe
Token: SeProfSingleProcessPrivilege	780	wmic.exe
Token: SeIncBasePriorityPrivilege	780	wmic.exe
Token: SeCreatePagefilePrivilege	780	wmic.exe
Token: SeBackupPrivilege	780	wmic.exe
Token: SeRestorePrivilege	780	wmic.exe
Token: SeShutdownPrivilege	780	wmic.exe
Token: SeDebugPrivilege	780	wmic.exe
Token: SeSystemEnvironmentPrivilege	780	wmic.exe
Token: SeRemoteShutdownPrivilege	780	wmic.exe
Token: SeUndockPrivilege	780	wmic.exe
Token: SeManageVolumePrivilege	780	wmic.exe
Token: 33	780	wmic.exe
Token: 34	780	wmic.exe
Token: 35	780	wmic.exe
Token: 36	780	wmic.exe
Token: SeIncreaseQuotaPrivilege	780	wmic.exe
Token: SeSecurityPrivilege	780	wmic.exe
Token: SeTakeOwnershipPrivilege	780	wmic.exe
Token: SeLoadDriverPrivilege	780	wmic.exe
Token: SeSystemProfilePrivilege	780	wmic.exe
Token: SeSystemtimePrivilege	780	wmic.exe
Token: SeProfSingleProcessPrivilege	780	wmic.exe
Token: SeIncBasePriorityPrivilege	780	wmic.exe
Token: SeCreatePagefilePrivilege	780	wmic.exe
Token: SeBackupPrivilege	780	wmic.exe
Token: SeRestorePrivilege	780	wmic.exe
Token: SeShutdownPrivilege	780	wmic.exe
Token: SeDebugPrivilege	780	wmic.exe
Token: SeSystemEnvironmentPrivilege	780	wmic.exe
Token: SeRemoteShutdownPrivilege	780	wmic.exe
Token: SeUndockPrivilege	780	wmic.exe
Token: SeManageVolumePrivilege	780	wmic.exe
Token: 33	780	wmic.exe
Token: 34	780	wmic.exe
Token: 35	780	wmic.exe
Token: 36	780	wmic.exe
Token: SeIncreaseQuotaPrivilege	4092	wmic.exe
Token: SeSecurityPrivilege	4092	wmic.exe
Token: SeTakeOwnershipPrivilege	4092	wmic.exe
Token: SeLoadDriverPrivilege	4092	wmic.exe
Token: SeSystemProfilePrivilege	4092	wmic.exe
Token: SeSystemtimePrivilege	4092	wmic.exe
Token: SeProfSingleProcessPrivilege	4092	wmic.exe
Token: SeIncBasePriorityPrivilege	4092	wmic.exe
Token: SeCreatePagefilePrivilege	4092	wmic.exe
Token: SeBackupPrivilege	4092	wmic.exe
Token: SeRestorePrivilege	4092	wmic.exe
Token: SeShutdownPrivilege	4092	wmic.exe
Token: SeDebugPrivilege	4092	wmic.exe
Token: SeSystemEnvironmentPrivilege	4092	wmic.exe
Token: SeRemoteShutdownPrivilege	4092	wmic.exe
Token: SeUndockPrivilege	4092	wmic.exe
Token: SeManageVolumePrivilege	4092	wmic.exe
Token: 33	4092	wmic.exe
Token: 34	4092	wmic.exe
Token: 35	4092	wmic.exe
Token: 36	4092	wmic.exe
Token: SeIncreaseQuotaPrivilege	4092	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4280	java.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 2780	4280	java.exe	93
PID 4280 wrote to memory of 2780	4280	java.exe	93
PID 4280 wrote to memory of 780	4280	java.exe	95
PID 4280 wrote to memory of 780	4280	java.exe	95
PID 4280 wrote to memory of 4092	4280	java.exe	97
PID 4280 wrote to memory of 4092	4280	java.exe	97
PID 4280 wrote to memory of 3092	4280	java.exe	99
PID 4280 wrote to memory of 3092	4280	java.exe	99
PID 4280 wrote to memory of 872	4280	java.exe	101
PID 4280 wrote to memory of 872	4280	java.exe	101

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\0f3dd1651102ede8e5701ecdf1d7dbacbcb559b9fec5115295539b18c17b6221.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2780
- C:\Windows\System32\Wbem\wmic.exe
  wmic CPU get ProcessorId
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\System32\Wbem\wmic.exe
  wmic bios get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get name
  2⤵
  PID:3092
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
2d06ea1c5c6e02b6b316fdae8cd7bd4c

SHA1
08fbb9fc85e234f9d51004317bbea0128e588361

SHA256
c96f0a6016aaeb33d4d91f7363bbcbc176eda454ccf5a27c83169f3d2e4d692a

SHA512
cab237281009df7c04f744305d139938529e35e2b6e4af9aa72ca9b3acc81f81e2aa4c978365b8bb8136875b688aca55994ad0b3d93baf4af6829c8d4ed7ad6e

Download Submit
memory/4280-4-0x00000200C8A00000-0x00000200C9A00000-memory.dmp

Filesize
16.0MB

Download
memory/4280-12-0x00000200C89E0000-0x00000200C89E1000-memory.dmp

Filesize
4KB

Download
memory/4280-16-0x00000200C89E0000-0x00000200C89E1000-memory.dmp

Filesize
4KB

Download
memory/4280-18-0x00000200C8A00000-0x00000200C9A00000-memory.dmp

Filesize
16.0MB

Download
memory/4280-24-0x00000200C89E0000-0x00000200C89E1000-memory.dmp

Filesize
4KB

Download