Analysis

    max time kernel: 150s
    max time network: 153s
    platform: windows10-2004_x64
    resource: win10v2004-20231222-en
    resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
    submitted: 02/01/2024, 00:42
Static task: static1

Behavioral task: behavioral1
    Sample: fabric-installer-0.11.2.exe
    Resource: win7-20231129-en

Behavioral task: behavioral2
    Sample: fabric-installer-0.11.2.exe
    Resource: win10v2004-20231222-en
General

    Target: fabric-installer-0.11.2.exe
    Size: 399KB
    MD5: 0604fd84edc6059d39a631eb0ce5a546
    SHA1: 9ecd7d7df70a25d5ba0ff81e7ad6b59280f71bb6
    SHA256: 3c1029d521ba448c4150d58bd75fd1646f54d72d95d0f91f5dd60656f55eff9a
    SHA512: 68e727ea4515ac385e4d757a5e6cff3005ccf50b54e7b5ee1bbb100f18afc09cd814138d31b9e4237a3170bbb3e4a9554e1b4294ec866cd6f63b6e461da8db09
    SSDEEP: 6144:XbOTF9+lw27APRw3zeFAO8X+KAWCXgy/kJ1o2ww5OxLRfSA4syabpAq:L+z+u9ZF6uKAWCQy/c1HwnBBfL
Malware Config
Signatures

Modifies file permissions (1 TTPs, 1 IoCs)
    pid  | Process
    4576 | icacls.exe

Drops file in Program Files directory (12 IoCs)
    description                 | ioc                                                          | Process
    File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb              | javaw.exe
    File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb                 | javaw.exe
    File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb            | javaw.exe
    File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | javaw.exe
    File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb               | javaw.exe
    File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb          | javaw.exe
    File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb  | javaw.exe
    File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb                     | javaw.exe
    File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb         | javaw.exe
    File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb        | javaw.exe
    File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb                   | javaw.exe
    File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb       | javaw.exe

Program crash (1 IoCs)
    pid  | pid_target | Process      | procid_target
    3904 | 3068       | WerFault.exe | 73

Suspicious use of SetWindowsHookEx (1 IoCs)
    pid | Process
    696 | javaw.exe

Suspicious use of WriteProcessMemory (6 IoCs)
    description                      | pid  | Process                     | procid_target
    PID 3068 wrote to memory of 396  | 3068 | fabric-installer-0.11.2.exe | 88
    PID 3068 wrote to memory of 396  | 3068 | fabric-installer-0.11.2.exe | 88
    PID 396 wrote to memory of 4576  | 396  | javaw.exe                   | 89
    PID 396 wrote to memory of 4576  | 396  | javaw.exe                   | 89
    PID 3068 wrote to memory of 696  | 3068 | fabric-installer-0.11.2.exe | 91
    PID 3068 wrote to memory of 696  | 3068 | fabric-installer-0.11.2.exe | 91
Processes

    [1] C:\Users\Admin\AppData\Local\Temp\fabric-installer-0.11.2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fabric-installer-0.11.2.exe"
        PID: 3068
        - Suspicious use of WriteProcessMemory

        [2] C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
            Command line: "javaw.exe" "-version"
            PID: 396
            - Suspicious use of WriteProcessMemory

            [3] C:\Windows\system32\icacls.exe
                Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
                PID: 4576
                - Modifies file permissions

        [2] C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
            Command line: "javaw.exe" "-jar" "C:\Users\Admin\AppData\Local\Temp\fabric-installer-0.11.2.exe" "-fabricInstallerBootstrap" "true"
            PID: 696
            - Drops file in Program Files directory
            - Suspicious use of SetWindowsHookEx

        [2] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 300
            PID: 3904
            - Program crash

    [1] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3068 -ip 3068
        PID: 4892
Network
MITRE ATT&CK Enterprise v15
Downloads

    Filesize: 46B
    MD5: 868a460f21567d5b46a8b86ac6df8150
    SHA1: 3eefd45bd842daed6807966300a108642c382d6b
    SHA256: b394a8345de6e7555a610d0e3990d000bbee916031ec7ede2a20ddee5476331c
    SHA512: 756ab4cf8e57b33bc16132cf90cb77fc82a0065fe5a4d41cd8853e516134bf4645d2e1879bb1db5c8a8476dfa51ae9bfe5ddaf2e4055aa4963fd22aa79fe3c1e