1ec0a2a6f9f318919a5e3e811c39632cbfd130d7ce6d4001a02d645e8366ecd9

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GameExtractor.bat
Size

122B
MD5

17cee035c0b13f24afeea212d6ffe9bf
SHA1

672ded3b549f4238a223e34a90da46707b7ca53a
SHA256

e4a574b0766eaa32519d5f54f5d2b6500efd7217dd88e3dc388db3d91c959de3
SHA512

082a7b17bf47a04b2e3ece09746d13aa737d2a0af5962aac94d4f48ae18e37a57da774efecaea5935b4f5ad87dc31407eae881999195336334722b01550d04ca

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3292	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	java.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
324	java.exe
324	java.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 324	4544	cmd.exe	93
PID 4544 wrote to memory of 324	4544	cmd.exe	93
PID 324 wrote to memory of 3292	324	java.exe	94
PID 324 wrote to memory of 3292	324	java.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\GameExtractor.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java -Xmx1024m -jar GameExtractor.jar
  2⤵
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
8711fadb48749c1d3a920400fd8e65ff

SHA1
1c48b0d70d38e58d719da3e96011620e2eb47def

SHA256
6737e46d8ccb3a3965ae6891cf8a14d2ad49e7315b60c683518fd94172b74bb3

SHA512
8cc1d7e83f6cf95d55194569c27fc0e9664d4454d77c73d49e75e97c71654183722bc0decff1dda80c32d6a0d085c6df4c249738f85b7089d483aa30282f6584

Download Submit
memory/324-4-0x000002843BCF0000-0x000002843CCF0000-memory.dmp

Filesize
16.0MB

Download
memory/324-15-0x000002843A430000-0x000002843A431000-memory.dmp

Filesize
4KB

Download
memory/324-24-0x000002843BCF0000-0x000002843CCF0000-memory.dmp

Filesize
16.0MB

Download
memory/324-30-0x000002843BCF0000-0x000002843CCF0000-memory.dmp

Filesize
16.0MB

Download
memory/324-31-0x000002843BCF0000-0x000002843CCF0000-memory.dmp

Filesize
16.0MB

Download