d0e05d14d752a572c57ccc42b3d79c8ea55c93062c2a3b73bf2e128f77678396

Resubmissions

01-02-2024 21:27

240201-1at8kaggbk 7

01-02-2024 21:16

240201-z4xecaece3 7

01-02-2024 21:11

240201-z1185ageem 7

11-04-2023 18:10

230411-wr28aafg6y 10

Analysis

max time kernel
425s
max time network
1138s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

McFree.exe
Size

3.9MB
MD5

fbb8b46f249d59713c89ce8f4d802a2b
SHA1

5aaaeb71083e189b07bcc30134689e326b42806d
SHA256

d0e05d14d752a572c57ccc42b3d79c8ea55c93062c2a3b73bf2e128f77678396
SHA512

d81b7aa5eea4bb46aaa2aec5cb5b39304ec864cc9be3ebf48bdce80c9b43d24dc61d11b290ae23330292f2babef329d2f892d9cb2f755b55b0619fb5fc293392
SSDEEP

98304:7ws/7iR7W3TBrHJWGs2NyqeoNE/7SRYY8CU:7wY0W3TVHJack+KCU

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2100	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 4112	1832	McFree.exe	83
PID 1832 wrote to memory of 4112	1832	McFree.exe	83
PID 4112 wrote to memory of 2100	4112	javaw.exe	86
PID 4112 wrote to memory of 2100	4112	javaw.exe	86

C:\Users\Admin\AppData\Local\Temp\McFree.exe
"C:\Users\Admin\AppData\Local\Temp\McFree.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\McFree.exe" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
fd0541503a7df0fc2c1e813555ed9d1d

SHA1
555b66505ddf13416b11d709f8129bdb0dbb3742

SHA256
cb35e8078d0776ad48a7d07b808efcd7eb712b73251759022f8d63faa4cb0895

SHA512
5e2d38bdc3595823ebe6cca2120e5b8cfacba86974a16e47194c32c46d633617cdbfc36197f69a40a608f5d0ca70032685e735437b2116facf6302c5e3a12e3b

Download Submit
memory/1832-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1832-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4112-29-0x0000023515220000-0x0000023516220000-memory.dmp

Filesize
16.0MB

Download
memory/4112-38-0x0000023515220000-0x0000023516220000-memory.dmp

Filesize
16.0MB

Download
memory/4112-23-0x0000023515220000-0x0000023516220000-memory.dmp

Filesize
16.0MB

Download
memory/4112-25-0x0000023515220000-0x0000023516220000-memory.dmp

Filesize
16.0MB

Download
memory/4112-28-0x0000023515220000-0x0000023516220000-memory.dmp

Filesize
16.0MB

Download
memory/4112-4-0x0000023515220000-0x0000023516220000-memory.dmp

Filesize
16.0MB

Download
memory/4112-34-0x0000023515220000-0x0000023516220000-memory.dmp

Filesize
16.0MB

Download
memory/4112-14-0x0000023513940000-0x0000023513941000-memory.dmp

Filesize
4KB

Download
memory/4112-44-0x0000023513940000-0x0000023513941000-memory.dmp

Filesize
4KB

Download
memory/4112-51-0x0000023515220000-0x0000023516220000-memory.dmp

Filesize
16.0MB

Download
memory/4112-54-0x00000235154E0000-0x00000235154F0000-memory.dmp

Filesize
64KB

Download
memory/4112-55-0x0000023515510000-0x0000023515520000-memory.dmp

Filesize
64KB

Download
memory/4112-56-0x0000023515530000-0x0000023515540000-memory.dmp

Filesize
64KB

Download
memory/4112-57-0x0000023515520000-0x0000023515530000-memory.dmp

Filesize
64KB

Download
memory/4112-58-0x0000023515220000-0x0000023516220000-memory.dmp

Filesize
16.0MB

Download
memory/4112-59-0x0000023515220000-0x0000023516220000-memory.dmp

Filesize
16.0MB

Download