de1522a546abbff8b5cdde813b89e754ab0da6894e25bba0243a7a79e26a99d5

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 03:54

Target

SB COPY6827366180.PDF.jar
Size

40KB
MD5

0ec695117cb3bf0f1a8cef9a77f7675a
SHA1

e1152ed31dad5535bbeb5b63d61491d5fadd4787
SHA256

243a5315c031347617620bb5c8b694b3308932530519abc04e00c7c4fd7f7c62
SHA512

b9b27c10a0363fc38a219e8c9b795e284003e94b5851c30e30907b766bba88aa2e81701edd222461a5379a4daca0f094527f2fdca3da132aafede02d27bc8bf7
SSDEEP

768:qzXFN70ZIv326vOAZT1S0dNMAkuyC9iS7hKouufPN7c:qzXj7eYNJkchvN4

Score

7^/10

discovery

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4708 icacls.exe

pid	process
4708	icacls.exe

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 4524 wrote to memory of 4708 4524 java.exe icacls.exe
PID 4524 wrote to memory of 4708 4524 java.exe icacls.exe

description	pid	process	target process
PID 4524 wrote to memory of 4708	4524	java.exe	icacls.exe
PID 4524 wrote to memory of 4708	4524	java.exe	icacls.exe

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:4708

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
31db826bd42448097dd8d06dbf74a60d

SHA1
c4e4ff8e4732bb86e6452be553cd34b3ccae18ea

SHA256
4dd693c18de1403464952b369098b7c052ab2412338184b89fb27f08d96ea59e

SHA512
f7605bb8fc7828d520ff7d175dbc670b6352696d53beb06f2057e9813eaff56bdd69fd8fd09dee6d6ccdb5c7b99d025b03bad3245543700fc9f1e8d513e8e31d

Download Submit
memory/4524-4-0x000001B5AD160000-0x000001B5AE160000-memory.dmp

Filesize
16.0MB

Download