d0e05d14d752a572c57ccc42b3d79c8ea55c93062c2a3b73bf2e128f77678396

Resubmissions

01-02-2024 21:27

240201-1at8kaggbk 7

01-02-2024 21:16

240201-z4xecaece3 7

01-02-2024 21:11

240201-z1185ageem 7

11-04-2023 18:10

230411-wr28aafg6y 10

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

McFree.exe
Size

3.9MB
MD5

fbb8b46f249d59713c89ce8f4d802a2b
SHA1

5aaaeb71083e189b07bcc30134689e326b42806d
SHA256

d0e05d14d752a572c57ccc42b3d79c8ea55c93062c2a3b73bf2e128f77678396
SHA512

d81b7aa5eea4bb46aaa2aec5cb5b39304ec864cc9be3ebf48bdce80c9b43d24dc61d11b290ae23330292f2babef329d2f892d9cb2f755b55b0619fb5fc293392
SSDEEP

98304:7ws/7iR7W3TBrHJWGs2NyqeoNE/7SRYY8CU:7wY0W3TVHJack+KCU

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2488	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1204	1620	McFree.exe	83
PID 1620 wrote to memory of 1204	1620	McFree.exe	83
PID 1204 wrote to memory of 2488	1204	javaw.exe	84
PID 1204 wrote to memory of 2488	1204	javaw.exe	84

C:\Users\Admin\AppData\Local\Temp\McFree.exe
"C:\Users\Admin\AppData\Local\Temp\McFree.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\McFree.exe" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
cff4429d7bee0d52a02b99b1f7523779

SHA1
70e1214f26b80e07e07964a5113d455cd8d2a766

SHA256
702b42bc8780f162052582cc8631934098b83dbee98e63549bdd721329c6a3da

SHA512
ea02a1b188e2ae10febb385622015e90c0d11f173ece52f2092b59eb5647f669221d5f7fcc2002ab96f181b9c683ea10034e730f87a6fd9474e8ab1ff2e50d07

Download Submit
memory/1204-6-0x000002308AF20000-0x000002308BF20000-memory.dmp

Filesize
16.0MB

Download
memory/1204-14-0x00000230896E0000-0x00000230896E1000-memory.dmp

Filesize
4KB

Download
memory/1204-20-0x000002308AF20000-0x000002308BF20000-memory.dmp

Filesize
16.0MB

Download
memory/1204-21-0x000002308B1A0000-0x000002308B1B0000-memory.dmp

Filesize
64KB

Download
memory/1204-22-0x000002308AF20000-0x000002308BF20000-memory.dmp

Filesize
16.0MB

Download
memory/1620-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download