0352732011c82ddbc89c86f732bd0c3acb9a9c6caf7bdbcb99bb08b68a9db1db

Analysis

max time kernel
140s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/02/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00293828403xlspdf.jar
Size

125KB
MD5

acdf87548c106b4271d86ad9e5afb859
SHA1

0c4108f5b00a0d72d42050757b1fb8d144b44a96
SHA256

0352732011c82ddbc89c86f732bd0c3acb9a9c6caf7bdbcb99bb08b68a9db1db
SHA512

5b6268cf0d7cbac10d015f237b3c86b8dddc9ccb82d47e3aa975feeeed09e4a5315522ae177584a63a6f8562ca3bb5df5bb328f63d24f2e661584bf8d0939477
SSDEEP

3072:ZvPwf6XB5qfvyaKJUbyp4VIVG72WpVErn+kysWOZE2Dt8:Fw8Sij6bWSIVS2WfEEstI

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2044	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2044	1452	java.exe	85
PID 1452 wrote to memory of 2044	1452	java.exe	85

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\00293828403xlspdf.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
bb1f8ace8a3fce0accf9bd2e15079354

SHA1
ec0482bfef9ec13e651243db656f21af27d2d936

SHA256
cc702f412d32442b549665dd0e3537c6e8c501556c70b8cdbbc174447be1644b

SHA512
24ab89328072ecd007842fe0d69584b8f7ec3ac05a9d11fcadfaac990805930cd0c134e8d404e2428c92c66610b85634670e42405828ff2aaa9431986b6a756a

Download Submit
memory/1452-4-0x000001FA01410000-0x000001FA02410000-memory.dmp

Filesize
16.0MB

Download
memory/1452-15-0x000001FA7E8D0000-0x000001FA7E8D1000-memory.dmp

Filesize
4KB

Download
memory/1452-18-0x000001FA01410000-0x000001FA02410000-memory.dmp

Filesize
16.0MB

Download
memory/1452-20-0x000001FA01410000-0x000001FA02410000-memory.dmp

Filesize
16.0MB

Download
memory/1452-22-0x000001FA01690000-0x000001FA016A0000-memory.dmp

Filesize
64KB

Download