5bacd470aae61821c09162380318c6f9df4250534b7347f326e04e2b67585cc7

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wurst-Client-v7.39.1-MC1.20.1.jar
Size

1.6MB
MD5

a733830d08415b6f8a9184ac5dde2fb2
SHA1

fdcdae43e71e46fbfca3fadaba2faddc2467c6af
SHA256

5bacd470aae61821c09162380318c6f9df4250534b7347f326e04e2b67585cc7
SHA512

9c7b7d533abf1d199c4875fe08de4fcf6ade6c6fb3b8c2341909fb75c261179e841a4b413d151ebe436c3394cc0011eb0e32091893b7e1915eabf1714169614e
SSDEEP

24576:fVq9Hu5uIV30IemgmAH1fnTps+x+PB/eMvNQVha79U3H6zN4zxnzC8JSssC2b0:m+lV30IfW17pJYXQVhMq3a2zxFFsBb0

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5044 icacls.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 1128 wrote to memory of 5044 1128 java.exe icacls.exe
PID 1128 wrote to memory of 5044 1128 java.exe icacls.exe

pid	process
5044	icacls.exe

description	pid	process	target process
PID 1128 wrote to memory of 5044	1128	java.exe	icacls.exe
PID 1128 wrote to memory of 5044	1128	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Wurst-Client-v7.39.1-MC1.20.1.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
6007b5455429e7632b738879bcdf7c20

SHA1
b696bcc88eb7be05649e28b0432535af7369ba61

SHA256
6b7ea4c560033f2825651c138638d6939a3bbf7ae48fa98536f3296fd8795f27

SHA512
83216cb19957ba6c81a148516d6afbcf36c9700c6c7f248b9aeeed5e070a5048e06acd40f93d9111fc4ad23bae23a5e7686b7c5e9ab070e1891c1a6802e9480d

Download Submit
memory/1128-4-0x00000247BF210000-0x00000247C0210000-memory.dmp

Filesize
16.0MB

Download
memory/1128-12-0x00000247BD950000-0x00000247BD951000-memory.dmp

Filesize
4KB

Download