6b9dd7cc574ff046cebc9887ce2ef8cf20c5cc075d8c6bb91f415c1ce247355a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51ffa503e65ad126b9d9ae20a9ef3b1ec4f2f65e.exe
Size

1.4MB
MD5

92ce24ce5e4c59c88d22ec72b58a8874
SHA1

51ffa503e65ad126b9d9ae20a9ef3b1ec4f2f65e
SHA256

6b9dd7cc574ff046cebc9887ce2ef8cf20c5cc075d8c6bb91f415c1ce247355a
SHA512

658a7ede1a1c91056c18947f4098fdbb8400179234709023e2685662f46418209646e073a17e3ad56ba67b165b2a3e4de9dab218fd72f3c05efd7412525a87e1
SSDEEP

24576:rOuf9Qc9RD0lxVxa0L2W4V2sx5CDBsdXNzMbCuE1BkWU/ngN+zeABd:r7/Il740CW4VX/CDBsh9GCd7tU/lzTd

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4732 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4732	icacls.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

51ffa503e65ad126b9d9ae20a9ef3b1ec4f2f65e.exejava.exe

description	pid	process	target process
PID 3668 wrote to memory of 1936	3668	51ffa503e65ad126b9d9ae20a9ef3b1ec4f2f65e.exe	java.exe
PID 3668 wrote to memory of 1936	3668	51ffa503e65ad126b9d9ae20a9ef3b1ec4f2f65e.exe	java.exe
PID 1936 wrote to memory of 4732	1936	java.exe	icacls.exe
PID 1936 wrote to memory of 4732	1936	java.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\51ffa503e65ad126b9d9ae20a9ef3b1ec4f2f65e.exe
"C:\Users\Admin\AppData\Local\Temp\51ffa503e65ad126b9d9ae20a9ef3b1ec4f2f65e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3668

\??\c:\PROGRA~1\java\jre-1.8\bin\java.exe
c:\PROGRA~1\java\jre-1.8\bin\java.exe -version
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
3⤵
- Modifies file permissions
PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
10ece20df47ad838d949beda94b2b6ef

SHA1
8c70ab97c87d67d8ddd9ecbd244eded59c679c4f

SHA256
9a6dce16f1e842d5bb72e76f46b430600eb7191100b03a01b1f138d7979ffa5d

SHA512
83706f0445bccefc0b6c6c5bff69c1933492baffb3e140f8fda28580ea946ca79f968380379c2f64226c246b0cabfd93ab2d951ffbe2192d92a7aaf9940b76f4

Download Submit
memory/1936-8-0x0000017E5E8A0000-0x0000017E5F8A0000-memory.dmp

Filesize
16.0MB

Download
memory/1936-16-0x0000017E5E880000-0x0000017E5E881000-memory.dmp

Filesize
4KB

Download
memory/3668-249-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3668-25-0x0000000002280000-0x0000000003280000-memory.dmp

Filesize
16.0MB

Download
memory/3668-34-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3668-127-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3668-177-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3668-3-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3668-279-0x0000000002280000-0x0000000003280000-memory.dmp

Filesize
16.0MB

Download
memory/3668-478-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3668-614-0x0000000002280000-0x0000000003280000-memory.dmp

Filesize
16.0MB

Download
memory/3668-654-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3668-656-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3668-660-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3668-658-0x0000000002280000-0x0000000003280000-memory.dmp

Filesize
16.0MB

Download
memory/3668-669-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3668-668-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3668-671-0x0000000002280000-0x0000000003280000-memory.dmp

Filesize
16.0MB

Download