Analysis Overview
SHA256
f65843b805aff75c7f314dbac12645bf53acad1930815abeb9bef526509d89d3
Threat Level: Shows suspicious behavior
The file ftb-teams-fabric-2001.1.4.jar was found to show suspicious behavior.
Malicious Activity Summary
Modifies file permissions
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 17:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 17:38
Reported
2024-02-22 17:40
Platform
win11-20240221-en
Max time kernel
112s
Max time network
93s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5112 wrote to memory of 2376 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 5112 wrote to memory of 2376 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\ftb-teams-fabric-2001.1.4.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| Hash | Value |
|---|---|
| MD5 | c4370ad5cab03580e142627fe5fea613 |
| SHA1 | 449370a35464b272de641435a5a51122af782632 |
| SHA256 | b3ac105399cd97d5278746f5bf0af2b2750c1d358a1f6aceabaca77c40a85e53 |
| SHA512 | 8c76e1dbda113ffd91b866189b04d5096281cd46305c8ae3d30c0ef502bd4aa6f5f97f2f79cf6fdbaeebc80cffbefa81e243a770b0862e3d844a85d142501320 |