Analysis
-
max time kernel
25s -
max time network
30s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system -
submitted
22/02/2024, 18:54
Static task
static1
Behavioral task
behavioral1
Sample
Setup_v_43.3.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Setup_v_43.3.exe
Resource
win10v2004-20240221-en
General
-
Target
Setup_v_43.3.exe
-
Size
108KB
-
MD5
d827cf4f08d8e932f67bdb8bde5f92cf
-
SHA1
771f875fb10090e2ab2537d8787bb3d1a4fb7b8b
-
SHA256
33871c084b06e67d2fb8cc19c672ed27ce604c17ec8519bc44c85a2b1765475e
-
SHA512
e2692fd15974db7cc459c8d2755268d39bb2d819858ac30c42d986284f553cd0e07926434c6550a43e9bc108b1cc35b1cf7e813adbfd885c1ef5a9e028d4abe0
-
SSDEEP
768:F7Zw33FNUf6Nhd/fQ1l+0vM0iT9vIS1Kadjp3S0VYcFodSzSZ27lftcE2ryRIoM0:VZ2FWSNhd/4131iWS1Kax9SxcvqMrIri
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
pid    Process
3916   icacls.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                        pid    Process             procid_target
PID 1876 wrote to memory of 3720   1876   Setup_v_43.3.exe    85
PID 1876 wrote to memory of 3720   1876   Setup_v_43.3.exe    85
PID 3720 wrote to memory of 3916   3720   javaw.exe           87
PID 3720 wrote to memory of 3916   3720   javaw.exe           87
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\Setup_v_43.3.exe (PID:1876)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Setup_v_43.3.exe"
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Program Files\Java\jre-1.8\bin\javaw.exe (PID:3720)
      Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath " org.develnext.jphp.ext.javafx.FXLauncher
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Windows\system32\icacls.exe (PID:3916)
         Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
         - Modifies file permissions
-
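Added triage helper for the "Modifies file permissions" signature (ATT&CK T1222.001) raised on the icacls child above. This is example code written for this page, not part of the sandbox report or of the analysed sample. It parses icacls command lines as they appear in process-creation telemetry and flags /grant entries that hand write, modify or full-control rights to broad principals such as Everyone. Sample line 1 is the icacls command from the process tree above; the other sample lines, the set of "broad" principals, the verdict labels and the benign-path allowlist are this example's assumptions. The allowlist reflects the Oracle JRE 8 usage tracker, which grants Everyone modify on C:\ProgramData\Oracle\Java\.oracle_jre_usage on first run, so that exact grant is reported as known Java behaviour rather than as an attacker ACL change; any other path receiving a broad write grant is ranked high.

```python
"""Added example: triage icacls /grant entries from process command lines."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One token per argument; keeps "quoted":attached text together, e.g. "everyone":(OI)(CI)M
TOKEN_RE = re.compile(r'(?:"[^"]*"|[^\s"])+')
ICACLS_RE = re.compile(r'(?:^|[\\/])icacls(?:\.exe)?$', re.I)
INHERIT_RE = re.compile(r'\((?:OI|CI|IO|NP|I)\)', re.I)

# icacls simple/specific rights that allow changing content, attributes or the ACL itself
WRITE_RIGHTS = {"F", "M", "W", "D", "DC", "WD", "AD", "WA", "WEA", "WDAC", "WO", "GW", "GA"}
# Assumption of this example: principals treated as "broad"
BROAD_PRINCIPALS = {
    "everyone", "*s-1-1-0", "users", "builtin\\users",
    "authenticated users", "nt authority\\authenticated users", "*s-1-5-11",
}
# Assumption of this example: the Oracle JRE 8 usage tracker issues exactly this grant on
# first run, so a match on this path is reported as known behaviour, not as an ACL attack.
KNOWN_BENIGN_PATHS = {r"c:\programdata\oracle\java\.oracle_jre_usage"}


@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    rights: frozenset
    verdict: str  # "high", "low", "info" or "benign-known"


def parse_rights(spec: str) -> frozenset:
    """'(OI)(CI)M' -> {'M'}; '(R,W)' -> {'R','W'}; 'F' -> {'F'} (inheritance flags dropped)."""
    spec = INHERIT_RE.sub("", spec).strip("()")
    return frozenset(r.strip().upper() for r in spec.split(",") if r.strip())


def parse_icacls(cmdline: str) -> list[tuple[str, str, frozenset]]:
    """Return (target_path, principal, rights) for every /grant entry of an icacls command."""
    tokens = [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]
    exe = next((k for k, t in enumerate(tokens) if ICACLS_RE.search(t)), None)
    if exe is None or exe + 1 >= len(tokens):
        return []
    target = tokens[exe + 1]
    grants = []
    k = exe + 2
    while k < len(tokens):
        if tokens[k].lower() in ("/grant", "/grant:r"):
            k += 1
            # every following token up to the next switch is a principal:rights pair
            while k < len(tokens) and not tokens[k].startswith("/"):
                who, _, rights = tokens[k].partition(":")
                grants.append((target, who, parse_rights(rights)))
                k += 1
        else:
            k += 1
    return grants


def assess(cmdline: str) -> list[Finding]:
    """Broad principal + write right is high unless the path is a known benign case."""
    findings = []
    for path, who, rights in parse_icacls(cmdline):
        broad = who.lower() in BROAD_PRINCIPALS
        writable = bool(rights & WRITE_RIGHTS)
        if broad and writable:
            verdict = "benign-known" if path.lower().rstrip("\\") in KNOWN_BENIGN_PATHS else "high"
        elif writable:
            verdict = "low"
        else:
            verdict = "info"
        findings.append(Finding(path, who, rights, verdict))
    return findings


def triage(cmdlines: list[str]) -> list[Finding]:
    return [f for line in cmdlines for f in assess(line)]


SAMPLE_CMDLINES = [
    # 1. From the process tree on this page (PID 3916)
    r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M',
    # 2. Constructed: a service directory opened to Everyone with full control
    r'icacls.exe "C:\Program Files\Acme Agent" /grant Everyone:(OI)(CI)F',
    # 3. Constructed: modify granted to one named account only
    r'icacls C:\Users\Admin\work /grant Admin:(OI)(CI)M',
    # 4. Constructed: read/execute only, even though the principal is broad
    r'icacls C:\inetpub\wwwroot /grant:r "BUILTIN\Users":RX',
    # 5. Constructed: unrelated process, produces no finding
    r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.verdict:13} {f.principal:14} {','.join(sorted(f.rights)):5} {f.path}")
```

Run against the sample lines, the page's own icacls command comes back as "benign-known", the constructed Everyone:(OI)(CI)F grant on a Program Files directory as "high", the per-user modify grant as "low" and the read/execute grant as "info". The allowlist is deliberately an exact path match: a grant of Everyone modify on any other directory, including a sibling under C:\ProgramData\Oracle, is still ranked high.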
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
46B
MD5
dffe1e5285db31a952ddd0f0b886c73c
SHA1
80c2719af0d5361f359d79ae5e21cc49322db813
SHA256
fa99e83d620380efcc8112bd135b899b1baaee0f297862268ddf96160f54e342
SHA512
a5ee6d8cb6e77a78308ac6aef3aa384a92a64907b2f0f32d2aa414e0f0f53e7f41855cefae92f7e622b4f624fa83e9fcd5d5ffd5b3d8049d084421a6d05c881a