Analysis Overview
SHA256
28148908befb0382c4c3f629c1a5f9a4f93b09855968e444de78d95c6dad86a4
Threat Level: Shows suspicious behavior
The file Minecraft Launcher.exe was classified as: shows suspicious behavior.
Malicious Activity Summary
Modifies file permissions
Drops file in Program Files directory
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 20:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 20:49
Reported
2024-02-22 20:55
Platform
win7-20240221-en
Max time kernel
134s
Max time network
127s
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A (4 identical hits) | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2828 wrote to memory of 2660 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher.exe"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -Xms256m -Xmx512m -jar "C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher.exe"
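Both detonations show the same launch chain: the dropped EXE starts javaw.exe with `-jar` pointing back at itself, so the executable must also be a valid ZIP/JAR (a PE stub with the archive appended). The following script is an added example, not code from the report or from the sample, that checks for exactly that dual structure offline: it verifies the MZ/PE header, locates the ZIP end-of-central-directory record, computes how many bytes of stub precede the archive, and reads the `Main-Class` that `javaw -jar` would execute. The sample it analyses is constructed in memory (a fake 128-byte PE stub plus a two-entry JAR); the class name `net.example.Launcher` is an assumption for the demo and is not taken from the real file.

```python
"""Check whether a PE file is also a valid ZIP/JAR, i.e. a Java launcher stub with the archive appended."""
import io
import struct
import zipfile
from typing import Dict, Optional

EOCD_SIG = b"PK\x05\x06"          # ZIP end-of-central-directory signature
MAX_EOCD_SCAN = 0xFFFF + 22       # EOCD is 22 bytes plus an up-to-64 KiB comment


def is_pe(data: bytes) -> bool:
    """True if the buffer has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def appended_archive_offset(data: bytes) -> int:
    """Offset where an embedded ZIP begins, or -1 if none.

    The EOCD record stores the central directory's size and its offset relative
    to the start of the archive; comparing the recorded offset with the actual
    position reveals how many bytes (the PE stub) precede the archive.
    """
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - MAX_EOCD_SCAN))
    if eocd < 0:
        return -1
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    actual_cd = eocd - cd_size
    start = actual_cd - cd_offset
    return start if start >= 0 else -1


def read_manifest_main_class(zf: zipfile.ZipFile) -> Optional[str]:
    """Main-Class from META-INF/MANIFEST.MF, which is what `javaw -jar` will execute."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("main-class:"):
            return line.split(":", 1)[1].strip()
    return None


def analyze(data: bytes) -> Dict[str, object]:
    """Summarise the dual PE/JAR structure of a sample held in memory."""
    offset = appended_archive_offset(data)
    result: Dict[str, object] = {
        "is_pe": is_pe(data),
        "archive_offset": offset,
        "entries": [],
        "main_class": None,
    }
    if offset >= 0:
        # zipfile tolerates prepended data (it rebases offsets from the EOCD), so the
        # whole file can be opened as an archive without carving the stub off first.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["entries"] = zf.namelist()
            result["main_class"] = read_manifest_main_class(zf)
    return result


def build_sample() -> bytes:
    """Constructed test input (not the real sample): a 128-byte MZ/PE stub followed by a two-entry JAR."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Main-Class name is an assumption made up for this demo.
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: net.example.Launcher\r\n")
        zf.writestr("net/example/Launcher.class", b"\xca\xfe\xba\xbe" + b"\x00" * 4)  # class-file magic only
    return bytes(stub) + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for key, value in analyze(sample).items():
        print(f"{key}: {value}")
```

To run it against the real file, read it with `open(path, "rb").read()` and pass the bytes to `analyze`; an `archive_offset` greater than zero together with a populated `entries` list confirms the javaw `-jar` self-launch seen in the process tree, and `main_class` tells you where to start when pulling the JAR apart.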
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | titanindex.net | udp |
| US | 13.248.169.48:80 | titanindex.net | tcp |
| US | 8.8.8.8:53 | dl.dropbox.com | udp |
| GB | 162.125.64.15:443 | dl.dropbox.com | tcp |
| US | 8.8.8.8:53 | s3.amazonaws.com | udp |
| US | 54.231.197.136:443 | s3.amazonaws.com | tcp |
Files
memory/2828-0-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2660-10-0x0000000002810000-0x0000000005810000-memory.dmp
memory/2660-11-0x0000000001B70000-0x0000000001B71000-memory.dmp
memory/2660-21-0x0000000001B70000-0x0000000001B71000-memory.dmp
memory/2660-24-0x0000000001B70000-0x0000000001B71000-memory.dmp
memory/2660-26-0x0000000001B70000-0x0000000001B71000-memory.dmp
memory/2660-28-0x0000000001B70000-0x0000000001B71000-memory.dmp
memory/2660-30-0x0000000001CE0000-0x0000000001CEA000-memory.dmp
memory/2660-31-0x0000000001CE0000-0x0000000001CEA000-memory.dmp
memory/2660-34-0x0000000001B70000-0x0000000001B71000-memory.dmp
memory/2660-62-0x0000000001B70000-0x0000000001B71000-memory.dmp
memory/2660-103-0x0000000002080000-0x000000000208A000-memory.dmp
memory/2660-104-0x0000000002080000-0x000000000208A000-memory.dmp
memory/2660-105-0x0000000002080000-0x000000000208A000-memory.dmp
memory/2660-176-0x0000000002810000-0x0000000005810000-memory.dmp
memory/2660-179-0x0000000001CE0000-0x0000000001CEA000-memory.dmp
memory/2660-181-0x0000000001CE0000-0x0000000001CEA000-memory.dmp
memory/2660-183-0x0000000002080000-0x000000000208A000-memory.dmp
memory/2660-185-0x0000000002080000-0x000000000208A000-memory.dmp
memory/2660-250-0x0000000002080000-0x000000000208A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\imageio6947493915902510601.tmp
| MD5 | d141cc8e71a3351f1aacb88a74b45fa4 |
| SHA1 | 323cb27d8b7772b4b928a00706d4efe3b1104f52 |
| SHA256 | 2788675e062e1111ead50a9a05971a7c11fe6246a89f571cf9f59ed68c72bb17 |
| SHA512 | 315dfcf01f450b907f2cdfc9661db728789ec2440dd6985d914d024bd3c0798e602f7e230e60a8ffee8f39c95de68477d3b4def580a292e263d48bc23babae09 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-22 20:49
Reported
2024-02-22 20:55
Platform
win10v2004-20240221-en
Max time kernel
143s
Max time network
151s
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5112 wrote to memory of 1400 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher.exe | C:\Program Files\Java\jre-1.8\bin\javaw.exe |
| PID 1400 wrote to memory of 1144 (2 events) | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xms256m -Xmx512m -jar "C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher.exe"
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
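The "Modifies file permissions" hit above comes from javaw.exe spawning icacls to grant Everyone Modify rights (with object and container inheritance) on `C:\ProgramData\Oracle\Java\.oracle_jre_usage`. Granting a broad principal write-capable rights is worth detecting, but the specific path here is the Oracle JRE usage-tracker directory, which the JRE itself creates, so a detection that fires on every such grant is noisy. The script below is an added example, not part of the report: it parses icacls command lines, extracts each `/grant`, strips the inheritance flags, and alerts only when a well-known broad principal receives a write-capable right on a path that is not on an analyst-maintained allowlist. The allowlist entry for the `.oracle_jre_usage` path is an assumption an analyst would make after confirming the behaviour; the command-line tokeniser is deliberately simplified, and all sample command lines other than the first (which is the one recorded above) are constructed.

```python
"""Flag icacls grants of write-capable rights to broad principals in process command lines."""
import ntpath
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Tokeniser for Windows command lines: a token is a run of quoted strings and/or non-blank characters,
# so "everyone":(OI)(CI)M and "C:\Program Files\x" each stay one token. Simplified on purpose.
TOKEN_RE = re.compile(r'(?:"[^"]*"|\S)+')
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific icacls rights that allow changing content or the ACL itself.
WRITE_RIGHTS = {"F", "M", "W", "WD", "WDAC", "WO", "GA", "GW"}
# Well-known broad principals by name and by SID string (icacls accepts the *SID form).
BROAD_PRINCIPALS = {
    "everyone", "*s-1-1-0",
    "users", "builtin\\users", "*s-1-5-32-545",
    "authenticated users", "nt authority\\authenticated users", "*s-1-5-11",
}
# Analyst-maintained allowlist. Assumption: this directory is written by the Oracle JRE usage tracker.
ALLOWLIST_PREFIXES = (r"c:\programdata\oracle\java\.oracle_jre_usage",)


@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    rights: FrozenSet[str]
    allowlisted: bool


def tokenize(cmdline: str) -> List[str]:
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]


def parse_rights(spec: str) -> FrozenSet[str]:
    """'(OI)(CI)M' -> {'M'}; '(OI)(CI)(F)' -> {'F'}; 'RX' -> {'RX'}. Inheritance flags are dropped."""
    parts: List[str] = []
    for inner, bare in re.findall(r"\(([^)]*)\)|([A-Za-z,]+)", spec):
        parts.extend((inner or bare).upper().split(","))
    return frozenset(p for p in parts if p and p not in INHERIT_FLAGS)


def find_broad_grants(cmdline: str) -> List[Finding]:
    """Every /grant (or /grant:r) in an icacls command line that hands a broad principal a write right."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("icacls", "icacls.exe"):
        return []
    path = next((t for t in toks[1:] if not t.startswith("/")), "")
    findings: List[Finding] = []
    for i, tok in enumerate(toks[:-1]):
        if not tok.lower().startswith("/grant"):
            continue
        principal, _, rights_spec = toks[i + 1].rpartition(":")
        rights = parse_rights(rights_spec)
        if principal.lower() in BROAD_PRINCIPALS and rights & WRITE_RIGHTS:
            findings.append(Finding(path, principal, rights,
                                    path.lower().startswith(ALLOWLIST_PREFIXES)))
    return findings


def alerts(cmdlines: List[str]) -> List[str]:
    """Command lines that warrant an alert: a broad write grant on a path not covered by the allowlist."""
    return [c for c in cmdlines if any(not f.allowlisted for f in find_broad_grants(c))]


# Constructed sample: the first line is the one recorded in the behavioral2 run above; the rest are made up.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M',
    r'icacls.exe "C:\Program Files\Acme\svc" /grant Everyone:(OI)(CI)(F) /T',
    r'icacls.exe C:\Users\Admin\Documents /grant Admin:(OI)(CI)M',
    r'icacls C:\data /grant "BUILTIN\Users":RX',
    r'cmd.exe /c echo hello',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(find_broad_grants(line) or "clean", "<-", line)
    print("alerts:", alerts(SAMPLE_CMDLINES))
```

Run over the sample list, only the constructed `Program Files\Acme` grant produces an alert: the recorded `.oracle_jre_usage` grant is still reported as a finding (so it stays visible in triage) but is marked allowlisted, and grants to a named user or of read-only rights are ignored.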
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
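The two network tables (behavioral1 above and behavioral2 here) mix three kinds of rows: DNS queries to the resolver (udp/53), reverse lookups of `in-addr.arpa` names, and actual connections to resolved hosts. Reading them as a flat list overstates the indicator set, since the resolver address and the PTR names are not contacts made by the sample. The script below is an added example, not part of the report: it parses table rows in the report's own pipe-delimited layout, separates resolver traffic from connections, converts reverse-lookup names back into the IP addresses that were looked up, and de-duplicates the domains and endpoints. The embedded table is constructed from rows of both tables above; no claim is made here about who owns the addresses that were reverse-resolved.

```python
"""Turn a sandbox network table into a de-duplicated IOC summary, separating DNS noise from real contacts."""
import re
from typing import Dict, List, NamedTuple, Optional, Set


class NetRow(NamedTuple):
    country: str
    dest_ip: str
    dest_port: int
    domain: str
    proto: str


# One row of the report's table: | CC | ip:port | domain | tcp/udp |
ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*\|"
    r"\s*(?P<dom>\S+)\s*\|\s*(?P<proto>tcp|udp)\s*\|\s*$"
)


def parse_rows(table: str) -> List[NetRow]:
    rows: List[NetRow] = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:   # the header line does not match and is skipped
            rows.append(NetRow(m["cc"], m["ip"], int(m["port"]), m["dom"], m["proto"]))
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """'192.178.17.96.in-addr.arpa' -> '96.17.178.192' (reverse-DNS names carry the octets reversed)."""
    m = re.fullmatch(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?", name, re.IGNORECASE)
    if not m:
        return None
    return ".".join(reversed(m.group(1).rstrip(".").split(".")))


def summarize(rows: List[NetRow]) -> Dict[str, object]:
    """Split rows into resolver addresses, forward lookups, reverse lookups and real connections."""
    resolvers: Set[str] = set()
    lookups: Set[str] = set()
    reverse_lookups: Set[str] = set()
    connections: Dict[str, Set[str]] = {}
    for r in rows:
        if r.proto == "udp" and r.dest_port == 53:
            # A DNS query: the destination is the resolver, the domain is what was asked for.
            resolvers.add(r.dest_ip)
            ip = ptr_to_ip(r.domain)
            if ip:
                reverse_lookups.add(ip)
            else:
                lookups.add(r.domain.lower())
        else:
            # Anything else is a connection the sample actually made to a resolved host.
            connections.setdefault(r.domain.lower(), set()).add(f"{r.dest_ip}:{r.dest_port}")
    return {
        "resolvers": resolvers,
        "lookups": lookups,
        "reverse_lookups": reverse_lookups,
        "connections": connections,
    }


# Constructed from rows of the two network tables in the report (behavioral1 and behavioral2).
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | titanindex.net | udp |
| US | 13.248.169.48:80 | titanindex.net | tcp |
| US | 8.8.8.8:53 | dl.dropbox.com | udp |
| GB | 162.125.64.15:443 | dl.dropbox.com | tcp |
| US | 8.8.8.8:53 | s3.amazonaws.com | udp |
| US | 54.231.197.136:443 | s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
"""

if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE_TABLE)).items():
        print(f"{key}: {value}")
```

The `connections` map is the part to carry into blocking or hunting: the cleartext `titanindex.net` endpoint on port 80 and the file-hosting domains on 443. The `reverse_lookups` set shows which addresses the Windows 10 run was reverse-resolving, and the resolver address should not be treated as an indicator at all.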
Files
memory/5112-0-0x0000000000400000-0x0000000000416000-memory.dmp
memory/1400-3-0x00000173073E0000-0x00000173083E0000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | f32df0c4e54c588304997d449a783ffd |
| SHA1 | f23155799d908e85f296868067ac556e715f8d28 |
| SHA256 | 37941c33139ca3a299700de330f001e4f7aa49ecd5f1be90b417338ac683fbf1 |
| SHA512 | 8efbc22b358b28cfc6b55440e7cbee1fd1c1a01f13b4b394e8305b29ab74bff4d9a52f7b8cf11378f438589fdecbfd2decfeab3b37e0c0587d8c750fb0f2b8cb |
memory/1400-13-0x00000173073C0000-0x00000173073C1000-memory.dmp
memory/1400-27-0x00000173073E0000-0x00000173083E0000-memory.dmp
memory/1400-33-0x00000173073E0000-0x00000173083E0000-memory.dmp
memory/1400-39-0x00000173073E0000-0x00000173083E0000-memory.dmp
memory/1400-41-0x0000017307660000-0x0000017307670000-memory.dmp
memory/1400-42-0x00000173076A0000-0x00000173076B0000-memory.dmp
memory/1400-43-0x00000173076F0000-0x0000017307700000-memory.dmp
memory/1400-44-0x0000017307730000-0x0000017307740000-memory.dmp
memory/1400-45-0x0000017307690000-0x00000173076A0000-memory.dmp
memory/1400-46-0x00000173076C0000-0x00000173076D0000-memory.dmp
memory/1400-47-0x00000173076D0000-0x00000173076E0000-memory.dmp
memory/1400-48-0x00000173076E0000-0x00000173076F0000-memory.dmp
memory/1400-50-0x00000173073E0000-0x00000173083E0000-memory.dmp
memory/1400-49-0x0000017307700000-0x0000017307710000-memory.dmp
memory/1400-51-0x0000017307710000-0x0000017307720000-memory.dmp
memory/1400-52-0x0000017307720000-0x0000017307730000-memory.dmp
memory/1400-53-0x0000017307740000-0x0000017307750000-memory.dmp
memory/1400-54-0x0000017307750000-0x0000017307760000-memory.dmp
memory/1400-55-0x00000173073E0000-0x00000173083E0000-memory.dmp