cd95317ffcd0cf91eb2ce9fa6a0d062a9a1dab9fd278654b85172445873e5fcb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 09:03

Target

cd95317ffcd0cf91eb2ce9fa6a0d062a9a1dab9fd278654b85172445873e5fcb.jar
Size

209KB
MD5

1f1f27ded1ea733d6be70e13bb1ecd60
SHA1

d03405a17b31e3f58ab90d4cb1ee08f9ba0cf131
SHA256

cd95317ffcd0cf91eb2ce9fa6a0d062a9a1dab9fd278654b85172445873e5fcb
SHA512

e8f50c947fb25b286185bbeda4ba70b2efbb545584e8f7ab018752f7dec84b1ea3aa13f052620b8e7f2d635d4e480cd3657af71cc29c524512b4cd35879a88c4
SSDEEP

3072:jVhrFK2o50lj/H9OtNodDZawwcSHpHA1QNPmnztEHb7yR7MBprhF19AyGZV4etuc:jp7jx1fwcCg1QNPmzmKdMBnF/c42

Score

7^/10

discovery

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1184 icacls.exe

pid	process
1184	icacls.exe

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 5348 wrote to memory of 1184 5348 java.exe icacls.exe
PID 5348 wrote to memory of 1184 5348 java.exe icacls.exe

description	pid	process	target process
PID 5348 wrote to memory of 1184	5348	java.exe	icacls.exe
PID 5348 wrote to memory of 1184	5348	java.exe	icacls.exe

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:1184

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
aa9c910d73d99f9d35cb32ac44db1308

SHA1
2bf80e2d4c11d8a780e1e132b849afc11d8549d1

SHA256
616b3ea379341c21f70104e5781d72f4be5a596b1cc27bafb70588de6f89d74b

SHA512
2c029c7350dae1e2c846003b945f17c1b4667de532df2723611ec251d0810545a8ea0f6f9b06f4e910996680d9c97f3dffbe941209ee210fadfa395c57fbfe4e

Download Submit
memory/5348-4-0x000001F12E3F0000-0x000001F12F3F0000-memory.dmp

Filesize
16.0MB

Download
memory/5348-12-0x000001F12E3D0000-0x000001F12E3D1000-memory.dmp

Filesize
4KB

Download