fe05fed36a2b6c2118716120f085ebc72a3baad8e3372942e57926731c8919ab

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 12:16

Target

shipping bill.jar
Size

126KB
MD5

31ac77837bcf9eab9de823001a548afe
SHA1

06925f6d41bf7d2a04989095feb9a641e069ae17
SHA256

fe05fed36a2b6c2118716120f085ebc72a3baad8e3372942e57926731c8919ab
SHA512

15d6cf4d1740302258dbf690b88dce0ba9fcf5d36f57244d688d5009952c182a8db71d0e10925f15d2c9ff2201057dcc910a4e2abc2400971b5c9f267f828f11
SSDEEP

3072:bQskmZaPlSPkevgkUlMyr9VhMQknMaxDKLc5QHN8Qbf:7UdYvgj2iMMalBCNj7

Score

7^/10

discovery

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4092 icacls.exe

pid	process
4092	icacls.exe

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 4972 wrote to memory of 4092 4972 java.exe icacls.exe
PID 4972 wrote to memory of 4092 4972 java.exe icacls.exe

description	pid	process	target process
PID 4972 wrote to memory of 4092	4972	java.exe	icacls.exe
PID 4972 wrote to memory of 4092	4972	java.exe	icacls.exe

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:4092

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
1d2cd464019be4f69043d505b7e56772

SHA1
39ec5298db777770a3fc40a0677d971d1cae215f

SHA256
c9360fef82ed917335bd5ac1a11ef10102e21f71091c1a3e0cef9003f133ae39

SHA512
d05821b96ae9b9356f20eeaeb8145a0a5e57b4b271c047874b0390c5187a3dc29f6798e66d3aa0c6c5f5c6ad2cf4d08af527465ecd2022d56d4b2e64ba6e29f2

Download Submit
memory/4972-4-0x000001C280000000-0x000001C281000000-memory.dmp

Filesize
16.0MB

Download
memory/4972-15-0x000001C280000000-0x000001C281000000-memory.dmp

Filesize
16.0MB

Download
memory/4972-16-0x000001C280000000-0x000001C281000000-memory.dmp

Filesize
16.0MB

Download