79098273db492173009ed9fdd408224f010bb6222a09f4f93fcc6de5bf324acc

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79098273db492173009ed9fdd408224f010bb6222a09f4f93fcc6de5bf324acc.jar
Size

209KB
MD5

b6211e0aea888d1d1502812dc2a6e26c
SHA1

8f0e44f2128b2451dd681f7c807ecdba1283f0c4
SHA256

79098273db492173009ed9fdd408224f010bb6222a09f4f93fcc6de5bf324acc
SHA512

0021749654fe4d56163fda85a975e7335820becaa8889dec59a7b35d3faa97dc67f0516b77257a7881c45b5c4cc66829ba8b4d830cf3c0160af79ddda460770b
SSDEEP

6144:J2j85JHHl/6C1kOQzyaRfiVO6w0UuwPdVmyKw:J2Y59VHXQVqO6w02PKw

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

652 icacls.exe

pid	process
652	icacls.exe

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 3992 wrote to memory of 652 3992 java.exe icacls.exe
PID 3992 wrote to memory of 652 3992 java.exe icacls.exe

description	pid	process	target process
PID 3992 wrote to memory of 652	3992	java.exe	icacls.exe
PID 3992 wrote to memory of 652	3992	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\79098273db492173009ed9fdd408224f010bb6222a09f4f93fcc6de5bf324acc.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
cc9b4cc574a7c0be1f41ed824dbe0695

SHA1
30917aa1c45af73149ea1f15dc67235f8a250d0c

SHA256
b5223b555920d39950b5a65bda9a0335fe788e6281e5ee73f9068e365a2c4bd0

SHA512
6494eac2d71c14bfa28f78eafec25150d45ef81b548b2cce5e0a64d687270b367547a2f0af87e459b5a3a5d0797ea70b8a02b1a01ee57d6791b8f08c33d4dcd7

Download Submit
memory/3992-42-0x000001B0020F0000-0x000001B002100000-memory.dmp

Filesize
64KB

Download
memory/3992-51-0x000001B001E20000-0x000001B002E20000-memory.dmp

Filesize
16.0MB

Download
memory/3992-41-0x000001B0020D0000-0x000001B0020E0000-memory.dmp

Filesize
64KB

Download
memory/3992-24-0x000001B001E20000-0x000001B002E20000-memory.dmp

Filesize
16.0MB

Download
memory/3992-36-0x000001B001E20000-0x000001B002E20000-memory.dmp

Filesize
16.0MB

Download
memory/3992-38-0x000001B0020B0000-0x000001B0020C0000-memory.dmp

Filesize
64KB

Download
memory/3992-39-0x000001B002110000-0x000001B002120000-memory.dmp

Filesize
64KB

Download
memory/3992-40-0x000001B002180000-0x000001B002190000-memory.dmp

Filesize
64KB

Download
memory/3992-22-0x000001B0005C0000-0x000001B0005C1000-memory.dmp

Filesize
4KB

Download
memory/3992-16-0x000001B001E20000-0x000001B002E20000-memory.dmp

Filesize
16.0MB

Download
memory/3992-43-0x000001B002100000-0x000001B002110000-memory.dmp

Filesize
64KB

Download
memory/3992-44-0x000001B001E20000-0x000001B002E20000-memory.dmp

Filesize
16.0MB

Download
memory/3992-45-0x000001B002120000-0x000001B002130000-memory.dmp

Filesize
64KB

Download
memory/3992-46-0x000001B002130000-0x000001B002140000-memory.dmp

Filesize
64KB

Download
memory/3992-47-0x000001B002150000-0x000001B002160000-memory.dmp

Filesize
64KB

Download
memory/3992-48-0x000001B001E20000-0x000001B002E20000-memory.dmp

Filesize
16.0MB

Download
memory/3992-49-0x000001B002170000-0x000001B002180000-memory.dmp

Filesize
64KB

Download
memory/3992-50-0x000001B001E20000-0x000001B002E20000-memory.dmp

Filesize
16.0MB

Download
memory/3992-4-0x000001B001E20000-0x000001B002E20000-memory.dmp

Filesize
16.0MB

Download