c496a406536d17e5f8ab08b94b8fa187af12cba398ee9a92cd9ef000d356f904

Analysis

max time kernel
122s
max time network
186s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2024, 20:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_32_/lib/antlr4-runtime-4.1.jar
Size

246KB
MD5

670009558e7c71d9bbb92e329b45cc59
SHA1

3f42a2396857e4b7d088a63ec265fd7817b14d7a
SHA256

a80a47161618c3a1f318df924ba6ed26ff5420c8e2e806d50459171c8eb8d512
SHA512

e46f8cade2cc00e5b37fab6f63b4688d054562a73b0201dcf93e2e0a115409258fc43b19e7e20d3bef0ff5daa8be32b44cdcd3cb82368b940fe175f1ccf1ccc8
SSDEEP

6144:P3Lfnzk/3IxSolLWSYs6iLEs5hfACKUazyLHyXC:P7fzJL/6iLhojUazyLp

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1176	icacls.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 1176	4380	java.exe	80
PID 4380 wrote to memory of 1176	4380	java.exe	80

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\$_32_\lib\antlr4-runtime-4.1.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:1176

Network

DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

182.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.178.17.96.in-addr.arpa

IN PTR

Response

182.178.17.96.in-addr.arpa

IN PTR

a96-17-178-182deploystaticakamaitechnologiescom
DNS

182.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.178.17.96.in-addr.arpa

IN PTR
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.243.31
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

204.79.197.200:443

tse1.mm.bing.net

tls

2.0kB
8.5kB
19
16
204.79.197.200:443

tse1.mm.bing.net

tls

2.0kB
8.5kB
20
17
204.79.197.200:443

tse1.mm.bing.net

tls

94.3kB
2.7MB
1967
1961
204.79.197.200:443

tse1.mm.bing.net

tls

2.0kB
8.5kB
19
16
204.79.197.200:443

tse1.mm.bing.net

tls

2.0kB
8.5kB
19
16

8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

349 B
625 B
5
4

DNS Request

71.31.126.40.in-addr.arpa

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

182.178.17.96.in-addr.arpa

DNS Request

182.178.17.96.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

224 B
299 B
3
2

DNS Request

88.156.103.20.in-addr.arpa

DNS Request

nexusrules.officeapps.live.com

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.243.31

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
e79228261acf99bd8bef9981d908529c

SHA1
90b47824726901d781941c4a4704d3a275de290d

SHA256
74b013990a2e7a545e0ce63c038fa14f6006574a2c4c3de6837ed2416286c47a

SHA512
c633dcf0fe2bc934c2c6a7d06d8680ddab630ef702ad954aa4a00540c75c318ac4aebc3f7883d0acbaf5119646a14378d4537e23a5c46045fab07a8ad68f9806

Download Submit
memory/4380-8-0x000002BCE3270000-0x000002BCE4270000-memory.dmp

Filesize
16.0MB

Download
memory/4380-12-0x000002BCE3250000-0x000002BCE3251000-memory.dmp

Filesize
4KB

Download
memory/4380-13-0x000002BCE3270000-0x000002BCE4270000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.