3863f9491bdc39a5f036c56fba310757779b616bdfb9b13e0748af2a4937a143

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 11:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fabric-installer-1.0.0 (1).exe
Size

437KB
MD5

861e96fa83437f147809f4fafbb07f86
SHA1

7a6dbd8c6f5300fe89a481832d3bb7244eb253eb
SHA256

3863f9491bdc39a5f036c56fba310757779b616bdfb9b13e0748af2a4937a143
SHA512

aac75fddcce15c9a2564112f1ea71ae616bea24a15593b0ce522def6a289dd6b2ddc4f2d23c323a9d71456918283fec97a7bb8a2bfe6f5794209f3cbdf691d81
SSDEEP

6144:1AqhQt8C1lu3lRrszNnDthJNV/6KC5TfcAXok5OWgIhvpxH1K4syabpAM:48C1lu3TynwKC5TEAXRvhvpxHOfv

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4960	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1860	javaw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1016	3012	fabric-installer-1.0.0 (1).exe	89
PID 3012 wrote to memory of 1016	3012	fabric-installer-1.0.0 (1).exe	89
PID 1016 wrote to memory of 4960	1016	javaw.exe	91
PID 1016 wrote to memory of 4960	1016	javaw.exe	91
PID 3012 wrote to memory of 1860	3012	fabric-installer-1.0.0 (1).exe	93
PID 3012 wrote to memory of 1860	3012	fabric-installer-1.0.0 (1).exe	93

C:\Users\Admin\AppData\Local\Temp\fabric-installer-1.0.0 (1).exe
"C:\Users\Admin\AppData\Local\Temp\fabric-installer-1.0.0 (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  "javaw.exe" "-version"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4960
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  "javaw.exe" "-jar" "C:\Users\Admin\AppData\Local\Temp\fabric-installer-1.0.0 (1).exe" "-fabricInstallerBootstrap" "true"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
3810c73d6bb3697ba6514d27cb10c49e

SHA1
b772c2b4a6e52552fb664a2fd8782c72ba486baa

SHA256
f0a2e07af60f264f9a87027467a1c70f6a4eeaf855f800572a7d09da03b39fa2

SHA512
62fe3f7b34184da8f2e54bc89a02886c809d1bb643b6c2b3acb123cf90659c80f20d9a08292cbfa097fa62f3e6e981fa252123681f11c85833f6196b3c36377f

Download Submit
memory/1016-4-0x000002123FDA0000-0x0000021240DA0000-memory.dmp

Filesize
16.0MB

Download
memory/1016-12-0x000002123FD80000-0x000002123FD81000-memory.dmp

Filesize
4KB

Download
memory/1860-51-0x000001F681C10000-0x000001F681C20000-memory.dmp

Filesize
64KB

Download
memory/1860-53-0x000001F681990000-0x000001F682990000-memory.dmp

Filesize
16.0MB

Download
memory/1860-29-0x000001F6801C0000-0x000001F6801C1000-memory.dmp

Filesize
4KB

Download
memory/1860-35-0x000001F681990000-0x000001F682990000-memory.dmp

Filesize
16.0MB

Download
memory/1860-42-0x000001F681990000-0x000001F682990000-memory.dmp

Filesize
16.0MB

Download
memory/1860-47-0x000001F681990000-0x000001F682990000-memory.dmp

Filesize
16.0MB

Download
memory/1860-52-0x000001F681C80000-0x000001F681C90000-memory.dmp

Filesize
64KB

Download
memory/1860-22-0x000001F681990000-0x000001F682990000-memory.dmp

Filesize
16.0MB

Download
memory/1860-54-0x000001F681CD0000-0x000001F681CE0000-memory.dmp

Filesize
64KB

Download
memory/1860-25-0x000001F6801C0000-0x000001F6801C1000-memory.dmp

Filesize
4KB

Download
memory/1860-56-0x000001F681C70000-0x000001F681C80000-memory.dmp

Filesize
64KB

Download
memory/1860-55-0x000001F681C60000-0x000001F681C70000-memory.dmp

Filesize
64KB

Download
memory/1860-57-0x000001F681C90000-0x000001F681CA0000-memory.dmp

Filesize
64KB

Download
memory/1860-60-0x000001F681CB0000-0x000001F681CC0000-memory.dmp

Filesize
64KB

Download
memory/1860-59-0x000001F681CA0000-0x000001F681CB0000-memory.dmp

Filesize
64KB

Download
memory/1860-58-0x000001F681990000-0x000001F682990000-memory.dmp

Filesize
16.0MB

Download
memory/1860-61-0x000001F681990000-0x000001F682990000-memory.dmp

Filesize
16.0MB

Download
memory/1860-63-0x000001F681990000-0x000001F682990000-memory.dmp

Filesize
16.0MB

Download