009033a7c6762dfd9f4aceab9eba3241b50491d0d3cff02ca8f6991a0814d4c8

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7adcd12631227ed62d6ab3c995eff01.jar
Size

102KB
MD5

c7adcd12631227ed62d6ab3c995eff01
SHA1

bfe1d108798004af37f8b1d8dcbc4711634cfbab
SHA256

009033a7c6762dfd9f4aceab9eba3241b50491d0d3cff02ca8f6991a0814d4c8
SHA512

61889433fbf01bdd71e587444ac3ca149ef0afdca1f4aa87dd97e1bb071accfa729cfa13d2c087bfbe357257f030a0ebf62dbe008183475b797f2d14d7d13a13
SSDEEP

3072:u5oRowGq8d2X2BW68jzQ8qxwXccO309FWj7:lqnqVmBL8jQm1OE90j7

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2392	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2392	5060	java.exe	91
PID 5060 wrote to memory of 2392	5060	java.exe	91

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\c7adcd12631227ed62d6ab3c995eff01.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
08c38da07254d086c2dca87660b55711

SHA1
a918da86132496e48d6c3ead6e56282dc67d151c

SHA256
f30f07420722a34cb3ef0a9abe8323931df07a947c59c0770c0acbaae0e9e14e

SHA512
11e00a6db05af01a91cc2cdaf986d25e5c56d070b0042230f4e087d5f922e06bc0836d48d70d1bf01b286b0fb806dd127808713b410a6c37c0fb13f11f7b8c20

Download Submit
memory/5060-4-0x000001A3AB9F0000-0x000001A3AC9F0000-memory.dmp

Filesize
16.0MB

Download
memory/5060-15-0x000001A3AB9F0000-0x000001A3AC9F0000-memory.dmp

Filesize
16.0MB

Download
memory/5060-19-0x000001A3ABC70000-0x000001A3ABC80000-memory.dmp

Filesize
64KB

Download
memory/5060-20-0x000001A3ABC80000-0x000001A3ABC90000-memory.dmp

Filesize
64KB

Download
memory/5060-21-0x000001A3ABC90000-0x000001A3ABCA0000-memory.dmp

Filesize
64KB

Download