007370ef1802f2d3466f84a38829747402ce9b4c60e2a6ecd0afb315b04e5b10

Analysis

max time kernel
1486s
max time network
1512s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
14-03-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mods/optifabric-1.13.25.jar
Size

456KB
MD5

e349c1f11e654f65daf72b808f078b20
SHA1

3a38607cd0a7dd73dc5596cf4a822ce29d08c4ea
SHA256

6656e6f53dc1bf740a4e63e6354c72dd3fa24c528da24b446bb0bfe02637d888
SHA512

00883e4816ecaa061a885b72a65c9c8cfb4062004a1a3f6efbb912535c010675b90e04e513b327ec9fae66c8a9ce6e38e57b2fb09915a72165076d94506f53c6
SSDEEP

6144:AyGdBmIiHwbuDGeE3ol9TcBoNgKaPkCaAfP9rpH8nGDYYe8YrWClU2S1QTo+yU+0:AyVJt/E4TTcjjnNBhrqrWcUdaSm10u

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1260	icacls.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 1260	4744	java.exe	82
PID 4744 wrote to memory of 1260	4744	java.exe	82

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\mods\optifabric-1.13.25.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
c04207bee895072faeeadb23e44de518

SHA1
47752d9b8be43d7a38eca16aac319aa03cf44313

SHA256
a27390b52fab73e14141ba3ee90cec0aa097d98370047f3fc5cc2fa3ba17da71

SHA512
67f1a78efa5e0a519cddfa62a09077c46e0bb1f118b40403552ee7199d37cde90a00821aee2140e0449947c740ca5bc6838d10219395b74fe5b217b869b09fce

Download Submit
memory/4744-4-0x000002AA3E440000-0x000002AA3F440000-memory.dmp

Filesize
16.0MB

Download
memory/4744-11-0x000002AA3CBD0000-0x000002AA3CBD1000-memory.dmp

Filesize
4KB

Download
memory/4744-13-0x000002AA3E440000-0x000002AA3F440000-memory.dmp

Filesize
16.0MB

Download