007370ef1802f2d3466f84a38829747402ce9b4c60e2a6ecd0afb315b04e5b10

Analysis

max time kernel
1473s
max time network
1490s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
14-03-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mods/OptiFine_1.20.1_HD_U_I6.jar
Size

6.8MB
MD5

7a7982ac06b89dd8c1721ea53a33b768
SHA1

227914ab1037762eae44a2e66a568b87d7a02365
SHA256

0b67cb670aedf2e55a982f3d52b6d53e46791a0c984aa1d2ee58100fc9bfc650
SHA512

b368f969e32ce4d0c098794b3f65738d20ce53c25948197fbea2722b0ba931a1cb5eed46079211821bbfd2cda585991d3bebc17bb9e49db941649f9481fc06d9
SSDEEP

98304:LemJw2XkBc2MWrcm6CcJ9uQBxWj1okVfsd/+0M/teRQMO90b:DKikBcircJfJ9uPot/67Meg

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
592	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3532	java.exe
3532	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 592	3532	java.exe	82
PID 3532 wrote to memory of 592	3532	java.exe	82

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\mods\OptiFine_1.20.1_HD_U_I6.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
3ba1010798243f66e6612d6d05ddfcbb

SHA1
a95b122fce4b5e18201edd3ff41a5b98206ab96e

SHA256
827d09051355191cda6c1fa00846947d3ab858925caf832822225e9ebe93b34d

SHA512
eeb99baa7fe0cb59d2591021615caa9ab0b3671fcd5b1db3120e4a54dc50909f70a6333114d8fba1cd2d9bbb7faba12474357caf1a6930797624c6a629744f15

Download Submit
memory/3532-96-0x00000150A8DB0000-0x00000150A9DB0000-memory.dmp

Filesize
16.0MB

Download
memory/3532-31-0x00000150A7520000-0x00000150A7521000-memory.dmp

Filesize
4KB

Download
memory/3532-102-0x00000150A8DB0000-0x00000150A9DB0000-memory.dmp

Filesize
16.0MB

Download
memory/3532-25-0x00000150A7520000-0x00000150A7521000-memory.dmp

Filesize
4KB

Download
memory/3532-105-0x00000150A8DB0000-0x00000150A9DB0000-memory.dmp

Filesize
16.0MB

Download
memory/3532-90-0x00000150A8DB0000-0x00000150A9DB0000-memory.dmp

Filesize
16.0MB

Download
memory/3532-93-0x00000150A8DB0000-0x00000150A9DB0000-memory.dmp

Filesize
16.0MB

Download
memory/3532-107-0x00000150A8DB0000-0x00000150A9DB0000-memory.dmp

Filesize
16.0MB

Download
memory/3532-18-0x00000150A7520000-0x00000150A7521000-memory.dmp

Filesize
4KB

Download
memory/3532-15-0x00000150A7520000-0x00000150A7521000-memory.dmp

Filesize
4KB

Download
memory/3532-4-0x00000150A8DB0000-0x00000150A9DB0000-memory.dmp

Filesize
16.0MB

Download
memory/3532-110-0x00000150A8DB0000-0x00000150A9DB0000-memory.dmp

Filesize
16.0MB

Download
memory/3532-112-0x00000150A9040000-0x00000150A9050000-memory.dmp

Filesize
64KB

Download
memory/3532-113-0x00000150A90A0000-0x00000150A90B0000-memory.dmp

Filesize
64KB

Download
memory/3532-114-0x00000150A90B0000-0x00000150A90C0000-memory.dmp

Filesize
64KB

Download
memory/3532-115-0x00000150A8DB0000-0x00000150A9DB0000-memory.dmp

Filesize
16.0MB

Download
memory/3532-116-0x00000150A8DB0000-0x00000150A9DB0000-memory.dmp

Filesize
16.0MB

Download