007370ef1802f2d3466f84a38829747402ce9b4c60e2a6ecd0afb315b04e5b10

Analysis

max time kernel
1352s
max time network
1156s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
14-03-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mods/cloth-config-11.1.118-fabric.jar
Size

1.1MB
MD5

eb13a834db10ee7e8c5e6a6d4b037fbd
SHA1

f669f899d707b9e9acf1c239b0ae6b2c8be95361
SHA256

1a5b6bfc5abb0516b2aa883f99ddff11af2faa5cebdf33beb52cd4e3cd37bb75
SHA512

848aeaf9c218e39452a2efced1872c2f7275c8fd2504fc2cbd63b159faf4eed96481144b7e1dc4fa27296727f54803907ae2e477e66a803c07a2fd51f831eb07
SSDEEP

24576:I+zIYpIfVOLJYoywxtnDvBdEAzNZzD+0R42C1/mwVbCo5ODdaVXRv:6BOF15Zj4/m0ONpaVN

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1628	icacls.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 1628	484	java.exe	82
PID 484 wrote to memory of 1628	484	java.exe	82

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\mods\cloth-config-11.1.118-fabric.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
f16f19d30315ed1a7010a3d22018992c

SHA1
c984a928fde433fd9123a724a76e5d4aed3e5e4c

SHA256
3eeb63422630a2595c6da26cd1df0e68103a7a710c4c36102a47122f35b48f6f

SHA512
fb7c2635f04057813d453a64d879272285546f1cb9323eee15a48453e5fe16f611b0f6b7e1f3572e732ee1cadd082b0de4f97981dc0b644ae19aa1684506f112

Download Submit
memory/484-4-0x000001FE80000000-0x000001FE81000000-memory.dmp

Filesize
16.0MB

Download
memory/484-12-0x000001FEFB2F0000-0x000001FEFB2F1000-memory.dmp

Filesize
4KB

Download