3863f9491bdc39a5f036c56fba310757779b616bdfb9b13e0748af2a4937a143

Analysis

max time kernel
696s
max time network
729s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2024, 01:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fabric-installer-1.0.0.exe
Size

437KB
MD5

861e96fa83437f147809f4fafbb07f86
SHA1

7a6dbd8c6f5300fe89a481832d3bb7244eb253eb
SHA256

3863f9491bdc39a5f036c56fba310757779b616bdfb9b13e0748af2a4937a143
SHA512

aac75fddcce15c9a2564112f1ea71ae616bea24a15593b0ce522def6a289dd6b2ddc4f2d23c323a9d71456918283fec97a7bb8a2bfe6f5794209f3cbdf691d81
SSDEEP

6144:1AqhQt8C1lu3lRrszNnDthJNV/6KC5TfcAXok5OWgIhvpxH1K4syabpAM:48C1lu3TynwKC5TEAXRvhvpxHOfv

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4148	icacls.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2944	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4792	javaw.exe
4792	javaw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 4008	792	fabric-installer-1.0.0.exe	87
PID 792 wrote to memory of 4008	792	fabric-installer-1.0.0.exe	87
PID 4008 wrote to memory of 4148	4008	javaw.exe	91
PID 4008 wrote to memory of 4148	4008	javaw.exe	91
PID 792 wrote to memory of 4792	792	fabric-installer-1.0.0.exe	93
PID 792 wrote to memory of 4792	792	fabric-installer-1.0.0.exe	93

C:\Users\Admin\AppData\Local\Temp\fabric-installer-1.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\fabric-installer-1.0.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:792
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  "javaw.exe" "-version"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4148
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  "javaw.exe" "-jar" "C:\Users\Admin\AppData\Local\Temp\fabric-installer-1.0.0.exe" "-fabricInstallerBootstrap" "true"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4792

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
aa6b12a35a01ade5eb66540e075d068b

SHA1
9be3597b923c7a79f176d8b28f393fabace6da9b

SHA256
d1420b79a7d5558d84449b6c94b883542113ad5b9db5e3f9844a4c48171bc1e7

SHA512
3e0c1d898bbb35dee6b367e08c08b6d03a26ebf60742af1f6c776dd3bbf239deb2612cee460b4e65492a56b2bbc7ee6aef5a4d91b4d68ddad521f4da1fa442b4

Download Submit
memory/4008-2-0x0000029330D70000-0x0000029331D70000-memory.dmp

Filesize
16.0MB

Download
memory/4008-13-0x0000029330D50000-0x0000029330D51000-memory.dmp

Filesize
4KB

Download
memory/4792-95-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-92-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-30-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-31-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-43-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-49-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-55-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-56-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-58-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-59-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-60-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-61-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-63-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-88-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-103-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-93-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-94-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-19-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-25-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-96-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-115-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-107-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-108-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-111-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-116-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-104-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-118-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-123-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-132-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-136-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-145-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-151-0x000001DE473E0000-0x000001DE473E1000-memory.dmp

Filesize
4KB

Download
memory/4792-173-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-179-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-181-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-190-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-194-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-198-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-232-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download
memory/4792-257-0x000001DE48DB0000-0x000001DE49DB0000-memory.dmp

Filesize
16.0MB

Download