2c3c7bb834448fb264ee307b45877b28eacfb51c97c1733fb0f5f12e172a2d66

Analysis

max time kernel
130s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c3c7bb834448fb264ee307b45877b28eacfb51c97c1733fb0f5f12e172a2d66.jar
Size

182KB
MD5

6931358f3fc8605f88a913672cd3bb2f
SHA1

05058b97361814763d3921808b3058cb7347f1aa
SHA256

2c3c7bb834448fb264ee307b45877b28eacfb51c97c1733fb0f5f12e172a2d66
SHA512

27f2d7d3bdc89292e364a301f5a4263fa4c36588418333c16f6ce0812b038f71300c7242c489e502a9e17d08943aa7b602535944459e4624ad2595c035188e10
SSDEEP

3072:WLiKdwQJ6IIGhKxO9SNr36eE6HaZZhWS26j5I1pemu4Gnxs5z7Up:8lwZPOKxO9wsM69z3Pnxyfg

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3484 icacls.exe

pid	process
3484	icacls.exe

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 1148 wrote to memory of 3484 1148 java.exe icacls.exe
PID 1148 wrote to memory of 3484 1148 java.exe icacls.exe

description	pid	process	target process
PID 1148 wrote to memory of 3484	1148	java.exe	icacls.exe
PID 1148 wrote to memory of 3484	1148	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\2c3c7bb834448fb264ee307b45877b28eacfb51c97c1733fb0f5f12e172a2d66.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:8
1⤵
PID:4084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
c52f02c012997525d116f02586654f05

SHA1
b857b7a3e749bcb312f4d3ddc69e694d66864922

SHA256
66edd87d7dcb093a74ad72d397c4c938ce4a5b9c0c67198af5bc3f3c5d8af19c

SHA512
959bad285198bd61d21297ae52969f34ad543d361af750d77f77eca3cf558d78f7c5c29cda86cdb1f7870e32a7f0236cb7601493840e6bda3ad685dc8a7cd04c

Download Submit
memory/1148-44-0x000001BA391E0000-0x000001BA391F0000-memory.dmp

Filesize
64KB

Download
memory/1148-53-0x000001BA38F20000-0x000001BA39F20000-memory.dmp

Filesize
16.0MB

Download
memory/1148-43-0x000001BA391D0000-0x000001BA391E0000-memory.dmp

Filesize
64KB

Download
memory/1148-30-0x000001BA37660000-0x000001BA37661000-memory.dmp

Filesize
4KB

Download
memory/1148-34-0x000001BA38F20000-0x000001BA39F20000-memory.dmp

Filesize
16.0MB

Download
memory/1148-40-0x000001BA37660000-0x000001BA37661000-memory.dmp

Filesize
4KB

Download
memory/1148-41-0x000001BA391A0000-0x000001BA391B0000-memory.dmp

Filesize
64KB

Download
memory/1148-42-0x000001BA39210000-0x000001BA39220000-memory.dmp

Filesize
64KB

Download
memory/1148-21-0x000001BA38F20000-0x000001BA39F20000-memory.dmp

Filesize
16.0MB

Download
memory/1148-12-0x000001BA37660000-0x000001BA37661000-memory.dmp

Filesize
4KB

Download
memory/1148-46-0x000001BA39200000-0x000001BA39210000-memory.dmp

Filesize
64KB

Download
memory/1148-45-0x000001BA391F0000-0x000001BA39200000-memory.dmp

Filesize
64KB

Download
memory/1148-47-0x000001BA38F20000-0x000001BA39F20000-memory.dmp

Filesize
16.0MB

Download
memory/1148-48-0x000001BA39220000-0x000001BA39230000-memory.dmp

Filesize
64KB

Download
memory/1148-49-0x000001BA39230000-0x000001BA39240000-memory.dmp

Filesize
64KB

Download
memory/1148-50-0x000001BA39250000-0x000001BA39260000-memory.dmp

Filesize
64KB

Download
memory/1148-51-0x000001BA39260000-0x000001BA39270000-memory.dmp

Filesize
64KB

Download
memory/1148-52-0x000001BA38F20000-0x000001BA39F20000-memory.dmp

Filesize
16.0MB

Download
memory/1148-4-0x000001BA38F20000-0x000001BA39F20000-memory.dmp

Filesize
16.0MB

Download