b1b3403d8ae2871c50f7a5cdb7f9d83634a83c23072468fe71d0538c912bbad8

Analysis

max time kernel
92s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2024 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AMENDED PO-120004445-4100126520.jar
Size

172KB
MD5

fb8a3018ade8d911f0c205d832c3279d
SHA1

16e480ffe0238e85318ad5ddd370ce55f296dd2d
SHA256

b1b3403d8ae2871c50f7a5cdb7f9d83634a83c23072468fe71d0538c912bbad8
SHA512

2a25900dc96f50e04ccd9a1dfc4dc202b7ae8dfa63c099058cd9f237aaddde2a669b9ba4e7f822f71b7b01027cc4923703760ed7c4ea168b2fe9462b475833cd
SSDEEP

3072:JwtgWCeR01ZvdgOpw8CNc45gOI5IM7hSIhesNMqeD9mcvyJGJ5fjjh1:qtgWkppuc4Fy7UIhes2548fv/

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4780 icacls.exe

pid	process
4780	icacls.exe

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 3724 wrote to memory of 4780 3724 java.exe icacls.exe
PID 3724 wrote to memory of 4780 3724 java.exe icacls.exe

description	pid	process	target process
PID 3724 wrote to memory of 4780	3724	java.exe	icacls.exe
PID 3724 wrote to memory of 4780	3724	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\AMENDED PO-120004445-4100126520.jar"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:4780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
9c5817f81472a9bc56a9a34cdfc2856c

SHA1
8d59db49a70f3b4b65742005231947f7f258537d

SHA256
801103a218d4b6bf00b87643da36924366832afe929bb7aec6c26d1165b562d7

SHA512
5b1bd3ace64e3f05ec787bbf3b8da60cda1f72cb4670f76ce50dc9884ffe3f4130465226739a7c77bde1ebbdae422752f4904049857f4eeb75dc5d6bf45cd82f

Download Submit
memory/3724-64-0x000001E5EBBD0000-0x000001E5EBBD1000-memory.dmp

Filesize
4KB

Download
memory/3724-81-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-17-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-28-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-38-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-42-0x000001E5EBBD0000-0x000001E5EBBD1000-memory.dmp

Filesize
4KB

Download
memory/3724-43-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-67-0x000001E5EBBD0000-0x000001E5EBBD1000-memory.dmp

Filesize
4KB

Download
memory/3724-89-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-12-0x000001E5EBBD0000-0x000001E5EBBD1000-memory.dmp

Filesize
4KB

Download
memory/3724-48-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-68-0x000001E5EBBD0000-0x000001E5EBBD1000-memory.dmp

Filesize
4KB

Download
memory/3724-69-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-73-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-75-0x000001E5EBBD0000-0x000001E5EBBD1000-memory.dmp

Filesize
4KB

Download
memory/3724-79-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-80-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-4-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-82-0x000001E5ED4A0000-0x000001E5EE4A0000-memory.dmp

Filesize
16.0MB

Download
memory/3724-62-0x000001E5EBBD0000-0x000001E5EBBD1000-memory.dmp

Filesize
4KB

Download