611b014d7e6d599b972852d88e055a1b83d78f94a4eb6ba0901c966b5b6cb40e

Analysis

max time kernel
1182s
max time network
1204s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v4.6.0/groovy/modules/ext/groovy-3.0.8.jar
Size

7.6MB
MD5

adb6080ad937294752daa7b89534d74a
SHA1

43a7ecf3b8a9d7dd9fc8d468ae96b97cff4616df
SHA256

fa498879e6f46c63d4c37341f6f539a9d0c5be1153b60eba75b4929263549b04
SHA512

fd900a61d16663fcd52bd13377c4e3c00c6a0effad90564474761a6c6ddb38a8adc446936080ab03176eff9173457f9032e3252956a646342e28070c7a9bddd3
SSDEEP

196608:o7+NRWjPVlBANt6K5fIw7yzVVVVVVVV5k08PtoI:y+N4WttVIw+StN

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1820	icacls.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 1820	4764	java.exe	103
PID 4764 wrote to memory of 1820	4764	java.exe	103

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\v4.6.0\groovy\modules\ext\groovy-3.0.8.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2700,i,14629483171127516024,12350888228055326066,262144 --variations-seed-version /prefetch:8
1⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3448 --field-trial-handle=2700,i,14629483171127516024,12350888228055326066,262144 --variations-seed-version /prefetch:8
1⤵
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
dfb7404ba28de80ffde09628a402fa72

SHA1
f47fe3d64193f2dc26e490513f27c536435e644d

SHA256
49d1eab7ce6ae2390d3eb0a6c2a9691de5dfc371611e01ce0644a10c3f5f6c43

SHA512
91dc32922b9b085366e9abd7591d4656c9130c394a758b8bead7ec985a8eba789aac0be427a2b5ffca142daddfa21a1f4c4a30422a21b25189812543bc31a115

Download Submit
memory/4764-4-0x00000237BF450000-0x00000237C0450000-memory.dmp

Filesize
16.0MB

Download
memory/4764-11-0x00000237BDA80000-0x00000237BDA81000-memory.dmp

Filesize
4KB

Download
memory/4764-19-0x00000237BDA80000-0x00000237BDA81000-memory.dmp

Filesize
4KB

Download
memory/4764-20-0x00000237BF450000-0x00000237C0450000-memory.dmp

Filesize
16.0MB

Download
memory/4764-21-0x00000237BF6E0000-0x00000237BF6F0000-memory.dmp

Filesize
64KB

Download
memory/4764-22-0x00000237BF6D0000-0x00000237BF6E0000-memory.dmp

Filesize
64KB

Download
memory/4764-23-0x00000237BF450000-0x00000237C0450000-memory.dmp

Filesize
16.0MB

Download