2d840a08d60d89aa2a0b07cec1e4c940e5d6b59bddbea43465f46086508caf51

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mods/sodium-fabric-mc1.18.2-0.4.1+build.15.jar
Size

1.3MB
MD5

601f5c1d8b2b6e3c08a1216000099508
SHA1

f839863a6be7014b8d80058ea1f361521148d049
SHA256

776fb3cd8c8ddee898eb1d9dc88a72d899aaa8792f21914b39ad990cea253784
SHA512

86eb4db8fdb9f0bb06274c4f150b55273b5b770ffc89e0ba68011152a231b79ebe0b1adda0dd194f92cdcb386f7a60863d9fee5d15c1c3547ffa22a19083a1ee
SSDEEP

24576:oERs8iAe/ygK4xNNpvAwo/WgwYQWZ/ZtfoTvzSoa/P5zw1PaJRgq:okOt/HxdAwo/w0Z/ZtAc/B2q

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3672	icacls.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 3672	4248	java.exe	95
PID 4248 wrote to memory of 3672	4248	java.exe	95

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\mods\sodium-fabric-mc1.18.2-0.4.1+build.15.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:3672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8
1⤵
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
3288a769aeab770154aacdbb08f125c1

SHA1
229b683245c0dd031bad701cb9f29923b1cc8fac

SHA256
b689b6dde34cdcadff586e8c06fdfc9d67bba3fb4f9fe967d1374f8cd64868fd

SHA512
2037d24dffc9af2defb3bfe3f7d48d6a73f57cb7e6a26951685312ecf15a2d4417476d7424c3d2690158f743259acddf86d993105f29c65b82acf27e37bb8567

Download Submit
memory/4248-4-0x000001B567890000-0x000001B568890000-memory.dmp

Filesize
16.0MB

Download
memory/4248-12-0x000001B567870000-0x000001B567871000-memory.dmp

Filesize
4KB

Download
memory/4248-13-0x000001B567890000-0x000001B568890000-memory.dmp

Filesize
16.0MB

Download