1f4f8ce7d5a44276381e8d5326caded7f2d37f9f4a6c8a9c21545a078e809e24

Analysis

max time kernel
92s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

minelaunched.exe
Size

4.3MB
MD5

e7d67b13853205aee8d795d312fcf7b9
SHA1

765ba1505b30aa5892246b7ec3b329047ccd6009
SHA256

1f4f8ce7d5a44276381e8d5326caded7f2d37f9f4a6c8a9c21545a078e809e24
SHA512

fc3095d760f3a56e1370cc71d4ca9100145fa99006c65154e010c46e3e51b63f15107ea8ee155ed77202803d7c8e1b28d14009967514c48c09650402d5149bb5
SSDEEP

98304:yE8BxgYeVw9gF/vjhtuN5Mzp4mnfavCxCtOgyraXkL:qByYeu9gdvjnuS8C0pkL

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4536	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 2032	3160	minelaunched.exe	85
PID 3160 wrote to memory of 2032	3160	minelaunched.exe	85
PID 2032 wrote to memory of 4536	2032	javaw.exe	86
PID 2032 wrote to memory of 4536	2032	javaw.exe	86

C:\Users\Admin\AppData\Local\Temp\minelaunched.exe
"C:\Users\Admin\AppData\Local\Temp\minelaunched.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\minelaunched.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
4afd37ea118cf0632bf9900a72200134

SHA1
d89e0126ae0404e51191870b5e6046f8a874eece

SHA256
9aa960416c9639e55e40eae1ab50df7aad8579884f7ebea5b85a5a557f27c00c

SHA512
86a0f2324f22bcd747255dbe70ae3b893cc559ba4a999e3c57a3ff9882ed75e573b65ce6a4321680d50a8b03dda91e33c45030d804629218dedc54e8676b73e6

Download Submit
memory/2032-5-0x000001BA485A0000-0x000001BA495A0000-memory.dmp

Filesize
16.0MB

Download
memory/2032-13-0x000001BA46CC0000-0x000001BA46CC1000-memory.dmp

Filesize
4KB

Download
memory/2032-22-0x000001BA48820000-0x000001BA48830000-memory.dmp

Filesize
64KB

Download
memory/2032-23-0x000001BA485A0000-0x000001BA495A0000-memory.dmp

Filesize
16.0MB

Download
memory/2032-24-0x000001BA485A0000-0x000001BA495A0000-memory.dmp

Filesize
16.0MB

Download
memory/3160-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download