ca438598c383fab834c5e52369032e30c657f8f70cbb095f181ea7779d34bba1

Analysis

max time kernel
126s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C-RD1.jar
Size

395KB
MD5

81e621517a407ae36da0a767b960c88c
SHA1

421f3489d10b803e2dd64d0b47ce619da2da448a
SHA256

ca438598c383fab834c5e52369032e30c657f8f70cbb095f181ea7779d34bba1
SHA512

cd0510723447c5ace63f4ec9eb1aa0aa7d9d56b70f08b16c92c71b9825351122e59c1b5173e1e7288f59a8d732be122e90be397521f80e71328d743ad172788c
SSDEEP

192:WtZ3hAJtjmbwOqaI55LEOkOYiDiMkCjvDhvLlSIz3v4M3LwsUE+1MB7hikCOrPiH:cZ3hOOJvsEOWGWCjvSmwM7wsTvQMC

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1532 icacls.exe

pid	process
1532	icacls.exe

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 3700 wrote to memory of 1532 3700 java.exe icacls.exe
PID 3700 wrote to memory of 1532 3700 java.exe icacls.exe

description	pid	process	target process
PID 3700 wrote to memory of 1532	3700	java.exe	icacls.exe
PID 3700 wrote to memory of 1532	3700	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\C-RD1.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3660 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
1⤵
PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
5f0220380be2ee3f8febbfdd12807a61

SHA1
5b704c2befa1266425817a6bdd716cbc6274c68d

SHA256
efefea63ffe712255a6ed9d007d4eb65239e71fd373da03dc68b944a386d2a06

SHA512
dbb9a0496d60b0e5a2e6bcc61f484f05fb08f318e7c4a366386bae7c3b796766326738a4ed112a11c70b69aa10138496b33842a7bcf746dda371c5ef9ee66cce

Download Submit
memory/3700-27-0x000001DE9D750000-0x000001DE9D760000-memory.dmp

Filesize
64KB

Download
memory/3700-12-0x000001DE9BBF0000-0x000001DE9BBF1000-memory.dmp

Filesize
4KB

Download
memory/3700-19-0x000001DE9D4D0000-0x000001DE9E4D0000-memory.dmp

Filesize
16.0MB

Download
memory/3700-24-0x000001DE9BBF0000-0x000001DE9BBF1000-memory.dmp

Filesize
4KB

Download
memory/3700-26-0x000001DE9D4D0000-0x000001DE9E4D0000-memory.dmp

Filesize
16.0MB

Download
memory/3700-4-0x000001DE9D4D0000-0x000001DE9E4D0000-memory.dmp

Filesize
16.0MB

Download
memory/3700-28-0x000001DE9D770000-0x000001DE9D780000-memory.dmp

Filesize
64KB

Download
memory/3700-29-0x000001DE9D780000-0x000001DE9D790000-memory.dmp

Filesize
64KB

Download
memory/3700-31-0x000001DE9D7A0000-0x000001DE9D7B0000-memory.dmp

Filesize
64KB

Download
memory/3700-30-0x000001DE9D790000-0x000001DE9D7A0000-memory.dmp

Filesize
64KB

Download
memory/3700-32-0x000001DE9D7B0000-0x000001DE9D7C0000-memory.dmp

Filesize
64KB

Download
memory/3700-33-0x000001DE9D4D0000-0x000001DE9E4D0000-memory.dmp

Filesize
16.0MB

Download