86e3168768b4dded4c22653c5a5cfad62deef7f247ccdf010507e6a1ef84ad66

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

forge-1.15.2-31.1.37-installer.jar
Size

6.1MB
MD5

b84cb0c455cc948390ec86afd0857926
SHA1

47e7b739b8937417db086703241489e0677e5d91
SHA256

86e3168768b4dded4c22653c5a5cfad62deef7f247ccdf010507e6a1ef84ad66
SHA512

21038cb47be675c72042d75c89137bc9e286456b058773452f76a8f78a2dfdb2867d8514570cb68e00a2da09052b37b6257bafe0a0051589764acf18b13bea92
SSDEEP

196608:mq+vOOftbabhj/yeiiSLVzsTMHYa7LLafSPf:mFvOOflatqekhgTjaDaf0

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

636 icacls.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

java.exe

pid process

4824 java.exe
4824 java.exe
4824 java.exe
4824 java.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 4824 wrote to memory of 636 4824 java.exe icacls.exe
PID 4824 wrote to memory of 636 4824 java.exe icacls.exe

pid	process
636	icacls.exe

pid	process
4824	java.exe
4824	java.exe
4824	java.exe
4824	java.exe

description	pid	process	target process
PID 4824 wrote to memory of 636	4824	java.exe	icacls.exe
PID 4824 wrote to memory of 636	4824	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\forge-1.15.2-31.1.37-installer.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
4a9adabedb57d3ade5c909dd71491602

SHA1
09fde158c512d31b99bce32ec944575da6f28170

SHA256
44a3d1989cf313f2b42dbcc14da41551671cdf3e64c4f016537e94b0447c9000

SHA512
1e66306e131a265eeda9ced9f9671a5a31c4f63612e6d100e9c00a8d2673f1954a3fee6c46d52969ccb2715d66255b833b32cc3a3ab9ebaefd7d2e2bf15510c4

Download Submit
memory/4824-36-0x0000024D5F3F0000-0x0000024D603F0000-memory.dmp

Filesize
16.0MB

Download
memory/4824-15-0x0000024D5DC20000-0x0000024D5DC21000-memory.dmp

Filesize
4KB

Download
memory/4824-19-0x0000024D5F3F0000-0x0000024D603F0000-memory.dmp

Filesize
16.0MB

Download
memory/4824-24-0x0000024D5F3F0000-0x0000024D603F0000-memory.dmp

Filesize
16.0MB

Download
memory/4824-35-0x0000024D5DC20000-0x0000024D5DC21000-memory.dmp

Filesize
4KB

Download
memory/4824-4-0x0000024D5F3F0000-0x0000024D603F0000-memory.dmp

Filesize
16.0MB

Download
memory/4824-43-0x0000024D5F3F0000-0x0000024D603F0000-memory.dmp

Filesize
16.0MB

Download
memory/4824-44-0x0000024D5DC20000-0x0000024D5DC21000-memory.dmp

Filesize
4KB

Download
memory/4824-47-0x0000024D5F3F0000-0x0000024D603F0000-memory.dmp

Filesize
16.0MB

Download
memory/4824-65-0x0000024D5DC20000-0x0000024D5DC21000-memory.dmp

Filesize
4KB

Download
memory/4824-76-0x0000024D5DC20000-0x0000024D5DC21000-memory.dmp

Filesize
4KB

Download
memory/4824-93-0x0000024D5F3F0000-0x0000024D603F0000-memory.dmp

Filesize
16.0MB

Download
memory/4824-96-0x0000024D5F3F0000-0x0000024D603F0000-memory.dmp

Filesize
16.0MB

Download