5cd03f588d47cf564be795d1a114c9812b702e7858704094d959ad97df7f7ca8

General

Target

380c08c3471775e3eccdcd3c755074457e7cdafc02e92e7b9ceaad8b500ea8a6.jar
Size

643KB
MD5

df2d12625998b7c51a4eab26d3a42e7e
SHA1

3d0403ab389c056beae99b7e71cca51ad521c870
SHA256

380c08c3471775e3eccdcd3c755074457e7cdafc02e92e7b9ceaad8b500ea8a6
SHA512

af1ead62e893127323e6b86abad37ad804928bd96e9dbaac618cc737490efa0e61329d8dfb636fa9fd215596721ad04f3e63a2c04a909e895af8c08d02f1e75d
SSDEEP

12288:R/eAo7rK7tfAKc6Mr+DpxFGs/HfTeg1jPZc+AR6AptwyoFGVKBzG1KpUfsRxrq40:no7rKJcPr+wIHfzxcbTLwyoFuKBAURx4

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3340 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3340	icacls.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

java.exe

description	pid	process	target process
PID 4248 wrote to memory of 3340	4248	java.exe	icacls.exe
PID 4248 wrote to memory of 3340	4248	java.exe	icacls.exe
PID 4248 wrote to memory of 5108	4248	java.exe	wscript.exe
PID 4248 wrote to memory of 5108	4248	java.exe	wscript.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\380c08c3471775e3eccdcd3c755074457e7cdafc02e92e7b9ceaad8b500ea8a6.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:3340

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\gcahfpmhcn.js
2⤵
PID:5108

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\uinwlmrr.txt"
3⤵
PID:1872

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.14362475715525573973622678894914574.class
4⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3632 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:3168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
59f263abfb3fcb038ba102695d60a489

SHA1
19d574fc7673fa69318373586a4cec5a575fa4d6

SHA256
e1db66df917d200f4f63e7122e87c0199a125fa89eb38258085e1e7cc828b423

SHA512
63d058d32b0489cb844a9f92aec68c4bdc9110c63574f80f17da1109e02e2428a44f3144536857804d393174642ab486c3140ad775dfbeabf246dac7fa6cbd00

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
895044d0ea563db3ec1d221a8a65841e

SHA1
b4920013be4ca41002eb151327733a8f91c79943

SHA256
ef214f46f5ef61ae3c5e9a2b643892ea4c9f484c4fabe2b395691a49bb8b8a54

SHA512
4e2d9a56f89d33a468321242c8834315a3555b6bdac499a302dda885c4a1b6ca9d26acbb79094faabf1730d666194d9a53d8f1ef3712b10abb3eedd062cdce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.14362475715525573973622678894914574.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\83aa4cc77f591dfc2374580bbd95f6ba_2397ee06-28fe-4eaa-8777-f7014368c353
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\uinwlmrr.txt
Filesize
479KB

MD5
d7d1131452a0427e78a2710d280537b5

SHA1
279b601cb79c5d1790910c839125a45b2f43101d

SHA256
4c81c42509988b29c4d77288ed55849de919676fbca4a938bf773f893f2e547e

SHA512
483d03f5dcf0011679463a68f233cb50796c056d1045cc6eeaccae41ffbe51e562a186f6cd6196b0c3b63631553a7d780d6d77648117903e4d58238b2ef8d198

Download Submit
C:\Users\Admin\gcahfpmhcn.js
Filesize
1006KB

MD5
5bca887380e1881f351c22574d257e41

SHA1
987634d53966aa6e84c72ad366bb78e619cb674a

SHA256
5f4b5467cccbbc2f2c5771d9547e7fca350df341d154f4d83a4442b7a44cdf06

SHA512
26c9da1464668a4d084095c4425f3e51c9c875e57315b8356081ab2ef032e5bfb28cbbef99d915dc626267c3abc9f8c134cae6778b5679e828fd55558946b92d

Download Submit
memory/1872-80-0x000001E2DE1B0000-0x000001E2DF1B0000-memory.dmp

Filesize
16.0MB

Download
memory/1872-58-0x000001E2DE190000-0x000001E2DE191000-memory.dmp

Filesize
4KB

Download
memory/1872-97-0x000001E2DE190000-0x000001E2DE191000-memory.dmp

Filesize
4KB

Download
memory/1872-22-0x000001E2DE1B0000-0x000001E2DF1B0000-memory.dmp

Filesize
16.0MB

Download
memory/1872-29-0x000001E2DE190000-0x000001E2DE191000-memory.dmp

Filesize
4KB

Download
memory/1872-72-0x000001E2DE1B0000-0x000001E2DF1B0000-memory.dmp

Filesize
16.0MB

Download
memory/3052-86-0x0000019BE3DE0000-0x0000019BE4DE0000-memory.dmp

Filesize
16.0MB

Download
memory/3052-50-0x0000019BE3DC0000-0x0000019BE3DC1000-memory.dmp

Filesize
4KB

Download
memory/3052-48-0x0000019BE3DC0000-0x0000019BE3DC1000-memory.dmp

Filesize
4KB

Download
memory/3052-98-0x0000019BE3DC0000-0x0000019BE3DC1000-memory.dmp

Filesize
4KB

Download
memory/3052-39-0x0000019BE3DE0000-0x0000019BE4DE0000-memory.dmp

Filesize
16.0MB

Download
memory/3052-108-0x0000019BE3DC0000-0x0000019BE3DC1000-memory.dmp

Filesize
4KB

Download
memory/4248-14-0x0000017824010000-0x0000017824011000-memory.dmp

Filesize
4KB

Download
memory/4248-2-0x0000017825860000-0x0000017826860000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing