8bc4d422624113b2af547b64fa7df842b821f189ca4d7bad6e75767fec4a9e59

Analysis

max time kernel
133s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20-04-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lib/lIIllIIlIlllIlIlllIlIIlIIIlllllIIlIlIIllIllIlIlllIlIIlIlIlIIllIlIIIIIllIIlIIlIIlIIllIIIlIIllIlIIIIlIlIIlIIlIllIIlIIlIlIl.jar
Size

50KB
MD5

d093f94c050d5900795de8149cb84817
SHA1

54058dda5c9e66a22074590072c8a48559bba1fb
SHA256

4bec0794a0d69debe2f955bf495ea7c0858ad84cb0d2d549cacb82e70c060cba
SHA512

3faaa415fba5745298981014d0042e8e01850fccaac22f92469765fd8c56b920da877ff3138a629242d9c52e270e7e2ce89e7c69f6902859f48ea0359842e2fb
SSDEEP

1536:1shuTqhiMtf/2PXkXgjYcO1556i/canPH1y3F95grf5CjdKBfn602ZhqsNgsSJ+y:nw1pywCjUfnX

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1256 icacls.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 1884 wrote to memory of 1256 1884 java.exe icacls.exe
PID 1884 wrote to memory of 1256 1884 java.exe icacls.exe

pid	process
1256	icacls.exe

description	pid	process	target process
PID 1884 wrote to memory of 1256	1884	java.exe	icacls.exe
PID 1884 wrote to memory of 1256	1884	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\lib\lIIllIIlIlllIlIlllIlIIlIIIlllllIIlIlIIllIllIlIlllIlIIlIlIlIIllIlIIIIIllIIlIIlIIlIIllIIIlIIllIlIIIIlIlIIlIIlIllIIlIIlIlIl.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
39328f7c1fb60b9ac0609b634393aaaf

SHA1
82d86301f52b60ee0a03792ccbd4e7345763715c

SHA256
ac59e58b9b3eb56729032c8d5c54c1e6ded098ab388baf44662976010e9b79c4

SHA512
331ea39b5256bfd2788ce8145db63d872fd6580df3b289d8a5f07f9043e8341dac99779074f983284ac5357ebe539cd08ce445aa26ba9592b1c71cf575c9c449

Download Submit
memory/1884-4-0x00000189214D0000-0x00000189224D0000-memory.dmp

Filesize
16.0MB

Download
memory/1884-11-0x000001891FB10000-0x000001891FB11000-memory.dmp

Filesize
4KB

Download
memory/1884-13-0x00000189214D0000-0x00000189224D0000-memory.dmp

Filesize
16.0MB

Download