d60e8867b05482e8538c1675ad130cc256d045b6f83abea49c18723e0ff0050b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 12:52

Target

PokeRandoZX.jar
Size

1.2MB
MD5

b8fea1991d9947fc4c06a8f67efb9e83
SHA1

1ee4f888680527071ca844e29704fcb72115d319
SHA256

4796fd7535fa6cd18ea426afed67408fdf5dff6ab27cb4366c32a6091cd11cb4
SHA512

ae6bb30d17b4d39127fe5eb634a6fbcbc3f032d6915ee08ebc9e2f7c95b9f6ec467c98ca1a7e7375017f62be7f242ba234119c67bb0f9ae68eb3c7803f9b2e70
SSDEEP

24576:tTaasu6r0TqFLLlsYusMHHLAtjetKyfu53Es+Yc/z4QBQacP+GDRhUnXk4:tTanu68qFLn/MnLAtjnmuOs+Yc/EQB1B

Score

7^/10

discovery

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4108 icacls.exe

pid	process
4108	icacls.exe

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	java.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

912 java.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 912 wrote to memory of 4108 912 java.exe icacls.exe
PID 912 wrote to memory of 4108 912 java.exe icacls.exe

pid	process
912	java.exe

description	pid	process	target process
PID 912 wrote to memory of 4108	912	java.exe	icacls.exe
PID 912 wrote to memory of 4108	912	java.exe	icacls.exe

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:4108

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
ea84c4e1ea8ecd58851d2609cccc9c65

SHA1
eb323e4aadc1a4cbb6b671816ac97e5bc2000c7d

SHA256
83f114cf1758eda9b42092a48912e11962973db6249f32a0064d4f34ddb087f0

SHA512
722c518e389b7c30117d9a8c5f4c9fd3bf1966dae63811dbb43d4f68b663f9ba9a80a5e3c2814a2a07cc4dca7851d99bbe4aabaf637a685dfac59446fba7a050

Download Submit
memory/912-4-0x000001A265170000-0x000001A266170000-memory.dmp

Filesize
16.0MB

Download
memory/912-12-0x000001A265150000-0x000001A265151000-memory.dmp

Filesize
4KB

Download
memory/912-18-0x000001A265150000-0x000001A265151000-memory.dmp

Filesize
4KB

Download
memory/912-24-0x000001A265170000-0x000001A266170000-memory.dmp

Filesize
16.0MB

Download
memory/912-25-0x000001A2653F0000-0x000001A265400000-memory.dmp

Filesize
64KB

Download
memory/912-26-0x000001A265170000-0x000001A266170000-memory.dmp

Filesize
16.0MB

Download