d8270349b467d0755c01a11c74ea8886190eb8df48574795705928c633516e49

General

Target

d8270349b467d0755c01a11c74ea8886190eb8df48574795705928c633516e49.exe
Size

1.4MB
MD5

f896da566264cddb1b663a8b95095336
SHA1

d07d833ebca01f45765273394f182e2d12229610
SHA256

d8270349b467d0755c01a11c74ea8886190eb8df48574795705928c633516e49
SHA512

7efcc663f72ca1a0e9435c31049ab3471c3888f938588fd94a8459e4f2bc0b5c460b616f8e351f2e45f2cf0ec9f21a9228ca9fd2dea4a4bdc0fcbff78ac716e5
SSDEEP

24576:GIeBdQNZswnFSG68kvoJ4cdVEDdmArE27ipsC/vfVm7E/vazaFN:AQNiwnFRkvoJ4cdqc/xpN/4E/vazaFN

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2072	java.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4808	icacls.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\RNDKEY904684024064784438	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	java.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rndkey904684024064784438	java.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2072	java.exe
2072	java.exe
2072	java.exe
2072	java.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 2884	3608	d8270349b467d0755c01a11c74ea8886190eb8df48574795705928c633516e49.exe	85
PID 3608 wrote to memory of 2884	3608	d8270349b467d0755c01a11c74ea8886190eb8df48574795705928c633516e49.exe	85
PID 2884 wrote to memory of 4808	2884	java.exe	88
PID 2884 wrote to memory of 4808	2884	java.exe	88
PID 3608 wrote to memory of 2072	3608	d8270349b467d0755c01a11c74ea8886190eb8df48574795705928c633516e49.exe	92
PID 3608 wrote to memory of 2072	3608	d8270349b467d0755c01a11c74ea8886190eb8df48574795705928c633516e49.exe	92

C:\Users\Admin\AppData\Local\Temp\d8270349b467d0755c01a11c74ea8886190eb8df48574795705928c633516e49.exe
"C:\Users\Admin\AppData\Local\Temp\d8270349b467d0755c01a11c74ea8886190eb8df48574795705928c633516e49.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\\NBI65173.tmp TestJDK
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4808
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -Djava.io.tmpdir=C:\Users\Admin\AppData\Local\Temp\ -Xmx256m -Xms64m -Dnbi.local.directory.path=C:\Users\Administrator\.offlinetool-installer -classpath C:\Users\Admin\AppData\Local\Temp\\NBI65173.tmp\uninstall.jar org.netbeans.installer.Installer --target offlinetool 1.0.0.0.0 --force-uninstall
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
a097068c1ef56c46f462ffcc9996bbe7

SHA1
a050abcff98f0ff51f5bc61ca903a71c78e17fa1

SHA256
ceb09a6db78c320d2e28ed9f0db4ab1dfa19a93a92c23ee17cf7361399bf0933

SHA512
e64af0b722e5367c70675ead4a621a1ae9bddbe072872a323a2628b571d5d594e2abe826423f93cca5fb67f8c94fa8158523e431e56a50b98c60fdf601ae6b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBI65173.tmp\TestJDK.class

Filesize
612B

MD5
5a870d05a477bd508476c1addce46e52

SHA1
d601bb6b81b7367db8a55462a4da3e8dd5f13ba7

SHA256
8923583fcf65117a43ba50c979b4185821b0b9f8bbd95dccb58a307a00a9b38b

SHA512
f7d079105c9c7d736e9b0f880118e0729bd29f36ce9e9440905595fb90208bbd62f71e0bf0413668fb6c01e4d2168dfff6026beeec6032c2c146a3c752849e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBI65173.tmp\uninstall.jar

Filesize
1.0MB

MD5
7dba3d0220c7e993b43a8bc0905e0e5f

SHA1
b118edfa2f3a86326ff632dd7fe6a19bae890812

SHA256
92da45af16c4bfb9d97739fc6c315c96d642b6d6b4945c033c747066c8827354

SHA512
98cfd9659d9643aaa3f854d4fb0ef6bdf782cf93b89506e174afb1be9c9a9f32df530a44291cb6356edcc9b7bb560ef337215a3f4c0cbde99bb329851dfc4361

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbi-1721525189858522736.tmp

Filesize
19KB

MD5
1c56b6264905ad1e1a04d1c2bb445c77

SHA1
fc15d4cfaf9b0b0a508543d22a3c9cab5a37cd14

SHA256
e20654928a84c5b61bde154e33bdd845fac1ae8c852c1152d5608c5a15edd83a

SHA512
74196770c0f487edef73a728ae65394bea9a1a30bdfad1ee690549ebcea407794be7aa4b646d5e963cf1ff4a0ceef383f4dcd3ad14967f5ef5d54a87343cb6de

Download Submit
memory/2072-60-0x000002AE98CC0000-0x000002AE98CC1000-memory.dmp

Filesize
4KB

Download
memory/2072-61-0x000002AE9A8C0000-0x000002AE9A8D0000-memory.dmp

Filesize
64KB

Download
memory/2072-158-0x000002AE9A8C0000-0x000002AE9A8D0000-memory.dmp

Filesize
64KB

Download
memory/2072-155-0x000002AE9A8B0000-0x000002AE9A8C0000-memory.dmp

Filesize
64KB

Download
memory/2072-45-0x000002AE9A870000-0x000002AE9A880000-memory.dmp

Filesize
64KB

Download
memory/2072-46-0x000002AE9A880000-0x000002AE9A890000-memory.dmp

Filesize
64KB

Download
memory/2072-51-0x000002AE9A890000-0x000002AE9A8A0000-memory.dmp

Filesize
64KB

Download
memory/2072-54-0x000002AE9A8A0000-0x000002AE9A8B0000-memory.dmp

Filesize
64KB

Download
memory/2072-55-0x000002AE98CC0000-0x000002AE98CC1000-memory.dmp

Filesize
4KB

Download
memory/2072-57-0x000002AE9A8B0000-0x000002AE9A8C0000-memory.dmp

Filesize
64KB

Download
memory/2072-152-0x000002AE9A8A0000-0x000002AE9A8B0000-memory.dmp

Filesize
64KB

Download
memory/2072-20-0x000002AE9A600000-0x000002AE9A870000-memory.dmp

Filesize
2.4MB

Download
memory/2072-71-0x000002AE98CC0000-0x000002AE98CC1000-memory.dmp

Filesize
4KB

Download
memory/2072-87-0x000002AE98CC0000-0x000002AE98CC1000-memory.dmp

Filesize
4KB

Download
memory/2072-104-0x000002AE98CC0000-0x000002AE98CC1000-memory.dmp

Filesize
4KB

Download
memory/2072-111-0x000002AE98CC0000-0x000002AE98CC1000-memory.dmp

Filesize
4KB

Download
memory/2072-123-0x000002AE98CC0000-0x000002AE98CC1000-memory.dmp

Filesize
4KB

Download
memory/2072-136-0x000002AE9A600000-0x000002AE9A870000-memory.dmp

Filesize
2.4MB

Download
memory/2072-143-0x000002AE9A870000-0x000002AE9A880000-memory.dmp

Filesize
64KB

Download
memory/2072-144-0x000002AE9A880000-0x000002AE9A890000-memory.dmp

Filesize
64KB

Download
memory/2072-147-0x000002AE9A890000-0x000002AE9A8A0000-memory.dmp

Filesize
64KB

Download
memory/2884-3-0x000002B58C340000-0x000002B58C5B0000-memory.dmp

Filesize
2.4MB

Download
memory/2884-14-0x000002B58AA80000-0x000002B58AA81000-memory.dmp

Filesize
4KB

Download
memory/2884-16-0x000002B58C340000-0x000002B58C5B0000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing