ff7335a7afc9c65a24e53fc4f0d8b16bc0323fbb31f556d4318e2a720c0388f4

General

Target

minecraft_alpha_1.2.1.exe
Size

227KB
MD5

d14ba7be37e9a859c35027fbc48156e3
SHA1

7c8edcd841e8be4cfc1c03277e70e44e563d7d10
SHA256

ff7335a7afc9c65a24e53fc4f0d8b16bc0323fbb31f556d4318e2a720c0388f4
SHA512

706069d04fa28920d263d37e27bd88280620ab659680a795714c15e78b31d5e6007bba88295747c92257d33669d830e5804add558f25e10ab69cfe8daf263105
SSDEEP

1536:dGtgHEjS2MkDvXR/TMZtQkZpcHHHkLL/LL/LL/LLkNHRv879NHpovcfNwV7cNHzt:ALjSeDvhoZK4mpYpccpWIzMjNCxpdl

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5036 icacls.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

3068 OpenWith.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

javaw.exeOpenWith.exe

pid process

4580 javaw.exe
4580 javaw.exe
3068 OpenWith.exe

pid	process
5036	icacls.exe

pid	process
3068	OpenWith.exe

pid	process
4580	javaw.exe
4580	javaw.exe
3068	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

minecraft_alpha_1.2.1.exejavaw.exe

description	pid	process	target process
PID 388 wrote to memory of 4580	388	minecraft_alpha_1.2.1.exe	javaw.exe
PID 388 wrote to memory of 4580	388	minecraft_alpha_1.2.1.exe	javaw.exe
PID 4580 wrote to memory of 5036	4580	javaw.exe	icacls.exe
PID 4580 wrote to memory of 5036	4580	javaw.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\minecraft_alpha_1.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\minecraft_alpha_1.2.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:388
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xms512m -Xmx1024m -jar "C:\Users\Admin\AppData\Local\Temp\minecraft_alpha_1.2.1.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:5036

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
adb50dfa4d963de46daad882c6dbbb76

SHA1
4e713ab6245bea9bc4bd92d50f77f363e80b4e2d

SHA256
7d0683962d523ea74f4b56165470411f5ef976ad5de01713281a504041d88ad6

SHA512
b0455168b7bcb1cdcf9da0ae1d22d67652f55974fb10098630b0af96d453fb1e2e7c7af8a2f043548db4516b96b17b7f083cbdf28a7dd370c6f044be3bf391ca

Download Submit
memory/388-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4580-52-0x000001FBE4500000-0x000001FBE4510000-memory.dmp

Filesize
64KB

Download
memory/4580-24-0x000001FBE4450000-0x000001FBE4460000-memory.dmp

Filesize
64KB

Download
memory/4580-55-0x000001FBE4510000-0x000001FBE4520000-memory.dmp

Filesize
64KB

Download
memory/4580-25-0x000001FBE4460000-0x000001FBE4470000-memory.dmp

Filesize
64KB

Download
memory/4580-28-0x000001FBE4470000-0x000001FBE4480000-memory.dmp

Filesize
64KB

Download
memory/4580-32-0x000001FBE4490000-0x000001FBE44A0000-memory.dmp

Filesize
64KB

Download
memory/4580-34-0x000001FBE44A0000-0x000001FBE44B0000-memory.dmp

Filesize
64KB

Download
memory/4580-31-0x000001FBE4480000-0x000001FBE4490000-memory.dmp

Filesize
64KB

Download
memory/4580-35-0x000001FBE44B0000-0x000001FBE44C0000-memory.dmp

Filesize
64KB

Download
memory/4580-39-0x000001FBE44D0000-0x000001FBE44E0000-memory.dmp

Filesize
64KB

Download
memory/4580-38-0x000001FBE44C0000-0x000001FBE44D0000-memory.dmp

Filesize
64KB

Download
memory/4580-41-0x000001FBE44E0000-0x000001FBE44F0000-memory.dmp

Filesize
64KB

Download
memory/4580-44-0x000001FBE44F0000-0x000001FBE4500000-memory.dmp

Filesize
64KB

Download
memory/4580-45-0x000001FBE2970000-0x000001FBE2971000-memory.dmp

Filesize
4KB

Download
memory/4580-71-0x000001FBE44F0000-0x000001FBE4500000-memory.dmp

Filesize
64KB

Download
memory/4580-22-0x000001FBE2970000-0x000001FBE2971000-memory.dmp

Filesize
4KB

Download
memory/4580-58-0x000001FBE4520000-0x000001FBE4530000-memory.dmp

Filesize
64KB

Download
memory/4580-57-0x000001FBE41E0000-0x000001FBE4450000-memory.dmp

Filesize
2.4MB

Download
memory/4580-59-0x000001FBE2970000-0x000001FBE2971000-memory.dmp

Filesize
4KB

Download
memory/4580-60-0x000001FBE4450000-0x000001FBE4460000-memory.dmp

Filesize
64KB

Download
memory/4580-61-0x000001FBE4460000-0x000001FBE4470000-memory.dmp

Filesize
64KB

Download
memory/4580-63-0x000001FBE4470000-0x000001FBE4480000-memory.dmp

Filesize
64KB

Download
memory/4580-64-0x000001FBE4480000-0x000001FBE4490000-memory.dmp

Filesize
64KB

Download
memory/4580-65-0x000001FBE4490000-0x000001FBE44A0000-memory.dmp

Filesize
64KB

Download
memory/4580-66-0x000001FBE44A0000-0x000001FBE44B0000-memory.dmp

Filesize
64KB

Download
memory/4580-67-0x000001FBE44B0000-0x000001FBE44C0000-memory.dmp

Filesize
64KB

Download
memory/4580-68-0x000001FBE44C0000-0x000001FBE44D0000-memory.dmp

Filesize
64KB

Download
memory/4580-69-0x000001FBE44D0000-0x000001FBE44E0000-memory.dmp

Filesize
64KB

Download
memory/4580-70-0x000001FBE44E0000-0x000001FBE44F0000-memory.dmp

Filesize
64KB

Download
memory/4580-3-0x000001FBE41E0000-0x000001FBE4450000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing