99fbae6c058b88942180276547978801158197e3fc7b044b87482c628e63a85f

Analysis

max time kernel
92s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
23-05-2024 05:27

Target

LEAK.zip
Size

2.4MB
MD5

1b03fb2fff99a30c3117f154b38977e2
SHA1

584be67f611ad99e0f9e64e7ea2de5853afd983a
SHA256

99fbae6c058b88942180276547978801158197e3fc7b044b87482c628e63a85f
SHA512

79db186076d06150956d7a549e05116da739b0556ad64cc921c4f53580d4f578bc45f66b0a5b89454ae5012f70e97e528c4e2a6e28a19e76da99fcc3ae580f8a
SSDEEP

49152:hd7P7P81OkcmASUhp0/zwvcNjqd/nWFJ0m5YtROINyTO:hdjb81OkxGFcNvFJXeO/y

Score

7^/10

discovery

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2420 icacls.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

900 NOTEPAD.EXE

pid	process
2420	icacls.exe

pid	process
900	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exejava.exe

description	pid	process	target process
PID 3260 wrote to memory of 2616	3260	cmd.exe	java.exe
PID 3260 wrote to memory of 2616	3260	cmd.exe	java.exe
PID 2616 wrote to memory of 2420	2616	java.exe	icacls.exe
PID 2616 wrote to memory of 2420	2616	java.exe	icacls.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LEAK.zip
1⤵
PID:1572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\start.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3260

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar Discord-Token-Checker.jar
2⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
3⤵
- Modifies file permissions
PID:2420

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\tokens.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:900

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
bdca4eb1096a34cb03b73b91606d628b

SHA1
33262e4b246ed9133551136e6ec2ff43398e3501

SHA256
a2da6b2602f26102ff33d49402bb74e048c63bf292bd672a296c7f97c6bd24ac

SHA512
6714a52684f21bf216f3a17a3ea77fd1e2134a9c6a32e497a8cbd32558bd1c5aff612f2914568ace310693ca7dbcf2e83929fbcfb7ed87377af2809c8a7f6d00

Download Submit
memory/2616-2-0x000002954D8A0000-0x000002954DB10000-memory.dmp

Filesize
2.4MB

Download
memory/2616-13-0x000002954D880000-0x000002954D881000-memory.dmp

Filesize
4KB

Download
memory/2616-14-0x000002954D8A0000-0x000002954DB10000-memory.dmp

Filesize
2.4MB

Download