ec069915e5fa8d167ee6967140d5fbbcb59f0d0befa5f6d0cae899fd71ee5da9

Analysis

max time kernel
15s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

minecraft.exe
Size

22.1MB
MD5

86dc20f843bfa46275568d0a4d5e1d2d
SHA1

01d0e36b281f4fff62378d97398cd7b688201197
SHA256

ec069915e5fa8d167ee6967140d5fbbcb59f0d0befa5f6d0cae899fd71ee5da9
SHA512

28e9a7860ef4c146d34952a38c6380bc36452f3c8bdf54d6aecd98fd3ad3c758765de46eebd411abd647022afcc65b6119ebeb84f3af6425deefa58800181404
SSDEEP

393216:pOqGolKT5VhfpjWUjw1O484xLUJO78Tlxf12Fovy4:wqGvVhfpjWE43GO7a1H

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000233b5-43.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
4416	javaw.exe
4416	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4308	icacls.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000233b5-43.dat	upx

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4416	javaw.exe
4416	javaw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 5052	992	minecraft.exe	89
PID 992 wrote to memory of 5052	992	minecraft.exe	89
PID 5052 wrote to memory of 4416	5052	cmd.exe	91
PID 5052 wrote to memory of 4416	5052	cmd.exe	91
PID 4416 wrote to memory of 4308	4416	javaw.exe	93
PID 4416 wrote to memory of 4308	4416	javaw.exe	93

C:\Users\Admin\AppData\Local\Temp\minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\minecraft.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c javaw -Dhttp.proxyHost=betacraft.pl -jar natives/error437.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    javaw -Dhttp.proxyHost=betacraft.pl -jar natives/error437.dll
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
42490979fc5d07879ba634a4672a70b6

SHA1
c8b1763a12bd69fc845593d75ef4ec557f2762cc

SHA256
ac0c8b7361d78be4c96c631836e065407880b83d74b1ea584f887110525c2d72

SHA512
9e96b14b15ffb47681de03beedf545b79676cf15c5ccf110e40f241133926daa4e1d2e86750865f27526152547283c137405bbe819c57e70f9e6b59616b050ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\consoleLib-x64.dll

Filesize
14KB

MD5
9fd4366231018993914ec6546e3e6083

SHA1
ca8a03e81aefeccbbaf766b91b116da4bb53c34d

SHA256
d7cd5122b1ae19a8b95ec9e5db5c3055e3936a546bc22c4f1c7911c3629ab021

SHA512
9b2b013747593f540874adb9c6e9cc64a2985e0975af2ef86dbb63682d967fce028cab43aa2211e76a1fc5ecc037b6dcc4a80503ca55421fd85166dcbda95364

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\err0r437.dll

Filesize
648KB

MD5
1930033c78ef88a4fb03de9db6042f0d

SHA1
ea2437dc06aae3ae434baf271d5d0d0df9835e58

SHA256
4560cf70d22705561e40bce528b6a74bff83630ea91a5b14e0560a114b31dfe0

SHA512
ab881e4eac21268d3693536b6bb3b3b4b6f8bdc8662240b91befe192f72e34dc64998cc4ed9fa1873f2ba637c62af7102adf066ea6ec29ce8fbe86b663224fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\error437.dll

Filesize
19.7MB

MD5
306dbeef2315bb0dcdc886fa9bf028ae

SHA1
eacf875684ed2b924a0ce3d54ea241b514d95c06

SHA256
6ea6d3fb87e4d6e848eb7f76e9008ebf7f54dcc9a9f7e88eae7d4fa159992137

SHA512
b0b0e87bd0706e9ee6480d017d443e2c54af6493eccfc77f52965fe89c68d4ec581323e1ab792ad5f0457c5cc2a3f877658ac3932b09249f1e96e4971c673ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives\lwjgl64.dll

Filesize
303KB

MD5
3fcf8b1bd4c9066ff815d887a4192456

SHA1
d8bc4e20accb989fe9d774ede6c198781c2067c7

SHA256
19ddc120c3f382cebc249da69f7cec7d71f7a665054f8d6f5c6f5bde6cfd2297

SHA512
56ead9bdcd9e83e2651ba22ea2224e83ae205644bf6823776af5b7afee40aba4b355b9cfc0cbf22521236b441899b77904b5ce49b120b3ad717f04d5b8da6d87

Download Submit
memory/992-87-0x0000000000400000-0x0000000001A28000-memory.dmp

Filesize
22.2MB

Download
memory/4416-47-0x000001EC8E7C0000-0x000001EC8E7C1000-memory.dmp

Filesize
4KB

Download
memory/4416-51-0x000001EC8E7C0000-0x000001EC8E7C1000-memory.dmp

Filesize
4KB

Download
memory/4416-39-0x000001EC8E7C0000-0x000001EC8E7C1000-memory.dmp

Filesize
4KB

Download
memory/4416-65-0x000001EC8E7C0000-0x000001EC8E7C1000-memory.dmp

Filesize
4KB

Download
memory/4416-78-0x000001EC8E7C0000-0x000001EC8E7C1000-memory.dmp

Filesize
4KB

Download
memory/4416-85-0x000001EC8E7C0000-0x000001EC8E7C1000-memory.dmp

Filesize
4KB

Download
memory/4416-29-0x000001EC8E7E0000-0x000001EC8EA50000-memory.dmp

Filesize
2.4MB

Download
memory/4416-90-0x0000000062240000-0x000000006224D000-memory.dmp

Filesize
52KB

Download