6bc8fff6f8185e5996dfccf8e5643c0b2c3a2aeaaeac3a5caf480b41bd49120d

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MPSA.jar
Size

125KB
MD5

d3f85921783738f20db81b7fff95af70
SHA1

8276c95dfaa2538a7bd732c07035fb99846253f5
SHA256

6bc8fff6f8185e5996dfccf8e5643c0b2c3a2aeaaeac3a5caf480b41bd49120d
SHA512

4b73e09d7541650ac9b463395a5d6d4f48226bec50f5961288cd233536c8a578b9027ff420cdd352d070022a4645aee1d3a1ce0fcb3b43f999931c918ec21808
SSDEEP

1536:LEP3OPAewz85arkUeGbo0ovNizyqqR719pdhZuBLhylRygXX3OxllNcvgH1U+0Xp:LBIfF9o0qMS3+dIKgullNcvq0Xp

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2452	icacls.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2452	2700	java.exe	83
PID 2700 wrote to memory of 2452	2700	java.exe	83

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\MPSA.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
f202b6d9df5ea32ca5db4cf060796da2

SHA1
18959b1832a4bd1114fa3e9818069a583b033e3f

SHA256
14b80c669c5ec6041a546554843db84d3eb0ea838f28d2d283efdf219baa028a

SHA512
3bf6bdebfcdbc51c1f26de782b4deb1a0ec483ccaf236701e7d9b9aee58648bbda04ec05169043f592f8093c6cf01685ed64f1db2776ddfff04160a3796a8139

Download Submit
memory/2700-2-0x000001C4081D0000-0x000001C408440000-memory.dmp

Filesize
2.4MB

Download
memory/2700-12-0x000001C406A00000-0x000001C406A01000-memory.dmp

Filesize
4KB

Download
memory/2700-13-0x000001C4081D0000-0x000001C408440000-memory.dmp

Filesize
2.4MB

Download