01b6b1fef127398f9aae43f9dabc1cf8ddf5a4e50981347a6f26b4c9d6291b54

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin/shutdown.bat
Size

265B
MD5

ce9f268c1bbdeaac25d2e57d031b702f
SHA1

61c36889463c8ad334e610c9f806483097fea4fd
SHA256

71c0ff0cb2f9fd3ec0e6a65eb242f6b499c9832ceb3f403f0f5f680a02f882aa
SHA512

daf7d6c9e8f264824cb05ca51ea78a89c7d781ae757e0b2b1704107bca07bb6fca2145f555993a612c71f2c19e02d8fe7b9bfe2122c7a1a3c96ed85998703e9e

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2440	icacls.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 2640	4984	cmd.exe	85
PID 4984 wrote to memory of 2640	4984	cmd.exe	85
PID 2640 wrote to memory of 2440	2640	java.exe	86
PID 2640 wrote to memory of 2440	2640	java.exe	86
PID 2640 wrote to memory of 2020	2640	java.exe	88
PID 2640 wrote to memory of 2020	2640	java.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\shutdown.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java -cp "C:\Users\Admin\AppData\Local\Temp"\nxd.jar;"C:\Users\Admin\AppData\Local\Temp"\lib\*; nxd.NxAdmin shutdown
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2440
- - C:\Windows\SYSTEM32\hostname.exe
    hostname
    3⤵
    PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
fb896ef8a8ba978c234f609562f4eb9f

SHA1
43f58a8678d3ca23b53f06f3f3aa9456107f6296

SHA256
43bc5af56c4da8d886e43ebe3f78c8acbf923799a3e5273802ffd0e82ddcae92

SHA512
747f837827395aad0d26f9eceec37b11acaae4af86cb7ca354f24262db75ad23107d4429f091353097582161a013244c81db4da030104a602772e1faa459715e

Download Submit
memory/2640-2-0x0000018B80000000-0x0000018B80270000-memory.dmp

Filesize
2.4MB

Download
memory/2640-16-0x0000018BFAFE0000-0x0000018BFAFE1000-memory.dmp

Filesize
4KB

Download
memory/2640-18-0x0000018BFAFE0000-0x0000018BFAFE1000-memory.dmp

Filesize
4KB

Download
memory/2640-19-0x0000018B80000000-0x0000018B80270000-memory.dmp

Filesize
2.4MB

Download