c4a15b140901b8b13a467e0a502ea7a7198fc54d280f0f39968b7a9ea9bfa408

Resubmissions

15/06/2024, 09:19

240615-k97d6svgkd 7

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[1.8.9] BetterKeystrokes V-1.2.jar
Size

2.8MB
MD5

34e2a4702b809273d426f5fab2f98990
SHA1

d95a260cd94372badbca469067819ff3cf2dfe15
SHA256

c4a15b140901b8b13a467e0a502ea7a7198fc54d280f0f39968b7a9ea9bfa408
SHA512

a0ec7ca7be126198579f33ea9bd8174a6c422c5a35b4fb42a42b1bd3d6b8106623ae3d0a6a38f4f33073319bc7092956ca5022a5e0cc84db6b61a2c0833cbb67
SSDEEP

49152:RnyvpxKTEC8/a7f/UPCJwz4wTDJO8uXJnkqBycE+9Cea05sBx:JwXKYC4aLUPC2zzAXeyFUXsy

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3876	icacls.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3876	3024	java.exe	93
PID 3024 wrote to memory of 3876	3024	java.exe	93

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\[1.8.9] BetterKeystrokes V-1.2.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:3876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3440,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
1⤵
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
995f75a92c8266902afc7b053b7a631d

SHA1
2f73ad1876c287c3fad36b2f2dd07e59af6ecdb5

SHA256
42e732e15f85fc0d0717fd74be78ad8477909b9a816e0c2fc5d54d4800b0cdd6

SHA512
124dcf63abbffe774b8a76b57e65831247ee857c3657912725eb8a729546e678c187bbcd96de95f8e5a89ca168c8f757178a9eee61c57799ad09b8d60a1f296e

Download Submit
memory/3024-2-0x000001B255E50000-0x000001B2560C0000-memory.dmp

Filesize
2.4MB

Download
memory/3024-12-0x000001B254680000-0x000001B254681000-memory.dmp

Filesize
4KB

Download
memory/3024-13-0x000001B255E50000-0x000001B2560C0000-memory.dmp

Filesize
2.4MB

Download