f6e3d9034d0dfbb89293fd65389ab7c841de4fe37dc2de3a2f4fd3e0b2f4c0d0

Analysis

max time kernel
450s
max time network
1176s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
25-06-2024 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KwishClient/KwishClient.jar
Size

60.1MB
MD5

1fa329e9876bb9d14e463a4aae3534e4
SHA1

b20480b592e07a2ffbf217c8621b21cfa666290a
SHA256

69aa16e8f240e4411ff3771f69bbb605b20781dea020ecaaf6ffdae6ab43ca3c
SHA512

f20182a5cc8048a2ae446ad0dd2fea83eb3223b4195a893d5350853261f76c9fa3aa6141cfee45ae3d9611b88304fbf4f0e981c8ead806a28c5d2ccfcfdbee83
SSDEEP

1572864:uQTQqzcknx98oxGxZ1Yh6ZTxNU6hwRKcuQns5FXjCv:uQTemx98oxGxZ1LZTBhwRLX0Xo

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1820 icacls.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 4744 wrote to memory of 1820 4744 java.exe icacls.exe
PID 4744 wrote to memory of 1820 4744 java.exe icacls.exe

pid	process
1820	icacls.exe

description	pid	process	target process
PID 4744 wrote to memory of 1820	4744	java.exe	icacls.exe
PID 4744 wrote to memory of 1820	4744	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\KwishClient\KwishClient.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:1820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
577ba09cb014307395f7b616511723a5

SHA1
558007c461a9779476e35f8520c8d44de5bcf15f

SHA256
6f988cac82d04d778d4b4b2526b0cb71d78945fc54c55c111b6df030a0c2f99a

SHA512
007a254454d84811846593b39bbae39bc1c61160ff811bd9c2491ddbdc73988bdd159f83b050e74f0bafc78ba30bbab6aeb36c22d54e8f333d1108df1a11b58b

Download Submit
memory/4744-2-0x0000014EDD900000-0x0000014EDDB70000-memory.dmp

Filesize
2.4MB

Download
memory/4744-12-0x0000014EDC2C0000-0x0000014EDC2C1000-memory.dmp

Filesize
4KB

Download
memory/4744-13-0x0000014EDD900000-0x0000014EDDB70000-memory.dmp

Filesize
2.4MB

Download