4f55f26dbe1f5503b509daa838c63aae8573a37e462d8d15312d9c0b01d2367f

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0785a5dd610e945c0e3faa98e77b854f0a6fc378cddbf3cfadac8168c1942af7.jar
Size

141KB
MD5

a3fa6f3731f8b03addb3fc21cae10c1e
SHA1

77b50a01a6767352cd8598577f15c89cae9cceed
SHA256

0785a5dd610e945c0e3faa98e77b854f0a6fc378cddbf3cfadac8168c1942af7
SHA512

64277b925251f4e51581871b99b5e567b59ab3df0eae485a6283e69406359834908265eff95d72c4bafcc732e67902e7c20888a29ee0b51bf53c3487a0d0d603
SSDEEP

384:4c4T7iQWFfpIGARoV57FYKxeUUfc1Eq+Hcvi:4co7hefdARe57FY2U04

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\olo.jar java.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

860 icacls.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\olo.jar	java.exe

pid	process
860	icacls.exe

Enumerates processes with tasklist 1 TTPs 21 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
1912	tasklist.exe
1364	tasklist.exe
2016	tasklist.exe
4220	tasklist.exe
664	tasklist.exe
5024	tasklist.exe
4928	tasklist.exe
3492	tasklist.exe
1048	tasklist.exe
4820	tasklist.exe
2452	tasklist.exe
924	tasklist.exe
5072	tasklist.exe
5036	tasklist.exe
4976	tasklist.exe
624	tasklist.exe
1080	tasklist.exe
3788	tasklist.exe
2228	tasklist.exe
4704	tasklist.exe
4556	tasklist.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1364	tasklist.exe
Token: SeDebugPrivilege	4704	tasklist.exe
Token: SeDebugPrivilege	4556	tasklist.exe
Token: SeDebugPrivilege	2016	tasklist.exe
Token: SeDebugPrivilege	5036	tasklist.exe
Token: SeDebugPrivilege	924	tasklist.exe
Token: SeDebugPrivilege	4928	tasklist.exe
Token: SeDebugPrivilege	5072	tasklist.exe
Token: SeDebugPrivilege	4976	tasklist.exe
Token: SeDebugPrivilege	624	tasklist.exe
Token: SeDebugPrivilege	1048	tasklist.exe
Token: SeDebugPrivilege	3492	tasklist.exe
Token: SeDebugPrivilege	1080	tasklist.exe
Token: SeDebugPrivilege	1912	tasklist.exe
Token: SeDebugPrivilege	4220	tasklist.exe
Token: SeDebugPrivilege	4820	tasklist.exe
Token: SeDebugPrivilege	2452	tasklist.exe
Token: SeDebugPrivilege	664	tasklist.exe
Token: SeDebugPrivilege	5024	tasklist.exe
Token: SeDebugPrivilege	3788	tasklist.exe
Token: SeDebugPrivilege	2228	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

1776 java.exe

pid	process
1776	java.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

java.exe

description	pid	process	target process
PID 3956 wrote to memory of 860	3956	java.exe	icacls.exe
PID 3956 wrote to memory of 860	3956	java.exe	icacls.exe
PID 3956 wrote to memory of 1364	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 1364	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 4704	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 4704	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 4556	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 4556	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 2016	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 2016	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 5036	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 5036	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 924	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 924	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 4928	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 4928	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 5072	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 5072	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 4976	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 4976	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 624	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 624	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 1048	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 1048	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 3492	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 3492	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 1080	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 1080	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 1912	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 1912	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 4220	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 4220	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 4820	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 4820	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 2452	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 2452	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 664	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 664	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 5024	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 5024	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 3788	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 3788	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 2228	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 2228	3956	java.exe	tasklist.exe
PID 3956 wrote to memory of 1776	3956	java.exe	java.exe
PID 3956 wrote to memory of 1776	3956	java.exe	java.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\0785a5dd610e945c0e3faa98e77b854f0a6fc378cddbf3cfadac8168c1942af7.jar
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:860

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\SYSTEM32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\olo.jar"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
f078ab0f61d68b5109200e8ebd30da79

SHA1
9ce91f011b637df67c37bf6586a186a05546b7e7

SHA256
ebe47b9252f00dc6921871889cfc4be854d3e5ac54e5da47aa632af14616aa5f

SHA512
c0992b8e0a58a72dc4121205ea566037e181c5d8e139d243ae232f73bc96e88962069089e0b661e7a164a8e54b655cc1d24fbff42e57960499e1e477d4be17d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\olo.jar
Filesize
199KB

MD5
acef9b1a1b1ce8721d4d662a9372372b

SHA1
9974f8335bd7d873cf739b10f088fcbe2d3a248e

SHA256
c1983298ecdc326786f1d57bc7d878bd987dd70403799c8cde0f0126782b3d04

SHA512
2635d8c3af8ed20936554d56ca8afc9c9b61f6a47aefb820b5554e7efacb91f39aa44d4ffc1c86bcd7882ee66bf86a6f853279586b83e720af06f76764579532

Download Submit
memory/1776-75-0x0000027DAB810000-0x0000027DAB811000-memory.dmp

Filesize
4KB

Download
memory/1776-87-0x0000027DAB810000-0x0000027DAB811000-memory.dmp

Filesize
4KB

Download
memory/3956-2-0x0000018D9BE20000-0x0000018D9C090000-memory.dmp

Filesize
2.4MB

Download
memory/3956-12-0x0000018D9A650000-0x0000018D9A651000-memory.dmp

Filesize
4KB

Download
memory/3956-54-0x0000018D9A650000-0x0000018D9A651000-memory.dmp

Filesize
4KB

Download
memory/3956-57-0x0000018D9A650000-0x0000018D9A651000-memory.dmp

Filesize
4KB

Download
memory/3956-60-0x0000018D9BE20000-0x0000018D9C090000-memory.dmp

Filesize
2.4MB

Download