e72b0bdfcde42b79c8b9266fc25c37d62a2c536d33c32eb6dcb4e2a17961f2ff

Analysis

max time kernel
0s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
05-07-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

newdcnyash/lib/IllIIIIIIlIIIIIlIllIIIIlIlIIIIlIIllIIllIIlIlllIlIlIlIIIlllllIlllIllIIIlllllIlIlIlIlll.jar
Size

31KB
MD5

6c7ed18ba835a47b32bac14d83c90bc1
SHA1

6a8237ae3f6cccd788aa47b2ecc22f580e810a01
SHA256

7f2f1bbfad38be1382913af2b7c2622470fa3af976fbd1f386c189af8ad136fa
SHA512

9670ede560347dffbbb0761e2de817ddbc426daa0fd97a53b1fd3c8a031dd6d5c2b0c6cebb21d1dffd23b45e504895736634939f75c39c48d580542ccd7ea66c
SSDEEP

768:SfyBHlmRQDPgJPjdIVTCV9+n6cMJw297fjheItTE5oO6lKYW8dvdTWhe62C:SfYT6cMJw2ihy+

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3552 icacls.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 3716 wrote to memory of 3552 3716 java.exe icacls.exe
PID 3716 wrote to memory of 3552 3716 java.exe icacls.exe

pid	process
3552	icacls.exe

description	pid	process	target process
PID 3716 wrote to memory of 3552	3716	java.exe	icacls.exe
PID 3716 wrote to memory of 3552	3716	java.exe	icacls.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\newdcnyash\lib\IllIIIIIIlIIIIIlIllIIIIlIlIIIIlIIllIIllIIlIlllIlIlIlIIIlllllIlllIllIIIlllllIlIlIlIlll.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:3552

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
ff7b5291f516414ae9577305d483b7ea

SHA1
8a556c33bb90ee90a9b211b9d9fd2dbabe6a0528

SHA256
602161882e1883c7f52686822f025e42fbff042c666389eea02b99a9d3a5eb3d

SHA512
f17a2dd5b46701f8b6a38e898eab7858c784df498b81a725aae96a70db289d3fa1b8ace613c57cdb890efd42288955c80aefe60049f63910bb3cde1f8ffe5115

Download Submit
memory/3716-2-0x0000026300000000-0x0000026300270000-memory.dmp

Filesize
2.4MB

Download
memory/3716-12-0x0000026375A80000-0x0000026375A81000-memory.dmp

Filesize
4KB

Download
memory/3716-13-0x0000026300000000-0x0000026300270000-memory.dmp

Filesize
2.4MB

Download