Analysis
max time kernel: 1201s
max time network: 902s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05/05/2023, 05:02
Static task: static1
Behavioral task: behavioral1
  Sample: setup.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: setup.exe
  Resource: win10v2004-20230220-en
General
Target: setup.exe
Size: 22.1MB
MD5: bf8bffb4ecd1b7fe3290a63c37fd5686
SHA1: b8e2287e56cac741cd39a46f45c91e359ab81f7a
SHA256: 023a41716b8900a56d33d5becadd4b1441a45851d70905866565c872f457da26
SHA512: 9d61eefe000be3edab81c16f3917d6c27fd9dbfb9d289423a8f8bcf6615a69709c50f6e6a019e7def8d2218c791072f1bf0b1de7e041cfd508077f252cbbed7d
SSDEEP: 393216:qKnuOQUrMhX1iaZ+lPd/OJWsruCkxiBnuJpIsinmqlpkR0arq6eoH2Jg2TG/:rrkX8KMP0JWmu4Zgpunmqlpi0i1WJgAi
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  1420  setup.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2044  setup.exe
  828   java.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Each IoC is one privilege enabled in the named process's token via AdjustTokenPrivileges.
  pid 624, wmic.exe (40 IoCs: the 20 tokens below, recorded twice):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeManageVolumePrivilege, 33, 34, 35
  pid 1884, wmic.exe (24 IoCs: the same 20 tokens once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege,
    SeTakeOwnershipPrivilege and SeLoadDriverPrivilege a second time)
  Tokens 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege). wmic.exe enables every privilege already present in its token when it starts, so these rows describe wmic.exe's own start-up behaviour under the sandbox's administrative user, not a privilege escalation performed by the sample; AdjustTokenPrivileges cannot add a privilege the token does not already hold.

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  828   java.exe
  828   java.exe

Suspicious use of WriteProcessMemory (26 IoCs)
  The sandbox records one row per WriteProcessMemory call, so each parent/child pair repeats; the rows column gives the count.
  description                          pid   Process     procid_target  rows
  PID 2044 wrote to memory of 1420     2044  setup.exe   29             7
  PID 1420 wrote to memory of 828      1420  setup.exe   30             4
  PID 828 wrote to memory of 624       828   java.exe    31             3
  PID 828 wrote to memory of 1884      828   java.exe    33             3
  PID 828 wrote to memory of 296       828   java.exe    34             3
  PID 828 wrote to memory of 1484      828   java.exe    35             3
  PID 828 wrote to memory of 1384      828   java.exe    36             3
  Every write target is a direct child of the writing process, matching the process tree below; no write into a pre-existing or unrelated process is recorded.

Views/modifies file attributes (1 TTP, 1 IoC)
  pid   Process
  1384  attrib.exe
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  PID: 2044
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\setup.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\setup.exe
    PID: 1420
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\java.exe
      Command line: "C:\Windows\system32\java.exe" -Xms20971520 -classpath "C:\Users\Admin\AppData\Local\Temp\I1683270171\InstallerData\IAClasses.zip;C:\Users\Admin\AppData\Local\Temp\I1683270171\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270171\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270171\InstallerData;C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\InstallerData;" com.zerog.lax.LAX "C:/Users/Admin/AppData/Local/Temp/I1683270171/Windows/setup.lax" "C:/Users/Admin/AppData/Local/Temp/lax1102.tmp"
      PID: 828
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic os get name
        PID: 624
        - Suspicious use of AdjustPrivilegeToken
      [depth 4] C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic os get name
        PID: 1884
        - Suspicious use of AdjustPrivilegeToken
      [depth 4] C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic os get name
        PID: 296
      [depth 4] C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic os get version
        PID: 1484
      [depth 4] C:\Windows\system32\attrib.exe
        Command line: attrib +h "C:\Users\Admin\InstallAnywhere"
        PID: 1384
        - Views/modifies file attributes
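The process tree above is what the sandbox derives from its per-call WriteProcessMemory records. The following Python, added here as an example and not part of the sandbox report or its tooling, rebuilds the same tree from an excerpt of those records: it parses the "PID X wrote to memory of Y" rows, collapses the repeated rows into a per-pair call count, finds the root, and flags living-off-the-land binaries (wmic.exe, attrib.exe) that were launched from java.exe, which is the chain an analyst would want to confirm when triaging a Java-based installer. The IoC excerpt and the PID-to-name lookup are constructed from the report's own values; the LOLBIN list is an assumption of the example.

```python
"""Rebuild a process tree from sandbox 'wrote to memory of' IoCs (added example)."""
import re
from collections import Counter, defaultdict

# Excerpt of the report's WriteProcessMemory rows (constructed from the page).
# The sandbox logs one row per WriteProcessMemory call, so pairs repeat.
WPM_IOCS = """\
PID 2044 wrote to memory of 1420 2044 setup.exe 29
PID 2044 wrote to memory of 1420 2044 setup.exe 29
PID 1420 wrote to memory of 828 1420 setup.exe 30
PID 828 wrote to memory of 624 828 java.exe 31
PID 828 wrote to memory of 624 828 java.exe 31
PID 828 wrote to memory of 1884 828 java.exe 33
PID 828 wrote to memory of 296 828 java.exe 34
PID 828 wrote to memory of 1484 828 java.exe 35
PID 828 wrote to memory of 1384 828 java.exe 36
"""

# Process names by PID, taken from the report's Processes section (constructed lookup).
PROCESS_NAMES = {
    2044: "setup.exe", 1420: "setup.exe", 828: "java.exe",
    624: "wmic.exe", 1884: "wmic.exe", 296: "wmic.exe",
    1484: "wmic.exe", 1384: "attrib.exe",
}

# Children worth a second look when spawned by a Java runtime (assumption of this example).
LOLBINS = {"wmic.exe", "attrib.exe", "cmd.exe", "powershell.exe"}

# description ("PID A wrote to memory of B"), pid (A again), Process, procid_target
ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)$"
)


def parse_iocs(text):
    """Count WriteProcessMemory calls per (writer_pid, writer_name, target_pid)."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # skip blank or malformed rows instead of failing the whole parse
            counts[(int(m["src"]), m["proc"], int(m["dst"]))] += 1
    return counts


def build_tree(counts):
    """Map each writer PID to its distinct targets as (pid, name), repeats collapsed."""
    tree = defaultdict(list)
    for src, _name, dst in sorted(counts):
        if all(child != dst for child, _ in tree[src]):
            tree[src].append((dst, PROCESS_NAMES.get(dst, "?")))
    return dict(tree)


def roots(tree):
    """Writers that were never themselves a write target."""
    children = {pid for kids in tree.values() for pid, _ in kids}
    return sorted(pid for pid in tree if pid not in children)


def suspicious_children(tree):
    """(parent_pid, child_pid, child_name) for LOLBINs launched from java.exe."""
    hits = []
    for parent, kids in tree.items():
        if PROCESS_NAMES.get(parent) != "java.exe":
            continue
        hits.extend((parent, pid, name) for pid, name in kids if name in LOLBINS)
    return hits


def render(tree, pid, depth=0):
    """Indented text lines for the subtree rooted at pid."""
    lines = [f"{'  ' * depth}{PROCESS_NAMES.get(pid, '?')} (PID {pid})"]
    for child, _ in tree.get(pid, []):
        lines.extend(render(tree, child, depth + 1))
    return lines


if __name__ == "__main__":
    counts = parse_iocs(WPM_IOCS)
    tree = build_tree(counts)
    for root in roots(tree):
        print("\n".join(render(tree, root)))
    for parent, pid, name in suspicious_children(tree):
        print(f"java.exe (PID {parent}) launched {name} (PID {pid}), "
              f"{counts[(parent, 'java.exe', pid)]} write(s)")
```

Because every write target here is a direct child of the writer, the rebuilt tree has a single root (PID 2044) and the java.exe node carries all five LOLBIN children; a write into a PID that never appears as a child in the Processes section would show up as a second root or an unknown ("?") name, which is the case worth escalating.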
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 18.0MB
MD5: fb90e663bce3ba198c01f3be086aedd4
SHA1: 2ed063059cbee8910bd685a678ca46375a5b74c6
SHA256: 2f3ed7a2f099a2a8b6659b8190f85ba633baff99828bc0e32bef21c441868f21
SHA512: de161ba3415fe9baa58a6654d2879797d81088176203c8b203e87f1ff3b7568885c41074469f306bb7eb89d2459d7fdd2ef6ff68085a95a4b04986f2edf91070
-
Filesize: 4.7MB
MD5: 1e5280726dd5f67513a751277ab1f99d
SHA1: 6a5ea3874095e285c7311f81719344801e407e78
SHA256: e01aa1f3af160de1a81321d0cb9fb9d8bc6b9790d881382da8f07cb95bc0595f
SHA512: 21f8e75432270b1c6ec6d7569d9dc63d98e2c68e1435e241cd5b52ff65f932afc1c5c88cafc87fe04811c45ac41a1f8b9176c7238a6594465a9f44c8eb8b02b5
-
Filesize: 448B
MD5: 9ea1f68278fc08c315a1457237da584a
SHA1: 0387799d27cd1944a1798d82613786fc91ade4c1
SHA256: b374be5a723bc5e3fff8c9ad5b9ee1aab09e814b1bed53d569e82e3653af5d9e
SHA512: fe02dd56c7f8b2c99e7f9673128c4867b6682c3081452bf0a78420ab910670d3a9866fa0e2ce2f891795bec8a9cc690468441130abef4e3700542f9da2d4c6f4
-
Filesize: 130KB
MD5: 29abcd83cadb184d0e2552a6103bad44
SHA1: 902131c67019b6f27aa02b60db9ce8fae7259f05
SHA256: 85bf3ff44c3ec0883947ae7f38c152ac4f97350d95a40f0db01f8923192dc617
SHA512: 5058f15ff99321ecfd1e7054739bd764c0e6da240b485c92326691869ba75e912ff705a90659a882a92a5039e5e7fafa8043629ce83e8b950721d4c1d702daa3
-
Filesize: 538KB
MD5: 5f0c61a74ae912c9b37bceb449b8b33e
SHA1: 9d90020032e44e2a8465c77fb85ece57f2a09193
SHA256: dede6586c6679f0dbcb242572c4a7a617c7c960a39c9417673574db8ad813997
SHA512: 53b23ecc33dc91e2de62c9c07ec7feedfbe8093f95496abf836eaee507f9096294dd6d4618a99297ad32b1117eb16a3ff5f9cf387b8d99235cf47659b24981e9
-
Filesize: 538KB
MD5: 5f0c61a74ae912c9b37bceb449b8b33e
SHA1: 9d90020032e44e2a8465c77fb85ece57f2a09193
SHA256: dede6586c6679f0dbcb242572c4a7a617c7c960a39c9417673574db8ad813997
SHA512: 53b23ecc33dc91e2de62c9c07ec7feedfbe8093f95496abf836eaee507f9096294dd6d4618a99297ad32b1117eb16a3ff5f9cf387b8d99235cf47659b24981e9
-
Filesize: 1KB
MD5: 6775ee9a0c7ec3c4c3518312facea186
SHA1: 128e666f482d201910a5b620afc595736f18fa78
SHA256: c95de3e32edf58eb2f6c0c82a80033a30cd0a4c0e86a7d98ec56a1c5117574bf
SHA512: 350b0ca1e6ac0a42768b1516049a6cbe0d3c90115e760cf97ac0e19f30af765130990c62de9441d35c49e4f590b6ef1b825c86f71669ed8ae2962af91f8f3f6d
-
Filesize: 45B
MD5: d8143de7a6779bf01772f9b0565f41f7
SHA1: c7556bb074f53750314eb9d8c6614ccfd0f0c93c
SHA256: da9d71d6fec28ff5dbcab9094a9310ce83a009d6c7c1538fff5aebf48a461f73
SHA512: 3b8c55e75b912614ed1738cfe6aefb97c0d2ff29dbb02d5ee0bc795a726e7a176c9549151621aaad39babfa398a917b3c9104c66718c9f78abadcfee14fde6eb
-
Filesize: 6KB
MD5: a9151a4cbffbcad1cd331f817f9a6f05
SHA1: f12cdb213f6b0c803d3c98edb7d466e83fa600a0
SHA256: 1fba88aba081590f5f40c5479ec17ad82d819fc2af5dbb03495c04e4dc8d4a8a
SHA512: fb84b50512c55f5494de7ceff61c01eb2049058e5a78e6b3f3f4d9fc7cd41cb065945d98287098fc5139959cdc48070ebb174bc92c9dbbed40f9e581a21787b8
-
Filesize: 130KB
MD5: 29abcd83cadb184d0e2552a6103bad44
SHA1: 902131c67019b6f27aa02b60db9ce8fae7259f05
SHA256: 85bf3ff44c3ec0883947ae7f38c152ac4f97350d95a40f0db01f8923192dc617
SHA512: 5058f15ff99321ecfd1e7054739bd764c0e6da240b485c92326691869ba75e912ff705a90659a882a92a5039e5e7fafa8043629ce83e8b950721d4c1d702daa3
-
Filesize: 538KB
MD5: 5f0c61a74ae912c9b37bceb449b8b33e
SHA1: 9d90020032e44e2a8465c77fb85ece57f2a09193
SHA256: dede6586c6679f0dbcb242572c4a7a617c7c960a39c9417673574db8ad813997
SHA512: 53b23ecc33dc91e2de62c9c07ec7feedfbe8093f95496abf836eaee507f9096294dd6d4618a99297ad32b1117eb16a3ff5f9cf387b8d99235cf47659b24981e9