023a41716b8900a56d33d5becadd4b1441a45851d70905866565c872f457da26

Analysis

max time kernel
1201s
max time network
902s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

22.1MB
MD5

bf8bffb4ecd1b7fe3290a63c37fd5686
SHA1

b8e2287e56cac741cd39a46f45c91e359ab81f7a
SHA256

023a41716b8900a56d33d5becadd4b1441a45851d70905866565c872f457da26
SHA512

9d61eefe000be3edab81c16f3917d6c27fd9dbfb9d289423a8f8bcf6615a69709c50f6e6a019e7def8d2218c791072f1bf0b1de7e041cfd508077f252cbbed7d
SSDEEP

393216:qKnuOQUrMhX1iaZ+lPd/OJWsruCkxiBnuJpIsinmqlpkR0arq6eoH2Jg2TG/:rrkX8KMP0JWmu4Zgpunmqlpi0i1WJgAi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1420	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	setup.exe
828	java.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	624	wmic.exe
Token: SeSecurityPrivilege	624	wmic.exe
Token: SeTakeOwnershipPrivilege	624	wmic.exe
Token: SeLoadDriverPrivilege	624	wmic.exe
Token: SeSystemProfilePrivilege	624	wmic.exe
Token: SeSystemtimePrivilege	624	wmic.exe
Token: SeProfSingleProcessPrivilege	624	wmic.exe
Token: SeIncBasePriorityPrivilege	624	wmic.exe
Token: SeCreatePagefilePrivilege	624	wmic.exe
Token: SeBackupPrivilege	624	wmic.exe
Token: SeRestorePrivilege	624	wmic.exe
Token: SeShutdownPrivilege	624	wmic.exe
Token: SeDebugPrivilege	624	wmic.exe
Token: SeSystemEnvironmentPrivilege	624	wmic.exe
Token: SeRemoteShutdownPrivilege	624	wmic.exe
Token: SeUndockPrivilege	624	wmic.exe
Token: SeManageVolumePrivilege	624	wmic.exe
Token: 33	624	wmic.exe
Token: 34	624	wmic.exe
Token: 35	624	wmic.exe
Token: SeIncreaseQuotaPrivilege	624	wmic.exe
Token: SeSecurityPrivilege	624	wmic.exe
Token: SeTakeOwnershipPrivilege	624	wmic.exe
Token: SeLoadDriverPrivilege	624	wmic.exe
Token: SeSystemProfilePrivilege	624	wmic.exe
Token: SeSystemtimePrivilege	624	wmic.exe
Token: SeProfSingleProcessPrivilege	624	wmic.exe
Token: SeIncBasePriorityPrivilege	624	wmic.exe
Token: SeCreatePagefilePrivilege	624	wmic.exe
Token: SeBackupPrivilege	624	wmic.exe
Token: SeRestorePrivilege	624	wmic.exe
Token: SeShutdownPrivilege	624	wmic.exe
Token: SeDebugPrivilege	624	wmic.exe
Token: SeSystemEnvironmentPrivilege	624	wmic.exe
Token: SeRemoteShutdownPrivilege	624	wmic.exe
Token: SeUndockPrivilege	624	wmic.exe
Token: SeManageVolumePrivilege	624	wmic.exe
Token: 33	624	wmic.exe
Token: 34	624	wmic.exe
Token: 35	624	wmic.exe
Token: SeIncreaseQuotaPrivilege	1884	wmic.exe
Token: SeSecurityPrivilege	1884	wmic.exe
Token: SeTakeOwnershipPrivilege	1884	wmic.exe
Token: SeLoadDriverPrivilege	1884	wmic.exe
Token: SeSystemProfilePrivilege	1884	wmic.exe
Token: SeSystemtimePrivilege	1884	wmic.exe
Token: SeProfSingleProcessPrivilege	1884	wmic.exe
Token: SeIncBasePriorityPrivilege	1884	wmic.exe
Token: SeCreatePagefilePrivilege	1884	wmic.exe
Token: SeBackupPrivilege	1884	wmic.exe
Token: SeRestorePrivilege	1884	wmic.exe
Token: SeShutdownPrivilege	1884	wmic.exe
Token: SeDebugPrivilege	1884	wmic.exe
Token: SeSystemEnvironmentPrivilege	1884	wmic.exe
Token: SeRemoteShutdownPrivilege	1884	wmic.exe
Token: SeUndockPrivilege	1884	wmic.exe
Token: SeManageVolumePrivilege	1884	wmic.exe
Token: 33	1884	wmic.exe
Token: 34	1884	wmic.exe
Token: 35	1884	wmic.exe
Token: SeIncreaseQuotaPrivilege	1884	wmic.exe
Token: SeSecurityPrivilege	1884	wmic.exe
Token: SeTakeOwnershipPrivilege	1884	wmic.exe
Token: SeLoadDriverPrivilege	1884	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
828	java.exe
828	java.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1420	2044	setup.exe	29
PID 2044 wrote to memory of 1420	2044	setup.exe	29
PID 2044 wrote to memory of 1420	2044	setup.exe	29
PID 2044 wrote to memory of 1420	2044	setup.exe	29
PID 2044 wrote to memory of 1420	2044	setup.exe	29
PID 2044 wrote to memory of 1420	2044	setup.exe	29
PID 2044 wrote to memory of 1420	2044	setup.exe	29
PID 1420 wrote to memory of 828	1420	setup.exe	30
PID 1420 wrote to memory of 828	1420	setup.exe	30
PID 1420 wrote to memory of 828	1420	setup.exe	30
PID 1420 wrote to memory of 828	1420	setup.exe	30
PID 828 wrote to memory of 624	828	java.exe	31
PID 828 wrote to memory of 624	828	java.exe	31
PID 828 wrote to memory of 624	828	java.exe	31
PID 828 wrote to memory of 1884	828	java.exe	33
PID 828 wrote to memory of 1884	828	java.exe	33
PID 828 wrote to memory of 1884	828	java.exe	33
PID 828 wrote to memory of 296	828	java.exe	34
PID 828 wrote to memory of 296	828	java.exe	34
PID 828 wrote to memory of 296	828	java.exe	34
PID 828 wrote to memory of 1484	828	java.exe	35
PID 828 wrote to memory of 1484	828	java.exe	35
PID 828 wrote to memory of 1484	828	java.exe	35
PID 828 wrote to memory of 1384	828	java.exe	36
PID 828 wrote to memory of 1384	828	java.exe	36
PID 828 wrote to memory of 1384	828	java.exe	36

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1384	attrib.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\setup.exe
  C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\system32\java.exe
    "C:\Windows\system32\java.exe" -Xms20971520 -classpath "C:\Users\Admin\AppData\Local\Temp\I1683270171\InstallerData\IAClasses.zip;C:\Users\Admin\AppData\Local\Temp\I1683270171\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270171\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270171\InstallerData;C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\InstallerData;" com.zerog.lax.LAX "C:/Users/Admin/AppData/Local/Temp/I1683270171/Windows/setup.lax" "C:/Users/Admin/AppData/Local/Temp/lax1102.tmp"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:624
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1884
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get name
      4⤵
      PID:296
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get version
      4⤵
      PID:1484
  - - C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\Admin\InstallAnywhere"
      4⤵
      Views/modifies file attributes
      PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\I1683270171\InstallerData\Execute.zip

Filesize
18.0MB

MD5
fb90e663bce3ba198c01f3be086aedd4

SHA1
2ed063059cbee8910bd685a678ca46375a5b74c6

SHA256
2f3ed7a2f099a2a8b6659b8190f85ba633baff99828bc0e32bef21c441868f21

SHA512
de161ba3415fe9baa58a6654d2879797d81088176203c8b203e87f1ff3b7568885c41074469f306bb7eb89d2459d7fdd2ef6ff68085a95a4b04986f2edf91070

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270171\InstallerData\IAClasses.zip

Filesize
4.7MB

MD5
1e5280726dd5f67513a751277ab1f99d

SHA1
6a5ea3874095e285c7311f81719344801e407e78

SHA256
e01aa1f3af160de1a81321d0cb9fb9d8bc6b9790d881382da8f07cb95bc0595f

SHA512
21f8e75432270b1c6ec6d7569d9dc63d98e2c68e1435e241cd5b52ff65f932afc1c5c88cafc87fe04811c45ac41a1f8b9176c7238a6594465a9f44c8eb8b02b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\jvmspecs\jvmspecs.properties

Filesize
448B

MD5
9ea1f68278fc08c315a1457237da584a

SHA1
0387799d27cd1944a1798d82613786fc91ade4c1

SHA256
b374be5a723bc5e3fff8c9ad5b9ee1aab09e814b1bed53d569e82e3653af5d9e

SHA512
fe02dd56c7f8b2c99e7f9673128c4867b6682c3081452bf0a78420ab910670d3a9866fa0e2ce2f891795bec8a9cc690468441130abef4e3700542f9da2d4c6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\resource\iawin64_x64.dll

Filesize
130KB

MD5
29abcd83cadb184d0e2552a6103bad44

SHA1
902131c67019b6f27aa02b60db9ce8fae7259f05

SHA256
85bf3ff44c3ec0883947ae7f38c152ac4f97350d95a40f0db01f8923192dc617

SHA512
5058f15ff99321ecfd1e7054739bd764c0e6da240b485c92326691869ba75e912ff705a90659a882a92a5039e5e7fafa8043629ce83e8b950721d4c1d702daa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\setup.exe

Filesize
538KB

MD5
5f0c61a74ae912c9b37bceb449b8b33e

SHA1
9d90020032e44e2a8465c77fb85ece57f2a09193

SHA256
dede6586c6679f0dbcb242572c4a7a617c7c960a39c9417673574db8ad813997

SHA512
53b23ecc33dc91e2de62c9c07ec7feedfbe8093f95496abf836eaee507f9096294dd6d4618a99297ad32b1117eb16a3ff5f9cf387b8d99235cf47659b24981e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\setup.exe

Filesize
538KB

MD5
5f0c61a74ae912c9b37bceb449b8b33e

SHA1
9d90020032e44e2a8465c77fb85ece57f2a09193

SHA256
dede6586c6679f0dbcb242572c4a7a617c7c960a39c9417673574db8ad813997

SHA512
53b23ecc33dc91e2de62c9c07ec7feedfbe8093f95496abf836eaee507f9096294dd6d4618a99297ad32b1117eb16a3ff5f9cf387b8d99235cf47659b24981e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270171\Windows\setup.lax

Filesize
1KB

MD5
6775ee9a0c7ec3c4c3518312facea186

SHA1
128e666f482d201910a5b620afc595736f18fa78

SHA256
c95de3e32edf58eb2f6c0c82a80033a30cd0a4c0e86a7d98ec56a1c5117574bf

SHA512
350b0ca1e6ac0a42768b1516049a6cbe0d3c90115e760cf97ac0e19f30af765130990c62de9441d35c49e4f590b6ef1b825c86f71669ed8ae2962af91f8f3f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270171\sea_loc

Filesize
45B

MD5
d8143de7a6779bf01772f9b0565f41f7

SHA1
c7556bb074f53750314eb9d8c6614ccfd0f0c93c

SHA256
da9d71d6fec28ff5dbcab9094a9310ce83a009d6c7c1538fff5aebf48a461f73

SHA512
3b8c55e75b912614ed1738cfe6aefb97c0d2ff29dbb02d5ee0bc795a726e7a176c9549151621aaad39babfa398a917b3c9104c66718c9f78abadcfee14fde6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lax1102.tmp

Filesize
6KB

MD5
a9151a4cbffbcad1cd331f817f9a6f05

SHA1
f12cdb213f6b0c803d3c98edb7d466e83fa600a0

SHA256
1fba88aba081590f5f40c5479ec17ad82d819fc2af5dbb03495c04e4dc8d4a8a

SHA512
fb84b50512c55f5494de7ceff61c01eb2049058e5a78e6b3f3f4d9fc7cd41cb065945d98287098fc5139959cdc48070ebb174bc92c9dbbed40f9e581a21787b8

Download Submit
\Users\Admin\AppData\Local\Temp\I1683270171\Windows\resource\iawin64_x64.dll

Filesize
130KB

MD5
29abcd83cadb184d0e2552a6103bad44

SHA1
902131c67019b6f27aa02b60db9ce8fae7259f05

SHA256
85bf3ff44c3ec0883947ae7f38c152ac4f97350d95a40f0db01f8923192dc617

SHA512
5058f15ff99321ecfd1e7054739bd764c0e6da240b485c92326691869ba75e912ff705a90659a882a92a5039e5e7fafa8043629ce83e8b950721d4c1d702daa3

Download Submit
\Users\Admin\AppData\Local\Temp\I1683270171\Windows\setup.exe

Filesize
538KB

MD5
5f0c61a74ae912c9b37bceb449b8b33e

SHA1
9d90020032e44e2a8465c77fb85ece57f2a09193

SHA256
dede6586c6679f0dbcb242572c4a7a617c7c960a39c9417673574db8ad813997

SHA512
53b23ecc33dc91e2de62c9c07ec7feedfbe8093f95496abf836eaee507f9096294dd6d4618a99297ad32b1117eb16a3ff5f9cf387b8d99235cf47659b24981e9

Download Submit
memory/828-125-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/828-120-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/828-132-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/828-118-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/828-113-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/828-112-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/828-163-0x0000000001E90000-0x0000000001E9A000-memory.dmp

Filesize
40KB

Download
memory/828-161-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/828-164-0x0000000001E90000-0x0000000001E9A000-memory.dmp

Filesize
40KB

Download
memory/828-170-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/828-173-0x0000000001E90000-0x0000000001E9A000-memory.dmp

Filesize
40KB

Download
memory/828-174-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/828-191-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads