05f70889faab9026b3f10a7c7d57d80ed8b86b3b4cf0531730f11990f1ce0d17

Analysis

max time kernel
14s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05f70889faab9026b3f10a7c7d57d80ed8b86b3b4cf0531730f11990f1ce0d17.exe
Size

8.5MB
MD5

36f483ebb13c2e7bea84e97e117062f4
SHA1

3f782b2398848dfdf63c7230b9b96d47c4268a97
SHA256

05f70889faab9026b3f10a7c7d57d80ed8b86b3b4cf0531730f11990f1ce0d17
SHA512

07c1527f27c0bcc68e94f8c1113411ebf1cb0a41020554a7417082ff22d086431c7a21b88ed437efd61aff29cc40ab56e402f0833542ed296c57815a32f2bf0e
SSDEEP

196608:CmmtcGjKom4Xhtblbr1S//m1In+V6FDHiwKCeysU:Pmtdl1bRuoIv7iRU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
392	BLCC5_3_23.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3060	icacls.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	312	wmic.exe
Token: SeSecurityPrivilege	312	wmic.exe
Token: SeTakeOwnershipPrivilege	312	wmic.exe
Token: SeLoadDriverPrivilege	312	wmic.exe
Token: SeSystemProfilePrivilege	312	wmic.exe
Token: SeSystemtimePrivilege	312	wmic.exe
Token: SeProfSingleProcessPrivilege	312	wmic.exe
Token: SeIncBasePriorityPrivilege	312	wmic.exe
Token: SeCreatePagefilePrivilege	312	wmic.exe
Token: SeBackupPrivilege	312	wmic.exe
Token: SeRestorePrivilege	312	wmic.exe
Token: SeShutdownPrivilege	312	wmic.exe
Token: SeDebugPrivilege	312	wmic.exe
Token: SeSystemEnvironmentPrivilege	312	wmic.exe
Token: SeRemoteShutdownPrivilege	312	wmic.exe
Token: SeUndockPrivilege	312	wmic.exe
Token: SeManageVolumePrivilege	312	wmic.exe
Token: 33	312	wmic.exe
Token: 34	312	wmic.exe
Token: 35	312	wmic.exe
Token: 36	312	wmic.exe
Token: SeIncreaseQuotaPrivilege	312	wmic.exe
Token: SeSecurityPrivilege	312	wmic.exe
Token: SeTakeOwnershipPrivilege	312	wmic.exe
Token: SeLoadDriverPrivilege	312	wmic.exe
Token: SeSystemProfilePrivilege	312	wmic.exe
Token: SeSystemtimePrivilege	312	wmic.exe
Token: SeProfSingleProcessPrivilege	312	wmic.exe
Token: SeIncBasePriorityPrivilege	312	wmic.exe
Token: SeCreatePagefilePrivilege	312	wmic.exe
Token: SeBackupPrivilege	312	wmic.exe
Token: SeRestorePrivilege	312	wmic.exe
Token: SeShutdownPrivilege	312	wmic.exe
Token: SeDebugPrivilege	312	wmic.exe
Token: SeSystemEnvironmentPrivilege	312	wmic.exe
Token: SeRemoteShutdownPrivilege	312	wmic.exe
Token: SeUndockPrivilege	312	wmic.exe
Token: SeManageVolumePrivilege	312	wmic.exe
Token: 33	312	wmic.exe
Token: 34	312	wmic.exe
Token: 35	312	wmic.exe
Token: 36	312	wmic.exe
Token: SeIncreaseQuotaPrivilege	2560	wmic.exe
Token: SeSecurityPrivilege	2560	wmic.exe
Token: SeTakeOwnershipPrivilege	2560	wmic.exe
Token: SeLoadDriverPrivilege	2560	wmic.exe
Token: SeSystemProfilePrivilege	2560	wmic.exe
Token: SeSystemtimePrivilege	2560	wmic.exe
Token: SeProfSingleProcessPrivilege	2560	wmic.exe
Token: SeIncBasePriorityPrivilege	2560	wmic.exe
Token: SeCreatePagefilePrivilege	2560	wmic.exe
Token: SeBackupPrivilege	2560	wmic.exe
Token: SeRestorePrivilege	2560	wmic.exe
Token: SeShutdownPrivilege	2560	wmic.exe
Token: SeDebugPrivilege	2560	wmic.exe
Token: SeSystemEnvironmentPrivilege	2560	wmic.exe
Token: SeRemoteShutdownPrivilege	2560	wmic.exe
Token: SeUndockPrivilege	2560	wmic.exe
Token: SeManageVolumePrivilege	2560	wmic.exe
Token: 33	2560	wmic.exe
Token: 34	2560	wmic.exe
Token: 35	2560	wmic.exe
Token: 36	2560	wmic.exe
Token: SeIncreaseQuotaPrivilege	2560	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3024	javaw.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 392	4084	05f70889faab9026b3f10a7c7d57d80ed8b86b3b4cf0531730f11990f1ce0d17.exe	89
PID 4084 wrote to memory of 392	4084	05f70889faab9026b3f10a7c7d57d80ed8b86b3b4cf0531730f11990f1ce0d17.exe	89
PID 4084 wrote to memory of 392	4084	05f70889faab9026b3f10a7c7d57d80ed8b86b3b4cf0531730f11990f1ce0d17.exe	89
PID 392 wrote to memory of 3024	392	BLCC5_3_23.exe	90
PID 392 wrote to memory of 3024	392	BLCC5_3_23.exe	90
PID 3024 wrote to memory of 3060	3024	javaw.exe	92
PID 3024 wrote to memory of 3060	3024	javaw.exe	92
PID 3024 wrote to memory of 312	3024	javaw.exe	95
PID 3024 wrote to memory of 312	3024	javaw.exe	95
PID 3024 wrote to memory of 2560	3024	javaw.exe	98
PID 3024 wrote to memory of 2560	3024	javaw.exe	98
PID 3024 wrote to memory of 4628	3024	javaw.exe	100
PID 3024 wrote to memory of 4628	3024	javaw.exe	100
PID 3024 wrote to memory of 1528	3024	javaw.exe	102
PID 3024 wrote to memory of 1528	3024	javaw.exe	102
PID 3024 wrote to memory of 1540	3024	javaw.exe	104
PID 3024 wrote to memory of 1540	3024	javaw.exe	104

C:\Users\Admin\AppData\Local\Temp\05f70889faab9026b3f10a7c7d57d80ed8b86b3b4cf0531730f11990f1ce0d17.exe
"C:\Users\Admin\AppData\Local\Temp\05f70889faab9026b3f10a7c7d57d80ed8b86b3b4cf0531730f11990f1ce0d17.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\I1706200431\Windows\BLCC5_3_23.exe
  C:\Users\Admin\AppData\Local\Temp\I1706200431\Windows\BLCC5_3_23.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -Xms16777216 -Xmx50331648 -classpath "C:\Users\Admin\AppData\Local\Temp\I1706200431\InstallerData\IAClasses.zip;C:\Users\Admin\AppData\Local\Temp\I1706200431\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1706200431\Windows\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1706200431\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1706200431\Windows\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1706200431\InstallerData;C:\Users\Admin\AppData\Local\Temp\I1706200431\Windows\InstallerData;" com.zerog.lax.LAX "C:/Users/Admin/AppData/Local/Temp/I1706200431/Windows/BLCC5_3_23.lax" "C:/Users/Admin/AppData/Local/Temp/lax49AB.tmp"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:3060
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:312
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2560
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get name
      4⤵
      PID:4628
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get name
      4⤵
      PID:1528
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get version
      4⤵
      PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
330361bcb97d06e29c5110ee68c10926

SHA1
770e1fc769d6ca97fdc77b9abe205d472a1f2e0e

SHA256
e9933565cefbcd4c2534cfe8458ff8bc4d0ec0cd3675c4749b22a159361553ca

SHA512
b2fb2250d6d0180eb63c54487705bee33dbb299229021955aad74ac4b13c1ee5df86f7696376876db3f56b04ac79675b224559740dd76d1c3eae9ef2b7fd2623

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1706200431\InstallerData\Execute.zip

Filesize
896KB

MD5
d4de483f2ac18b45d692b447f9978e13

SHA1
08f8cd929ef00d17c6dadec5fac26b3ea174fb22

SHA256
e7f8afcec736d79f66bccf508f6d4815ab2954768d5b974b72b2b08cf0aee9a4

SHA512
89765e1facfaf5845704373182250e5feac7a1e62ea4c1b4b0549a904ecbe72c45146659226d7b36e1ed42ca3128b328b8127cbe7d0033475f58e4563089644a

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1706200431\InstallerData\IAClasses.zip

Filesize
1.7MB

MD5
bbc4e6fb82c8c6e3e4cefc413365701b

SHA1
632a1ee4dae2c8f3fca164ff6b01b11acca72a78

SHA256
a2ba6332ff6d4efa348eababb15330fc167f262192803b4966cf1ad1f3ce8b93

SHA512
454e187ee6147d630d3b475ccf28394d058ddf5a2723724ee47d5286bbea5592782d9d247d1c45d2e48391cd215b29140ed4929c63e482f95fa08ea3a3bbcfe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1706200431\Windows\BLCC5_3_23.exe

Filesize
545KB

MD5
2a0a5f4f9eb7f74c8dc5752368a85b56

SHA1
1834bb55003cdcea05cb715ab8d99eca6f3f1250

SHA256
d7821a898e6cb83641032ead55703d9656d7a38061c1b5e73be66899322856db

SHA512
3fa6c28ae8e9eb972bcaba7c7ec1fa2bcca425a4fea1c731486fdbaa1d1f19b6aea8467bd6483bef2e945a66c304fd2fa57c997ba8c97ea24772108750b124d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1706200431\Windows\BLCC5_3_23.lax

Filesize
1KB

MD5
5c1105af1c9d3caed695aa9ef23d0342

SHA1
ad44b9eee6b85ef1e4bb772e7168d5770f247aef

SHA256
b70f0c2c75c7d60c89e793101398635f730e66e9de3d4a2865f4857c9c2d8688

SHA512
a0084b35bd6e00823ce4d3651ed5e7d57a2c1fa0ccd2c7ef90d5920dc1f61899d8362f9535106c691977e617f45d88ad3da0335944f3cc3b5cf7fba6949668e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1706200431\Windows\jvmspecs\jvmspecs.properties

Filesize
498B

MD5
50c6a7f50d51b90ad8bd9f8460dbb886

SHA1
e7ad5b856d8e8953ba9a936bf515c7c0fb4f572c

SHA256
32802562589e6868ef929b91eaef37997f3d44eadb107422480ae8c03ea32a42

SHA512
344ec97754fdf1f6a0bc9a69fdd7ad725786602c32ec50428f17770df5e9a4c84e9f864415ccf1daf900c5ee949e5aff3e26976583ef4678883f09cd891bde29

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1706200431\Windows\resource\iawin64_x64.dll

Filesize
142KB

MD5
290cf550cbf94339470d665267a50790

SHA1
1449c90d1f770effcbe3170be255a1b99374a685

SHA256
94e116d5714e9bd6c8989675d5c9405192f8d57149a998ccb5c3c2b6d1572f84

SHA512
7db0b95c0361240ec2d7def897217b9d1721cc180c92eddfa2e96dac95a21ce64701c3ef041d216e407a7f98310c3870fa5ac843ab4f3bad2d1b029c1c7f4a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1706200431\sea_loc

Filesize
104B

MD5
598020303c0297bd661af1ad06c98929

SHA1
6ddd80345ecbd012aafbf0d1f16912ced7b1f69c

SHA256
45ded9aa991ca36135a5701df68986495efcadfba7373cc629c06d116eef8399

SHA512
c656ceb100a142273654fa5bdf3d5a93802354f039d3589564c900bec1adb2adee379d855f10672694af53bceae2c4e8d46d3b5cbf2dc0a037432d666fb0ea83

Download Submit
C:\Users\Admin\AppData\Local\Temp\lax49AB.tmp

Filesize
6KB

MD5
ff3f17d57b9e3fd0862e4fb9d1b8025e

SHA1
4d62d84501dc99034f77cb4ee3088f1679a37341

SHA256
01daf9f34522afd384bdfa4e9767d801aad09725c4dfaf806dfb8116ad957c86

SHA512
b47755057f0e4c846aaf4131d30a2a13aeed78f9d5016958c7acd0c2398e8a40c34b9043649bf0775d8c545b4d6c7d7ceb24fc6f08104094823916bb90d28d37

Download Submit
memory/3024-74-0x0000022198570000-0x0000022198571000-memory.dmp

Filesize
4KB

Download
memory/3024-96-0x0000022198570000-0x0000022198571000-memory.dmp

Filesize
4KB

Download
memory/3024-72-0x0000022198570000-0x0000022198571000-memory.dmp

Filesize
4KB

Download
memory/3024-69-0x0000022198570000-0x0000022198571000-memory.dmp

Filesize
4KB

Download
memory/3024-64-0x0000022198570000-0x0000022198571000-memory.dmp

Filesize
4KB

Download
memory/3024-55-0x0000022198590000-0x0000022199590000-memory.dmp

Filesize
16.0MB

Download
memory/3024-78-0x0000022198570000-0x0000022198571000-memory.dmp

Filesize
4KB

Download
memory/3024-84-0x0000022198570000-0x0000022198571000-memory.dmp

Filesize
4KB

Download
memory/3024-88-0x0000022198590000-0x0000022199590000-memory.dmp

Filesize
16.0MB

Download
memory/3024-71-0x0000022198570000-0x0000022198571000-memory.dmp

Filesize
4KB

Download
memory/3024-101-0x0000022198570000-0x0000022198571000-memory.dmp

Filesize
4KB

Download
memory/3024-100-0x0000022198590000-0x0000022199590000-memory.dmp

Filesize
16.0MB

Download
memory/3024-112-0x0000022198590000-0x0000022199590000-memory.dmp

Filesize
16.0MB

Download
memory/3024-115-0x0000022198570000-0x0000022198571000-memory.dmp

Filesize
4KB

Download
memory/3024-117-0x0000022198590000-0x0000022199590000-memory.dmp

Filesize
16.0MB

Download
memory/3024-125-0x0000022198590000-0x0000022199590000-memory.dmp

Filesize
16.0MB

Download
memory/3024-150-0x0000022198570000-0x0000022198571000-memory.dmp

Filesize
4KB

Download