3ce09172fdc7be44b974fc544d775c712e1b220a79847b4ce9403e7529101356

Analysis

max time kernel
908s
max time network
867s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14/06/2023, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lua2exe.zip
Size

199.9MB
MD5

85be5d886585bf69d7ed17dbb02b6946
SHA1

2ae001bc66000b19a13bf2cdf14866256bd28d45
SHA256

3ce09172fdc7be44b974fc544d775c712e1b220a79847b4ce9403e7529101356
SHA512

19d780a51935022e3d2ad7aa2c47221c2a02047b646dbd2bd96d1fc203b83c2eceb69de0c895529c96000b3a7ff7a8cf895ba00d30cb13fb8b9c53740d0e8d35
SSDEEP

6291456:NDDCNTIpHNjKzxj+bNZfQE5CK2jYbHmmFOg:ZIIFpaqNZoEQKFJl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4952	doge.exe
3720	doge.exe
3436	doge.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2624	4952	WerFault.exe	111
4928	3720	WerFault.exe	115

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\lua_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\.lua	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\lua_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\lua_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\lua_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\lua_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\.c	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\c_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\c_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\c_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\c_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\lua_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\.lua\ = "lua_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\lua_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\c_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\c_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\c_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\lua_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\c_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\.c\ = "c_auto_file"	OpenWith.exe

Opens file in notepad (likely ransom note) 4 IoCs

ransomware

pid	Process
3064	NOTEPAD.EXE
4160	NOTEPAD.EXE
360	NOTEPAD.EXE
4260	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4016	OpenWith.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
2368	OpenWith.exe
2368	OpenWith.exe
2368	OpenWith.exe
2368	OpenWith.exe
2368	OpenWith.exe
2368	OpenWith.exe
2368	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe
4888	OpenWith.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 3404	3964	cmd.exe	81
PID 3964 wrote to memory of 3404	3964	cmd.exe	81
PID 4016 wrote to memory of 360	4016	OpenWith.exe	83
PID 4016 wrote to memory of 360	4016	OpenWith.exe	83
PID 1584 wrote to memory of 2420	1584	cmd.exe	88
PID 1584 wrote to memory of 2420	1584	cmd.exe	88
PID 2368 wrote to memory of 4260	2368	OpenWith.exe	91
PID 2368 wrote to memory of 4260	2368	OpenWith.exe	91
PID 1584 wrote to memory of 1932	1584	cmd.exe	93
PID 1584 wrote to memory of 1932	1584	cmd.exe	93
PID 1932 wrote to memory of 1964	1932	lua.exe	94
PID 1932 wrote to memory of 1964	1932	lua.exe	94
PID 1964 wrote to memory of 2904	1964	cmd.exe	95
PID 1964 wrote to memory of 2904	1964	cmd.exe	95
PID 1932 wrote to memory of 4536	1932	lua.exe	96
PID 1932 wrote to memory of 4536	1932	lua.exe	96
PID 4536 wrote to memory of 3896	4536	cmd.exe	97
PID 4536 wrote to memory of 3896	4536	cmd.exe	97
PID 3896 wrote to memory of 2600	3896	gcc.exe	98
PID 3896 wrote to memory of 2600	3896	gcc.exe	98
PID 1584 wrote to memory of 3600	1584	cmd.exe	99
PID 1584 wrote to memory of 3600	1584	cmd.exe	99
PID 4888 wrote to memory of 3064	4888	OpenWith.exe	101
PID 4888 wrote to memory of 3064	4888	OpenWith.exe	101
PID 1584 wrote to memory of 872	1584	cmd.exe	103
PID 1584 wrote to memory of 872	1584	cmd.exe	103
PID 872 wrote to memory of 2824	872	gcc.exe	104
PID 872 wrote to memory of 2824	872	gcc.exe	104
PID 1584 wrote to memory of 1744	1584	cmd.exe	106
PID 1584 wrote to memory of 1744	1584	cmd.exe	106
PID 1744 wrote to memory of 4008	1744	gcc.exe	107
PID 1744 wrote to memory of 4008	1744	gcc.exe	107
PID 1744 wrote to memory of 3616	1744	gcc.exe	108
PID 1744 wrote to memory of 3616	1744	gcc.exe	108
PID 1744 wrote to memory of 2212	1744	gcc.exe	109
PID 1744 wrote to memory of 2212	1744	gcc.exe	109
PID 2212 wrote to memory of 3784	2212	collect2.exe	110
PID 2212 wrote to memory of 3784	2212	collect2.exe	110
PID 1584 wrote to memory of 3964	1584	cmd.exe	119
PID 1584 wrote to memory of 3964	1584	cmd.exe	119
PID 3964 wrote to memory of 4856	3964	gcc.exe	120
PID 3964 wrote to memory of 4856	3964	gcc.exe	120
PID 3964 wrote to memory of 5096	3964	gcc.exe	121
PID 3964 wrote to memory of 5096	3964	gcc.exe	121
PID 3964 wrote to memory of 4004	3964	gcc.exe	122
PID 3964 wrote to memory of 4004	3964	gcc.exe	122
PID 4004 wrote to memory of 1616	4004	collect2.exe	123
PID 4004 wrote to memory of 1616	4004	collect2.exe	123

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\lua2exe.zip
1⤵
PID:2516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\lua2exe\lte.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\Desktop\lua2exe\source\lualib\lua.exe
  lualib\lua.exe convert.lua C:\Users\Admin\Desktop\lua2exe\
  2⤵
  PID:3404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\source\convert.lua
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:360

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\Desktop\lua2exe\source\lualib\lua.exe
  lualib\lua.exe convert.lua C:\Users\Admin\Desktop\lua2exe\
  2⤵
  PID:2420
- C:\Users\Admin\Desktop\lua2exe\source\lualib\lua.exe
  lualib\lua.exe convert.lua in.lua -o out.exe C:\Users\Admin\Desktop\lua2exe\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c lualib\luac54.exe -o generated_lua_bytecode.luac C:\Users\Admin\Desktop\lua2exe\in.lua
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\Desktop\lua2exe\source\lualib\luac54.exe
      lualib\luac54.exe -o generated_lua_bytecode.luac C:\Users\Admin\Desktop\lua2exe\in.lua
      4⤵
      PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c compiler\mingw64\bin\gcc.exe generated_c.c -o C:\Users\Admin\Desktop\lua2exe\out.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe
      compiler\mingw64\bin\gcc.exe generated_c.c -o C:\Users\Admin\Desktop\lua2exe\out.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe
        
        C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/cc1.exe -quiet -iprefix C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/ -D_REENTRANT generated_c.c -quiet -dumpdir C:\Users\Admin\Desktop\lua2exe\out- -dumpbase generated_c.c -dumpbase-ext .c -mtune=core2 -march=nocona -o C:\Users\Admin\AppData\Local\Temp\cctkPs5d.s
        5⤵
        
        PID:2600
- C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe
  gcc.exe
  2⤵
  PID:3600
- C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe
  gcc.exe lol.c -o doge.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe
    C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/cc1.exe -quiet -iprefix C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/ -D_REENTRANT lol.c -quiet -dumpdir doge- -dumpbase lol.c -dumpbase-ext .c -mtune=core2 -march=nocona -o C:\Users\Admin\AppData\Local\Temp\ccSirhCD.s
    3⤵
    PID:2824
- C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe
  gcc.exe lol.c -o doge.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe
    C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/cc1.exe -quiet -iprefix C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/ -D_REENTRANT lol.c -quiet -dumpdir doge- -dumpbase lol.c -dumpbase-ext .c -mtune=core2 -march=nocona -o C:\Users\Admin\AppData\Local\Temp\ccamUgwA.s
    3⤵
    PID:4008
- - C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\x86_64-w64-mingw32\bin\as.exe
    C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/bin/as.exe -o C:\Users\Admin\AppData\Local\Temp\ccC2m6jA.o C:\Users\Admin\AppData\Local\Temp\ccamUgwA.s
    3⤵
    PID:3616
- - C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\collect2.exe
    C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/collect2.exe -plugin C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/liblto_plugin.dll -plugin-opt=C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/lto-wrapper.exe -plugin-opt=-fresolution=C:\Users\Admin\AppData\Local\Temp\ccXAPSvT.res -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-lpthread -plugin-opt=-pass-through=-ladvapi32 -plugin-opt=-pass-through=-lshell32 -plugin-opt=-pass-through=-luser32 -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-liconv -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 --sysroot=C:/buildroot/x86_64-1310-posix-seh-msvcrt-rt_v11-rev1/mingw64 -m i386pep -Bdynamic -o doge.exe C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib/crt2.o C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtbegin.o -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0 -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../.. C:\Users\Admin\AppData\Local\Temp\ccC2m6jA.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 -lpthread -ladvapi32 -lshell32 -luser32 -lkernel32 -liconv -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtend.o
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\x86_64-w64-mingw32\bin\ld.exe
      C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe -plugin C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/liblto_plugin.dll -plugin-opt=C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/lto-wrapper.exe -plugin-opt=-fresolution=C:\Users\Admin\AppData\Local\Temp\ccXAPSvT.res -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-lpthread -plugin-opt=-pass-through=-ladvapi32 -plugin-opt=-pass-through=-lshell32 -plugin-opt=-pass-through=-luser32 -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-liconv -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 --sysroot=C:/buildroot/x86_64-1310-posix-seh-msvcrt-rt_v11-rev1/mingw64 -m i386pep -Bdynamic -o doge.exe C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib/crt2.o C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtbegin.o -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0 -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../.. C:\Users\Admin\AppData\Local\Temp\ccC2m6jA.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 -lpthread -ladvapi32 -lshell32 -luser32 -lkernel32 -liconv -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtend.o
      4⤵
      PID:3784
- C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe
  gcc.exe lol.c -o doge.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe
    C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/cc1.exe -quiet -iprefix C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/ -D_REENTRANT lol.c -quiet -dumpdir doge- -dumpbase lol.c -dumpbase-ext .c -mtune=core2 -march=nocona -o C:\Users\Admin\AppData\Local\Temp\ccf9SMVZ.s
    3⤵
    PID:4856
- - C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\x86_64-w64-mingw32\bin\as.exe
    C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/bin/as.exe -o C:\Users\Admin\AppData\Local\Temp\ccjtRy47.o C:\Users\Admin\AppData\Local\Temp\ccf9SMVZ.s
    3⤵
    PID:5096
- - C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\collect2.exe
    C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/collect2.exe -plugin C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/liblto_plugin.dll -plugin-opt=C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/lto-wrapper.exe -plugin-opt=-fresolution=C:\Users\Admin\AppData\Local\Temp\ccpMC4Pe.res -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-lpthread -plugin-opt=-pass-through=-ladvapi32 -plugin-opt=-pass-through=-lshell32 -plugin-opt=-pass-through=-luser32 -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-liconv -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 --sysroot=C:/buildroot/x86_64-1310-posix-seh-msvcrt-rt_v11-rev1/mingw64 -m i386pep -Bdynamic -o doge.exe C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib/crt2.o C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtbegin.o -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0 -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../.. C:\Users\Admin\AppData\Local\Temp\ccjtRy47.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 -lpthread -ladvapi32 -lshell32 -luser32 -lkernel32 -liconv -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtend.o
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\x86_64-w64-mingw32\bin\ld.exe
      C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe -plugin C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/liblto_plugin.dll -plugin-opt=C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/lto-wrapper.exe -plugin-opt=-fresolution=C:\Users\Admin\AppData\Local\Temp\ccpMC4Pe.res -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-lpthread -plugin-opt=-pass-through=-ladvapi32 -plugin-opt=-pass-through=-lshell32 -plugin-opt=-pass-through=-luser32 -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-liconv -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 --sysroot=C:/buildroot/x86_64-1310-posix-seh-msvcrt-rt_v11-rev1/mingw64 -m i386pep -Bdynamic -o doge.exe C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib/crt2.o C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtbegin.o -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0 -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../.. C:\Users\Admin\AppData\Local\Temp\ccjtRy47.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 -lpthread -ladvapi32 -lshell32 -luser32 -lkernel32 -liconv -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtend.o
      4⤵
      PID:1616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\in.lua
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\lol.c
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3064

C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe
"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe"
1⤵
- Executes dropped EXE
PID:4952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4952 -s 164
  2⤵
  - Program crash
  PID:2624

C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe
"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe"
1⤵
- Executes dropped EXE
PID:3720
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3720 -s 132
  2⤵
  - Program crash
  PID:4928

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\lol.c
1⤵
- Opens file in notepad (likely ransom note)
PID:4160

C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe
"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe"
1⤵
- Executes dropped EXE
PID:3436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ccC2m6jA.o

Filesize
1KB

MD5
ea4bdefbe5ad111bd32a23fe558c9ff5

SHA1
b611b44cd762f2d1776872315731eed7174b48ba

SHA256
8e97e804be76c3f3b052b2ddbc966a3fefb5317f56c5c80719888c054cfa946a

SHA512
68c8329b1c98ed02d782830df9cbe44ed3cb8334151a385eb692da83a3c5790fe0b31975c77e12f66ff0f09fa483f4e2b2d6aed79ab66f3e318196367ce6b2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccamUgwA.s

Filesize
1KB

MD5
0f338409784779e4b75b1e443acba04f

SHA1
27b7d8d6351a4d38ed0a8e612753714c7431e589

SHA256
bf47f41584059ddf057e898236a1db3e5911aecf7a517932a7010b868ff2feb0

SHA512
f93800d0d6347a355deeb1fd482efbf3ec0b67aaef09be34134ef7c35549541307b1cf3c78e1c43ce549ab58cee155a8d07c967a1b92e853685f54ab891e2f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccf9SMVZ.s

Filesize
1KB

MD5
10e0ef28dad3c9db5bd891bd62f821ab

SHA1
d2b13d9ed669b4dd36e0a42913b896577d150148

SHA256
8bdebc49501f2ebb0a10b2a0d107a206f2a76dc31ef6f686d61c7268f6652585

SHA512
6b4b0b03ce8609558ddae08333d1a592a2d9a2617e7fd1b6ade6b1e72ffd17f3aa7b4ddcbe43369a53d26e68920ff9ec388d3eab60d7e0e79e839fe1efde628e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccjtRy47.o

Filesize
1KB

MD5
29e1c9b1a68dc471f39ce16428656f34

SHA1
884cbb28c30b0edad51fc29c6b3917c17bdd1a97

SHA256
41ea9685dadbfe06edab9fcc8785f805d06ef37cfc554b361e02f817d7412999

SHA512
b9ac94b01d36201d320cc4ea90de1c04ed704e92ecb656d8d95a071218a242ee0be146f8d2d6d0eac2643f1b189387ad13fb31d4e5e782172353d3fcb1435a75

Download Submit
C:\Users\Admin\Desktop\lua2exe\in.lua

Filesize
21B

MD5
a34b35c4670e93e7e6b045017dcf50a8

SHA1
0e272ac247eb64b53c48a6c17ee1f9d686165f01

SHA256
830c23c40505782a4fd7b5517783696a69856956266b7a26a4a55ccbdf22ba9e

SHA512
4da353fcd8e4cac8be252ea8bcd1252de54ac941f322e3bf64385bbc4dca78dfd04b4464ea4029b761e9bb5b8148e738bc66c02b4170d483c03fdaadde66f1c6

Download Submit
C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe

Filesize
74KB

MD5
05abd537551101f4d8acc86b7135203b

SHA1
78d96bd306119073a175482e0125a6e8aa7aa552

SHA256
01db93d19015ad10d31345c1bc685a9922ac1e7d3dce4c3eae3a9639f904be81

SHA512
30365741bbbcb822a7ac3053881bed7eb0d2cda94ebd1599154865b5beffa4438084300766765a10b11763abc98894a25a75671785380bf08ca9ee6b8bf6d970

Download Submit
C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe

Filesize
74KB

MD5
05abd537551101f4d8acc86b7135203b

SHA1
78d96bd306119073a175482e0125a6e8aa7aa552

SHA256
01db93d19015ad10d31345c1bc685a9922ac1e7d3dce4c3eae3a9639f904be81

SHA512
30365741bbbcb822a7ac3053881bed7eb0d2cda94ebd1599154865b5beffa4438084300766765a10b11763abc98894a25a75671785380bf08ca9ee6b8bf6d970

Download Submit
C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe

Filesize
74KB

MD5
05abd537551101f4d8acc86b7135203b

SHA1
78d96bd306119073a175482e0125a6e8aa7aa552

SHA256
01db93d19015ad10d31345c1bc685a9922ac1e7d3dce4c3eae3a9639f904be81

SHA512
30365741bbbcb822a7ac3053881bed7eb0d2cda94ebd1599154865b5beffa4438084300766765a10b11763abc98894a25a75671785380bf08ca9ee6b8bf6d970

Download Submit
C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe

Filesize
74KB

MD5
f67162fbb7d26e5949e2a5c225c4a8d2

SHA1
f125071a8135160793be998ec1b18f3ceea06e16

SHA256
6978b37d7c468ef15f1fe2c9d505be2771238fead13637ed705cd1e5adbdb33c

SHA512
02843cd88ac260132ac0bc60cd60d82a35f22ce034bd768b07b73abc58e63e286f1e7bcbd940bb8afb01eb98edcc665f52dfde3c5802939df0bfae14e0a32491

Download Submit
C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\lol.c

Filesize
65B

MD5
852f936202df02015a8a51a420a35f31

SHA1
168fd07c5eaca67836085677b07a61de29a0a7b9

SHA256
37adc3aae952b9a6c4bf77c20b507bc7817004874925927c27430f2e2ef17902

SHA512
9bab6bab57d744d2df148be8a684e974ecdc0b9288cb2ea5d6dbf0f34ca2c3d2d97d58b0eb4f96bd67f30bf5df5ce8a5cecdb90d9f98a5655f13b2fb512816d7

Download Submit
C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\lol.c

Filesize
76B

MD5
28eea32f2580ee70fc1c762474ae1150

SHA1
b74fa8ef93510ceedddfb39782fd5e533ac2968e

SHA256
ac407b299de469141ea97494a08e24e5d83b1100aea53650c2e824bbb397e38a

SHA512
626d59d6e32c26688b413f102d1672d9e63bd8683b830107bbde768fcb79311fb26804a2403a841194175029812d50af032c549564b656afaa66505ad3882aa1

Download Submit
C:\Users\Admin\Desktop\lua2exe\source\convert.lua

Filesize
10KB

MD5
6cb720d7db35589a53e966213de89ef4

SHA1
d32d04856ebdb3f8db37b26b6aafc3d56cbedd0a

SHA256
eeb2e66c82a919bd7bb0cedeb65bd80e73edee69b99485d9ead0bdbce188688c

SHA512
e437e634eb472178b894c8e65687c79380faf0fb36e4669f3586d75df01dee2d3a6f31c2ccc7eeb3c74ef39a5abda016bc7dd4eec811a30b6448d49c69fd4205

Download Submit
C:\Users\Admin\Desktop\lua2exe\source\generated_c.c

Filesize
1.8MB

MD5
0fa2a15da68603e4e4023568e1ea3d41

SHA1
860acfc307153711559caabf7f7857a114518ec4

SHA256
b2e36992b046106cec81b2057136d01aae85e91d33bbea8a63fd05e16a71f3f2

SHA512
e76564e892ada8d9ad4e63498a06b52c347a9fb63e5f55bcd8d1ca03e9c95215af9790aac1d62de054f0dc9f9351c1051d3dce89e49a71071bed97040dcc2730

Download Submit
C:\Users\Admin\Desktop\lua2exe\source\generated_lua_bytecode.luac

Filesize
138B

MD5
7de270b816e6f84d1b0c883df4a1e602

SHA1
b09c7c05699878d6293d40644fdeba3f1ca949f0

SHA256
174715b8e40509a169b0465676e5329806aba1d384c38b09c9f81b8caadc72c8

SHA512
5f1fc22477d55a07257089a1918a68813d2422dd5d63e92908bb0b74840606770cab4614a1c33e317c87c75c2ce33db8bebe85bd73d02957428a56fb85a78884

Download Submit
memory/872-147-0x0000000140000000-0x000000014028A000-memory.dmp

Filesize
2.5MB

Download
memory/1616-180-0x00007FF75C470000-0x00007FF75C623000-memory.dmp

Filesize
1.7MB

Download
memory/1744-162-0x0000000140000000-0x000000014028A000-memory.dmp

Filesize
2.5MB

Download
memory/1932-135-0x0000000065B80000-0x0000000065BCF000-memory.dmp

Filesize
316KB

Download
memory/1932-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1932-141-0x0000000065B80000-0x0000000065BCF000-memory.dmp

Filesize
316KB

Download
memory/1932-134-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-160-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2420-126-0x0000000065B80000-0x0000000065BCF000-memory.dmp

Filesize
316KB

Download
memory/2420-125-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2824-145-0x0000000140000000-0x0000000142209000-memory.dmp

Filesize
34.0MB

Download
memory/2904-130-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-121-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3404-122-0x0000000065B80000-0x0000000065BCF000-memory.dmp

Filesize
316KB

Download
memory/3436-186-0x00007FF7F6FE0000-0x00007FF7F6FF8000-memory.dmp

Filesize
96KB

Download
memory/3600-143-0x00007FFD67180000-0x00007FFD67196000-memory.dmp

Filesize
88KB

Download
memory/3600-142-0x0000000140000000-0x000000014028A000-memory.dmp

Filesize
2.5MB

Download
memory/3616-155-0x00007FF69AA50000-0x00007FF69AC1C000-memory.dmp

Filesize
1.8MB

Download
memory/3720-168-0x00007FF755080000-0x00007FF755098000-memory.dmp

Filesize
96KB

Download
memory/3784-159-0x00007FF75C470000-0x00007FF75C623000-memory.dmp

Filesize
1.7MB

Download
memory/3896-136-0x0000000140000000-0x000000014028A000-memory.dmp

Filesize
2.5MB

Download
memory/3896-139-0x00007FFD61460000-0x00007FFD61476000-memory.dmp

Filesize
88KB

Download
memory/3896-138-0x0000000140000000-0x000000014028A000-memory.dmp

Filesize
2.5MB

Download
memory/3896-137-0x00007FFD61460000-0x00007FFD61476000-memory.dmp

Filesize
88KB

Download
memory/3964-183-0x0000000140000000-0x000000014028A000-memory.dmp

Filesize
2.5MB

Download
memory/4004-181-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4008-152-0x00007FFD67180000-0x00007FFD67196000-memory.dmp

Filesize
88KB

Download
memory/4008-151-0x0000000140000000-0x0000000142209000-memory.dmp

Filesize
34.0MB

Download
memory/4856-172-0x0000000140000000-0x0000000142209000-memory.dmp

Filesize
34.0MB

Download
memory/4856-173-0x00007FFD67180000-0x00007FFD67196000-memory.dmp

Filesize
88KB

Download
memory/4952-166-0x00007FF755080000-0x00007FF755098000-memory.dmp

Filesize
96KB

Download
memory/5096-176-0x00007FF69AA50000-0x00007FF69AC1C000-memory.dmp

Filesize
1.8MB

Download