Analysis
max time kernel:   908s
max time network:  867s
platform:          windows10-1703_x64
resource:          win10-20230220-en
resource tags:     arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted:         14/06/2023, 15:03
Static task:       static1
Behavioral task:   behavioral1
Sample:            lua2exe.zip
Resource:          win10-20230220-en
General
Target:  lua2exe.zip
Size:    199.9MB
MD5:     85be5d886585bf69d7ed17dbb02b6946
SHA1:    2ae001bc66000b19a13bf2cdf14866256bd28d45
SHA256:  3ce09172fdc7be44b974fc544d775c712e1b220a79847b4ce9403e7529101356
SHA512:  19d780a51935022e3d2ad7aa2c47221c2a02047b646dbd2bd96d1fc203b83c2eceb69de0c895529c96000b3a7ff7a8cf895ba00d30cb13fb8b9c53740d0e8d35
SSDEEP:  6291456:NDDCNTIpHNjKzxj+bNZfQE5CK2jYbHmmFOg:ZIIFpaqNZoEQKFJl
Malware Config
Signatures
Every entry below is an automated heuristic match. Read against the process tree, the recorded activity is an interactive session driving the bundled Lua-to-EXE toolchain (lualib\lua.exe with convert.lua, luac54.exe, then MinGW-w64 GCC 13.1.0) and opening its input files in Notepad; the signatures should be read in that light rather than as independent verdicts.
Executes dropped EXE (3 IoCs)
pid   Process
4952  doge.exe
3720  doge.exe
3436  doge.exe
doge.exe is not part of the submitted archive: it is the output of "gcc.exe lol.c -o doge.exe" in the process tree, written into the toolchain's bin directory and then run three times.
Program crash (2 IoCs)
pid   pid_target  Process       procid_target
2624  4952        WerFault.exe  111
4928  3720        WerFault.exe  115
Both crashes are the freshly compiled doge.exe (PIDs 4952 and 3720); the third run (PID 3436) has no WerFault entry. In "WerFault.exe -u -p <pid> -s <n>" the -p value is the crashing PID and -s is an event handle handed over by the kernel, not an exit code or signal number.
Modifies registry class (23 IoCs)
All 23 writes are made by OpenWith.exe, the Windows "Open with" dialog, under the user's HKCU\Software\Classes hive (<Classes> below stands for \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes, and the Process column is OpenWith.exe for every row). They register .lua and .c with the auto-generated ProgIDs lua_auto_file and c_auto_file, whose open and edit verbs point at NOTEPAD.EXE, which is exactly what Windows writes when a user picks Notepad for an unknown extension; the sample itself sets no handlers.

description      ioc
Set value (str)  <Classes>\lua_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
Key created      <Classes>\.lua
Key created      <Classes>\lua_auto_file\shell\edit
Set value (str)  <Classes>\lua_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
Key created      <Classes>\lua_auto_file\shell\open
Key created      <Classes>\lua_auto_file\shell\edit\command
Key created      <Classes>\.c
Set value (str)  <Classes>\c_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
Key created      <Classes>\Local Settings
Key created      <Classes>\c_auto_file\shell\edit
Key created      <Classes>\c_auto_file\shell\edit\command
Set value (str)  <Classes>\c_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
Key created      <Classes>\Local Settings
Key created      <Classes>\lua_auto_file
Set value (str)  <Classes>\.lua\ = "lua_auto_file"
Key created      <Classes>\lua_auto_file\shell
Key created      <Classes>\c_auto_file\shell\open\command
Key created      <Classes>\c_auto_file\shell
Key created      <Classes>\c_auto_file\shell\open
Key created      <Classes>\Local Settings
Key created      <Classes>\lua_auto_file\shell\open\command
Key created      <Classes>\c_auto_file
Set value (str)  <Classes>\.c\ = "c_auto_file"
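The rows above are in the report's raw row format. What follows is an added example in Python, not part of the report or of lua2exe: it parses that format, follows each extension to its ProgID and the ProgID to its shell open and edit commands, and classifies each handler executable by where it lives, which is the check that separates the benign Notepad association seen here from a hijacked association (a handler under a user-writable path). The %SystemRoot% expansion, the path policy and the two .ps1 rows attributed to a process called sample_dropper.exe are constructed for the demonstration and do not come from this report.

```python
"""Audit file-association writes from "Modifies registry class" rows.

Added example; not the report's or lua2exe's code. The sample rows mix six rows
transcribed from the report with two constructed rows that show what a hijacked
association would look like. ENV, USER_WRITABLE and SYSTEM_ROOT are assumptions
about the analysis VM, not values taken from the report.
"""
import re

SET_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?)\\ = "(?P<val>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\.+) (?P<proc>\S+)$')
EXE_RE = re.compile(r'^(?P<exe>"[^"]+?\.exe"|[^"\s]+?\.exe)', re.IGNORECASE)

ENV = {"%SystemRoot%": "C:\\Windows"}                                     # assumed
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")  # assumed policy
SYSTEM_ROOT = "c:\\windows\\"

# Constructed sample: the first seven rows are from the report, the last two are
# invented to exercise the hijack branch (no such process exists in the report).
SAMPLE = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\.lua\ = "lua_auto_file" OpenWith.exe
Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\lua_auto_file\shell\open OpenWith.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\lua_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\lua_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\.c\ = "c_auto_file" OpenWith.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\c_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe
Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings OpenWith.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\.ps1\ = "ps1_auto_file" sample_dropper.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\ps1_auto_file\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe %1" sample_dropper.exe
"""


def parse_events(text):
    """Return (op, key, value, process) tuples; value is None for key creation."""
    events = []
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            events.append(("set", m["key"], m["val"], m["proc"]))
            continue
        m = KEY_RE.match(line)
        if m:
            events.append(("create", m["key"], None, m["proc"]))
    return events


def file_associations(events):
    """Map extension -> ProgID and ProgID -> {verb: command} from set-value events."""
    ext_to_progid, commands = {}, {}
    for op, key, val, _proc in events:
        if op != "set" or "_Classes\\" not in key:
            continue
        parts = key.split("_Classes\\", 1)[1].split("\\")
        if len(parts) == 1 and parts[0].startswith("."):          # <Classes>\.ext = ProgID
            ext_to_progid[parts[0]] = val
        elif len(parts) == 4 and parts[1] == "shell" and parts[3] == "command":
            commands.setdefault(parts[0], {})[parts[2]] = val     # ProgID\shell\<verb>\command
    return ext_to_progid, commands


def classify_handler(command):
    """Return (expanded handler exe, verdict) for a shell verb command string."""
    cmd = command.replace("\\\\", "\\")        # the report escapes backslashes in values
    for var, path in ENV.items():
        cmd = cmd.replace(var, path)
    m = EXE_RE.match(cmd)
    exe = m["exe"].strip('"') if m else cmd
    low = exe.lower()
    if low.startswith(USER_WRITABLE):          # checked first: Windows\Temp is under Windows
        return exe, "user-writable handler: possible association hijack"
    if low.startswith(SYSTEM_ROOT):
        return exe, "system handler"
    return exe, "unrecognised handler: review"


def audit(text):
    """(.ext, ProgID, verb, handler exe, verdict) for every resolvable association."""
    ext_to_progid, commands = file_associations(parse_events(text))
    findings = []
    for ext, progid in ext_to_progid.items():
        for verb, command in sorted(commands.get(progid, {}).items()):
            findings.append((ext, progid, verb) + classify_handler(command))
    return findings


if __name__ == "__main__":
    for ext, progid, verb, exe, verdict in audit(SAMPLE):
        print(f"{ext:6} {progid:15} {verb:5} {exe:50} {verdict}")
```

Run on the report's own rows the audit yields only "system handler" for .lua and .c; only the constructed .ps1 rows trip the user-writable branch.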
Opens file in notepad (likely ransom note) (4 IoCs)
pid   Process
3064  NOTEPAD.EXE
4160  NOTEPAD.EXE
360   NOTEPAD.EXE
4260  NOTEPAD.EXE
The "ransom note" wording is the signature's generic label for any NOTEPAD.EXE launch. The files opened here are the sample's own inputs (convert.lua, in.lua and lol.c, see the process tree), so in this report the hit is a false positive.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
4016  OpenWith.exe
Suspicious use of SetWindowsHookEx (37 IoCs)
pid   Process       hits
4016  OpenWith.exe  17
2368  OpenWith.exe  7
4888  OpenWith.exe  13
All 37 hits come from the three instances of Windows' own C:\Windows\system32\OpenWith.exe that spawned Notepad; the hooks are installed by the shell dialog, not by anything in the sample.
Suspicious use of WriteProcessMemory (48 IoCs)
Every child-process creation is logged twice in the raw report; the 24 distinct events, in procid order, are:

parent pid  parent Process  child pid  child procid_target
3964        cmd.exe         3404       81
4016        OpenWith.exe    360        83
1584        cmd.exe         2420       88
2368        OpenWith.exe    4260       91
1584        cmd.exe         1932       93
1932        lua.exe         1964       94
1964        cmd.exe         2904       95
1932        lua.exe         4536       96
4536        cmd.exe         3896       97
3896        gcc.exe         2600       98
1584        cmd.exe         3600       99
4888        OpenWith.exe    3064       101
1584        cmd.exe         872        103
872         gcc.exe         2824       104
1584        cmd.exe         1744       106
1744        gcc.exe         4008       107
1744        gcc.exe         3616       108
1744        gcc.exe         2212       109
2212        collect2.exe    3784       110
1584        cmd.exe         3964       119
3964        gcc.exe         4856       120
3964        gcc.exe         5096       121
3964        gcc.exe         4004       122
4004        collect2.exe    1616       123

Each row is the write a parent performs into a child it is creating (the pairs line up one-to-one with the process tree), not injection into an unrelated process. Note that PID 3964 names two different processes: the cmd.exe that launched lte.bat (parent of procid 81) exited and the kernel reused its PID for a later gcc.exe (procid 119). Join these rows to the process tree on procid_target, not on PID.
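To use rows like these for correlation, key on the sandbox's per-instance procid rather than on PID. The following Python is an added example, not Triage tooling and not part of the report: it de-duplicates the doubled rows, rebuilds the parent/child tree and reports every PID that was handed out twice. The SAMPLE string is a constructed subset of the table above.

```python
"""Rebuild the parent/child tree from Triage "wrote to memory of" rows.

Added example; not part of the report. SAMPLE is transcribed from the
WriteProcessMemory table above (eight distinct events, each logged twice). The
tree is keyed on procid_target, the sandbox's per-process-instance id, because
PIDs are recycled within one run: 3964 is first cmd.exe and later gcc.exe.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) "
    r"(?P=ppid) (?P<pimage>\S+) (?P<cprocid>\d+)"
)

# Constructed sample: a subset of the rows above, keeping the duplicated logging.
SAMPLE = """\
PID 3964 wrote to memory of 3404 3964 cmd.exe 81
PID 3964 wrote to memory of 3404 3964 cmd.exe 81
PID 1584 wrote to memory of 1932 1584 cmd.exe 93
PID 1584 wrote to memory of 1932 1584 cmd.exe 93
PID 1932 wrote to memory of 1964 1932 lua.exe 94
PID 1932 wrote to memory of 1964 1932 lua.exe 94
PID 1964 wrote to memory of 2904 1964 cmd.exe 95
PID 1964 wrote to memory of 2904 1964 cmd.exe 95
PID 1584 wrote to memory of 3964 1584 cmd.exe 119
PID 1584 wrote to memory of 3964 1584 cmd.exe 119
PID 3964 wrote to memory of 4856 3964 gcc.exe 120
PID 3964 wrote to memory of 4856 3964 gcc.exe 120
PID 3964 wrote to memory of 4004 3964 gcc.exe 122
PID 3964 wrote to memory of 4004 3964 gcc.exe 122
PID 4004 wrote to memory of 1616 4004 collect2.exe 123
PID 4004 wrote to memory of 1616 4004 collect2.exe 123
"""


def parse_rows(text):
    """Distinct (ppid, pimage, cpid, cprocid) tuples in first-occurrence order."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            rows.setdefault((int(m["ppid"]), m["pimage"], int(m["cpid"]), int(m["cprocid"])), None)
    return list(rows)


def build_tree(rows):
    """Return (children, image, reused).

    children: node -> [child procid, ...]; image: node -> image name;
    reused: (pid, previous node, new procid) whenever a PID is handed out again.
    Nodes are procids (int), or "root:<pid>" for parents never seen being created.
    """
    live = {}                    # pid -> node that currently owns that pid
    image = {}
    children = defaultdict(list)
    reused = []
    for ppid, pimage, cpid, cprocid in sorted(rows, key=lambda r: r[3]):
        parent = live.setdefault(ppid, f"root:{ppid}")
        if image.setdefault(parent, pimage) != pimage:
            raise ValueError(f"{parent} reported as both {image[parent]} and {pimage}")
        if cpid in live:         # same PID, different process instance
            reused.append((cpid, live[cpid], cprocid))
        live[cpid] = cprocid
        children[parent].append(cprocid)
    return children, image, reused


def roots(children):
    return [node for node in children if isinstance(node, str)]


def render(children, image, node, depth=0):
    """Indented text tree; a leaf never acts as a parent, so its image is unknown."""
    lines = [f"{'  ' * depth}{node}  {image.get(node, '?')}"]
    for child in children.get(node, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    children, image, reused = build_tree(rows)
    for root in roots(children):
        print("\n".join(render(children, image, root)))
    for pid, old, new in reused:
        print(f"PID {pid} reused: {old} ({image[old]}) exited, procid {new} ({image.get(new, '?')}) took it")
```

Keying on PID instead would merge the lte.bat cmd.exe and the later gcc.exe into one node and raise the image-mismatch error in build_tree; keying on procid keeps them apart and surfaces the reuse explicitly.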
Processes
Indented by depth. Each entry gives the image path, the PID and the signature hits in brackets; the line beneath it is the command line as recorded. Two things to keep in mind when reading it: the lua2exe pipeline is visible end to end (lualib\lua.exe convert.lua runs luac54.exe to turn in.lua into bytecode, writes generated_c.c and hands it to the bundled MinGW-w64 gcc with -o out.exe), and PID 3964 appears twice because the cmd.exe that ran lte.bat had exited before the kernel reused its PID for a later gcc.exe.

C:\Windows\Explorer.exe  PID 2516
  C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\lua2exe.zip

C:\Windows\System32\rundll32.exe  PID 980
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe  PID 3964  [Suspicious use of WriteProcessMemory]
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\lua2exe\lte.bat" "
    C:\Users\Admin\Desktop\lua2exe\source\lualib\lua.exe  PID 3404
      lualib\lua.exe convert.lua C:\Users\Admin\Desktop\lua2exe\

C:\Windows\system32\OpenWith.exe  PID 4016  [Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory]
  C:\Windows\system32\OpenWith.exe -Embedding
    C:\Windows\system32\NOTEPAD.EXE  PID 360  [Opens file in notepad (likely ransom note)]
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\source\convert.lua

C:\Windows\system32\cmd.exe  PID 1584  [Suspicious use of WriteProcessMemory]
  "C:\Windows\system32\cmd.exe"
    C:\Users\Admin\Desktop\lua2exe\source\lualib\lua.exe  PID 2420
      lualib\lua.exe convert.lua C:\Users\Admin\Desktop\lua2exe\
    C:\Users\Admin\Desktop\lua2exe\source\lualib\lua.exe  PID 1932  [Suspicious use of WriteProcessMemory]
      lualib\lua.exe convert.lua in.lua -o out.exe C:\Users\Admin\Desktop\lua2exe\
        C:\Windows\system32\cmd.exe  PID 1964  [Suspicious use of WriteProcessMemory]
          C:\Windows\system32\cmd.exe /c lualib\luac54.exe -o generated_lua_bytecode.luac C:\Users\Admin\Desktop\lua2exe\in.lua
            C:\Users\Admin\Desktop\lua2exe\source\lualib\luac54.exe  PID 2904
              lualib\luac54.exe -o generated_lua_bytecode.luac C:\Users\Admin\Desktop\lua2exe\in.lua
        C:\Windows\system32\cmd.exe  PID 4536  [Suspicious use of WriteProcessMemory]
          C:\Windows\system32\cmd.exe /c compiler\mingw64\bin\gcc.exe generated_c.c -o C:\Users\Admin\Desktop\lua2exe\out.exe
            C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe  PID 3896  [Suspicious use of WriteProcessMemory]
              compiler\mingw64\bin\gcc.exe generated_c.c -o C:\Users\Admin\Desktop\lua2exe\out.exe
                C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe  PID 2600
                  C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/cc1.exe -quiet -iprefix C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/ -D_REENTRANT generated_c.c -quiet -dumpdir C:\Users\Admin\Desktop\lua2exe\out- -dumpbase generated_c.c -dumpbase-ext .c -mtune=core2 -march=nocona -o C:\Users\Admin\AppData\Local\Temp\cctkPs5d.s
    C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe  PID 3600
      gcc.exe
    C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe  PID 872  [Suspicious use of WriteProcessMemory]
      gcc.exe lol.c -o doge.exe
        C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe  PID 2824
          C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/cc1.exe -quiet -iprefix C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/ -D_REENTRANT lol.c -quiet -dumpdir doge- -dumpbase lol.c -dumpbase-ext .c -mtune=core2 -march=nocona -o C:\Users\Admin\AppData\Local\Temp\ccSirhCD.s
    C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe  PID 1744  [Suspicious use of WriteProcessMemory]
      gcc.exe lol.c -o doge.exe
        C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe  PID 4008
          C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/cc1.exe -quiet -iprefix C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/ -D_REENTRANT lol.c -quiet -dumpdir doge- -dumpbase lol.c -dumpbase-ext .c -mtune=core2 -march=nocona -o C:\Users\Admin\AppData\Local\Temp\ccamUgwA.s
        C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\x86_64-w64-mingw32\bin\as.exe  PID 3616
          C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/bin/as.exe -o C:\Users\Admin\AppData\Local\Temp\ccC2m6jA.o C:\Users\Admin\AppData\Local\Temp\ccamUgwA.s
        C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\collect2.exe  PID 2212  [Suspicious use of WriteProcessMemory]
          C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/collect2.exe -plugin C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/liblto_plugin.dll -plugin-opt=C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/lto-wrapper.exe -plugin-opt=-fresolution=C:\Users\Admin\AppData\Local\Temp\ccXAPSvT.res -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-lpthread -plugin-opt=-pass-through=-ladvapi32 -plugin-opt=-pass-through=-lshell32 -plugin-opt=-pass-through=-luser32 -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-liconv -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 --sysroot=C:/buildroot/x86_64-1310-posix-seh-msvcrt-rt_v11-rev1/mingw64 -m i386pep -Bdynamic -o doge.exe C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib/crt2.o C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtbegin.o -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0 -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../.. C:\Users\Admin\AppData\Local\Tem\ccC2m6jA.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 -lpthread -ladvapi32 -lshell32 -luser32 -lkernel32 -liconv -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtend.o
            C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\x86_64-w64-mingw32\bin\ld.exe  PID 3784
              C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe -plugin C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/liblto_plugin.dll -plugin-opt=C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/lto-wrapper.exe -plugin-opt=-fresolution=C:\Users\Admin\AppData\Local\Temp\ccXAPSvT.res -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-lpthread -plugin-opt=-pass-through=-ladvapi32 -plugin-opt=-pass-through=-lshell32 -plugin-opt=-pass-through=-luser32 -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-liconv -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 --sysroot=C:/buildroot/x86_64-1310-posix-seh-msvcrt-rt_v11-rev1/mingw64 -m i386pep -Bdynamic -o doge.exe C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib/crt2.o C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtbegin.o -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0 -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../.. C:\Users\Admin\AppData\Local\Temp\ccC2m6jA.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 -lpthread -ladvapi32 -lshell32 -luser32 -lkernel32 -liconv -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtend.o
    C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe  PID 3964  [Suspicious use of WriteProcessMemory]
      gcc.exe lol.c -o doge.exe
        C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe  PID 4856
          C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/cc1.exe -quiet -iprefix C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/ -D_REENTRANT lol.c -quiet -dumpdir doge- -dumpbase lol.c -dumpbase-ext .c -mtune=core2 -march=nocona -o C:\Users\Admin\AppData\Local\Temp\ccf9SMVZ.s
        C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\x86_64-w64-mingw32\bin\as.exe  PID 5096
          C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/bin/as.exe -o C:\Users\Admin\AppData\Local\Temp\ccjtRy47.o C:\Users\Admin\AppData\Local\Temp\ccf9SMVZ.s
        C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\collect2.exe  PID 4004  [Suspicious use of WriteProcessMemory]
          C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/collect2.exe -plugin C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/liblto_plugin.dll -plugin-opt=C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/lto-wrapper.exe -plugin-opt=-fresolution=C:\Users\Admin\AppData\Local\Temp\ccpMC4Pe.res -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-lpthread -plugin-opt=-pass-through=-ladvapi32 -plugin-opt=-pass-through=-lshell32 -plugin-opt=-pass-through=-luser32 -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-liconv -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 --sysroot=C:/buildroot/x86_64-1310-posix-seh-msvcrt-rt_v11-rev1/mingw64 -m i386pep -Bdynamic -o doge.exe C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib/crt2.o C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtbegin.o -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0 -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../.. C:\Users\Admin\AppData\Local\Temp\ccjtRy47.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 -lpthread -ladvapi32 -lshell32 -luser32 -lkernel32 -liconv -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtend.o
            C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\x86_64-w64-mingw32\bin\ld.exe  PID 1616
              C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe -plugin C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/liblto_plugin.dll -plugin-opt=C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/lto-wrapper.exe -plugin-opt=-fresolution=C:\Users\Admin\AppData\Local\Temp\ccpMC4Pe.res -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-lpthread -plugin-opt=-pass-through=-ladvapi32 -plugin-opt=-pass-through=-lshell32 -plugin-opt=-pass-through=-luser32 -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-liconv -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 --sysroot=C:/buildroot/x86_64-1310-posix-seh-msvcrt-rt_v11-rev1/mingw64 -m i386pep -Bdynamic -o doge.exe C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib/crt2.o C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtbegin.o -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0 -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../.. C:\Users\Admin\AppData\Local\Temp\ccjtRy47.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 -lpthread -ladvapi32 -lshell32 -luser32 -lkernel32 -liconv -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtend.o

C:\Windows\system32\OpenWith.exe  PID 2368  [Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory]
  C:\Windows\system32\OpenWith.exe -Embedding
    C:\Windows\system32\NOTEPAD.EXE  PID 4260  [Opens file in notepad (likely ransom note)]
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\in.lua

C:\Windows\system32\OpenWith.exe  PID 4888  [Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory]
  C:\Windows\system32\OpenWith.exe -Embedding
    C:\Windows\system32\NOTEPAD.EXE  PID 3064  [Opens file in notepad (likely ransom note)]
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\lol.c

C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe  PID 4952  [Executes dropped EXE]
  "C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe"
    C:\Windows\system32\WerFault.exe  PID 2624  [Program crash]
      C:\Windows\system32\WerFault.exe -u -p 4952 -s 164

C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe  PID 3720  [Executes dropped EXE]
  "C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe"
    C:\Windows\system32\WerFault.exe  PID 4928  [Program crash]
      C:\Windows\system32\WerFault.exe -u -p 3720 -s 132

C:\Windows\system32\NOTEPAD.EXE  PID 4160  [Opens file in notepad (likely ransom note)]
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\lol.c

C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe  PID 3436  [Executes dropped EXE]
  "C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe"

Of the gcc.exe invocations, only the two lol.c builds with PIDs 1744 and 3964 ran the full cc1.exe, as.exe, collect2.exe, ld.exe chain. Under PID 3896 (the out.exe link requested by convert.lua) and PID 872 only cc1.exe is recorded and no assemble or link stage follows, and PID 3600 was started with no arguments at all. The only freshly built executable the report shows being run is therefore doge.exe; out.exe never appears as a process. Note also that lol.c was opened in Notepad from two different locations (mingw64\lol.c by PID 3064 and mingw64\bin\lol.c by PID 4160).
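The rule a detection engineer would most likely want out of this tree is "a compiler or linker writes an .exe, and a later process runs a file of that name", plus a note when the toolchain itself runs from a user-writable location. The following Python is an added example (not Triage's code and not lua2exe's) over a constructed, abbreviated subset of the tree above; the COMPILERS set, the trusted install roots and the shortened cc1/collect2 command lines are assumptions made for the demonstration.

```python
"""Flag compile-then-execute chains in a sandbox process list.

Added example; not part of the report. SAMPLE is a constructed, abbreviated
subset of the process tree above as (pid, image path, command line) tuples in
execution order. The rule records every .exe named by a compiler or linker's
-o option and flags any later process whose image has that file name, which is
how the three doge.exe runs relate to "gcc.exe lol.c -o doge.exe". COMPILERS and
TRUSTED_ROOTS are assumptions, not values from the report.
"""
import re
from pathlib import PureWindowsPath

COMPILERS = {"gcc.exe", "g++.exe", "cc1.exe", "as.exe", "collect2.exe", "ld.exe",
             "cl.exe", "link.exe", "csc.exe"}                                    # assumed
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumed
OUT_RE = re.compile(r'(?:^|\s)-o\s+(?:"([^"]+)"|(\S+))')

SAMPLE = [
    (1584, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (3896, r"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe",
     r"compiler\mingw64\bin\gcc.exe generated_c.c -o C:\Users\Admin\Desktop\lua2exe\out.exe"),
    (2600, r"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe",
     r"cc1.exe -quiet generated_c.c -o C:\Users\Admin\AppData\Local\Temp\cctkPs5d.s"),   # abbreviated
    (1744, r"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe",
     r"gcc.exe lol.c -o doge.exe"),
    (2212, r"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\collect2.exe",
     r"collect2.exe -m i386pep -Bdynamic -o doge.exe C:\Users\Admin\AppData\Local\Temp\ccC2m6jA.o"),  # abbreviated
    (4952, r"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe",
     r'"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe"'),
    (2624, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 4952 -s 164"),
    (3720, r"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe",
     r'"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe"'),
    (4160, r"C:\Windows\system32\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\lol.c'),
    (3436, r"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe",
     r'"C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe"'),
]


def output_of(cmdline):
    """Path given to -o (quoted or bare), or None if the command has none."""
    m = OUT_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def base(path):
    return PureWindowsPath(path).name.lower()


def compile_and_execute(records):
    """Return [(executed pid, image, producing pid)] for every run of a built .exe."""
    built = {}                       # exe file name -> pid of the last tool that wrote it
    findings = []
    for pid, image, cmdline in records:
        name = base(image)
        if name in COMPILERS:
            out = output_of(cmdline)
            if out and out.lower().endswith(".exe"):   # .s and .o intermediates are ignored
                built[base(out)] = pid
        elif name in built:
            findings.append((pid, image, built[name]))
    return findings


def untrusted_toolchain(records):
    """Compiler/linker images running outside the trusted install roots."""
    return sorted({image for _, image, _ in records
                   if base(image) in COMPILERS and not image.lower().startswith(TRUSTED_ROOTS)})


if __name__ == "__main__":
    for pid, image, producer in compile_and_execute(SAMPLE):
        print(f"PID {pid} ran {image}, built by PID {producer}")
    for image in untrusted_toolchain(SAMPLE):
        print(f"toolchain outside trusted roots: {image}")
```

On the sample this reports the three doge.exe runs against the collect2.exe link that last wrote doge.exe, and lists the Desktop-resident gcc, cc1 and collect2 images; out.exe is recorded as built but never appears as a process, so it is not reported.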
Network
MITRE ATT&CK Matrix
Downloads
Fourteen files were written during the run. The report does not name them; entries 6, 7 and 8 carry identical hashes (one 74KB file written three times), so there are twelve distinct files.

1.  Filesize: 1KB
    MD5:    ea4bdefbe5ad111bd32a23fe558c9ff5
    SHA1:   b611b44cd762f2d1776872315731eed7174b48ba
    SHA256: 8e97e804be76c3f3b052b2ddbc966a3fefb5317f56c5c80719888c054cfa946a
    SHA512: 68c8329b1c98ed02d782830df9cbe44ed3cb8334151a385eb692da83a3c5790fe0b31975c77e12f66ff0f09fa483f4e2b2d6aed79ab66f3e318196367ce6b2dd

2.  Filesize: 1KB
    MD5:    0f338409784779e4b75b1e443acba04f
    SHA1:   27b7d8d6351a4d38ed0a8e612753714c7431e589
    SHA256: bf47f41584059ddf057e898236a1db3e5911aecf7a517932a7010b868ff2feb0
    SHA512: f93800d0d6347a355deeb1fd482efbf3ec0b67aaef09be34134ef7c35549541307b1cf3c78e1c43ce549ab58cee155a8d07c967a1b92e853685f54ab891e2f38

3.  Filesize: 1KB
    MD5:    10e0ef28dad3c9db5bd891bd62f821ab
    SHA1:   d2b13d9ed669b4dd36e0a42913b896577d150148
    SHA256: 8bdebc49501f2ebb0a10b2a0d107a206f2a76dc31ef6f686d61c7268f6652585
    SHA512: 6b4b0b03ce8609558ddae08333d1a592a2d9a2617e7fd1b6ade6b1e72ffd17f3aa7b4ddcbe43369a53d26e68920ff9ec388d3eab60d7e0e79e839fe1efde628e

4.  Filesize: 1KB
    MD5:    29e1c9b1a68dc471f39ce16428656f34
    SHA1:   884cbb28c30b0edad51fc29c6b3917c17bdd1a97
    SHA256: 41ea9685dadbfe06edab9fcc8785f805d06ef37cfc554b361e02f817d7412999
    SHA512: b9ac94b01d36201d320cc4ea90de1c04ed704e92ecb656d8d95a071218a242ee0be146f8d2d6d0eac2643f1b189387ad13fb31d4e5e782172353d3fcb1435a75

5.  Filesize: 21B
    MD5:    a34b35c4670e93e7e6b045017dcf50a8
    SHA1:   0e272ac247eb64b53c48a6c17ee1f9d686165f01
    SHA256: 830c23c40505782a4fd7b5517783696a69856956266b7a26a4a55ccbdf22ba9e
    SHA512: 4da353fcd8e4cac8be252ea8bcd1252de54ac941f322e3bf64385bbc4dca78dfd04b4464ea4029b761e9bb5b8148e738bc66c02b4170d483c03fdaadde66f1c6

6-8. Filesize: 74KB (three entries with identical hashes)
    MD5:    05abd537551101f4d8acc86b7135203b
    SHA1:   78d96bd306119073a175482e0125a6e8aa7aa552
    SHA256: 01db93d19015ad10d31345c1bc685a9922ac1e7d3dce4c3eae3a9639f904be81
    SHA512: 30365741bbbcb822a7ac3053881bed7eb0d2cda94ebd1599154865b5beffa4438084300766765a10b11763abc98894a25a75671785380bf08ca9ee6b8bf6d970

9.  Filesize: 74KB
    MD5:    f67162fbb7d26e5949e2a5c225c4a8d2
    SHA1:   f125071a8135160793be998ec1b18f3ceea06e16
    SHA256: 6978b37d7c468ef15f1fe2c9d505be2771238fead13637ed705cd1e5adbdb33c
    SHA512: 02843cd88ac260132ac0bc60cd60d82a35f22ce034bd768b07b73abc58e63e286f1e7bcbd940bb8afb01eb98edcc665f52dfde3c5802939df0bfae14e0a32491

10. Filesize: 65B
    MD5:    852f936202df02015a8a51a420a35f31
    SHA1:   168fd07c5eaca67836085677b07a61de29a0a7b9
    SHA256: 37adc3aae952b9a6c4bf77c20b507bc7817004874925927c27430f2e2ef17902
    SHA512: 9bab6bab57d744d2df148be8a684e974ecdc0b9288cb2ea5d6dbf0f34ca2c3d2d97d58b0eb4f96bd67f30bf5df5ce8a5cecdb90d9f98a5655f13b2fb512816d7

11. Filesize: 76B
    MD5:    28eea32f2580ee70fc1c762474ae1150
    SHA1:   b74fa8ef93510ceedddfb39782fd5e533ac2968e
    SHA256: ac407b299de469141ea97494a08e24e5d83b1100aea53650c2e824bbb397e38a
    SHA512: 626d59d6e32c26688b413f102d1672d9e63bd8683b830107bbde768fcb79311fb26804a2403a841194175029812d50af032c549564b656afaa66505ad3882aa1

12. Filesize: 10KB
    MD5:    6cb720d7db35589a53e966213de89ef4
    SHA1:   d32d04856ebdb3f8db37b26b6aafc3d56cbedd0a
    SHA256: eeb2e66c82a919bd7bb0cedeb65bd80e73edee69b99485d9ead0bdbce188688c
    SHA512: e437e634eb472178b894c8e65687c79380faf0fb36e4669f3586d75df01dee2d3a6f31c2ccc7eeb3c74ef39a5abda016bc7dd4eec811a30b6448d49c69fd4205

13. Filesize: 1.8MB
    MD5:    0fa2a15da68603e4e4023568e1ea3d41
    SHA1:   860acfc307153711559caabf7f7857a114518ec4
    SHA256: b2e36992b046106cec81b2057136d01aae85e91d33bbea8a63fd05e16a71f3f2
    SHA512: e76564e892ada8d9ad4e63498a06b52c347a9fb63e5f55bcd8d1ca03e9c95215af9790aac1d62de054f0dc9f9351c1051d3dce89e49a71071bed97040dcc2730

14. Filesize: 138B
    MD5:    7de270b816e6f84d1b0c883df4a1e602
    SHA1:   b09c7c05699878d6293d40644fdeba3f1ca949f0
    SHA256: 174715b8e40509a169b0465676e5329806aba1d384c38b09c9f81b8caadc72c8
    SHA512: 5f1fc22477d55a07257089a1918a68813d2422dd5d63e92908bb0b74840606770cab4614a1c33e317c87c75c2ce33db8bebe85bd73d02957428a56fb85a78884