Overview

- Static (static): score 7
- Ro-exec Executor.zip, windows7-x64: score 3
- Ro-exec Executor.zip, windows10-2004-x64: score 6
- Launcher.bat, windows7-x64: score 1
- Launcher.bat, windows10-2004-x64: score 1
- compiler.exe, windows7-x64: score 7
- compiler.exe, windows10-2004-x64: score 1
- config, windows7-x64: score 1
- config, windows10-2004-x64: score 1
- lua51.dll, windows7-x64: score 1
- lua51.dll, windows10-2004-x64: score 3
Analysis

- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2024 01:44
- Static task static1
- Behavioral task behavioral1: sample Ro-exec Executor.zip, resource win7-20240319-en
- Behavioral task behavioral2: sample Ro-exec Executor.zip, resource win10v2004-20240226-en
- Behavioral task behavioral3: sample Launcher.bat, resource win7-20240221-en
- Behavioral task behavioral4: sample Launcher.bat, resource win10v2004-20240226-en
- Behavioral task behavioral5: sample compiler.exe, resource win7-20240221-en
- Behavioral task behavioral6: sample compiler.exe, resource win10v2004-20231215-en
- Behavioral task behavioral7: sample config, resource win7-20240215-en
- Behavioral task behavioral8: sample config, resource win10v2004-20240226-en
- Behavioral task behavioral9: sample lua51.dll, resource win7-20240220-en
- Behavioral task behavioral10: sample lua51.dll, resource win10v2004-20240226-en
General

- Target: Launcher.bat
- Size: 544B
- MD5: 17033b44988e812ebade9022cba3584f
- SHA1: 3c98c9f36212cfeec679057cabb1ea5d4bffb1a1
- SHA256: deda21bef6613c01484a7c219070f1c510d96a31373a9561e31a8e45b3c94473
- SHA512: 9f54c72cafeedb4b332e8c4d438e88475d1757ea4ffdf23d13d0f1bae55806b3fe58cf48002085f5a867c5d8906c4b7674584c4070288e35026037cdc33eb282
Malware Config

Signatures

- Executes dropped EXE (1 IoC)
  pid 2108, process crt.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 6, ioc ip-api.com
- Drops file in Windows directory (1 IoC)
  File created: C:\Windows\Setup\Scripts\ErrorHandler.cmd, process compiler.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3572, process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2172, process powershell.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 2172, process powershell.exe. Token privileges adjusted, in order; the cycle below (without its leading SeDebugPrivilege) is then repeated twice more, for 64 entries in total:
  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 4616 (cmd.exe) wrote to memory of 4192, target procid 86 (2 entries)
  PID 4616 (cmd.exe) wrote to memory of 3148, target procid 87 (3 entries)
  PID 3148 (compiler.exe) wrote to memory of 3572, target procid 98 (3 entries)
  PID 3148 (compiler.exe) wrote to memory of 2172, target procid 109 (3 entries)
Processes

- C:\Windows\system32\cmd.exe (PID 4616)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cacls.exe (PID 4192)
    Command line: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  - C:\Users\Admin\AppData\Local\Temp\compiler.exe (PID 3148)
    Command line: compiler.exe config
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 3572)
      Command line: schtasks /create /sc daily /st 11:19 /f /tn WindowsSetup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2172)
      Command line: powershell -Command "Register-ScheduledTask -TaskName 'Y3J0Nzc3' -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\network\crt.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\network\crt.exe (PID 2108)
  Command line: C:\Users\Admin\AppData\Roaming\network\crt.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads