f8418708394db6fca1994290189547aa62a581f0e9c2e8096a5837598b03f553

Analysis

max time kernel
29s
max time network
31s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
23-05-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.bat
Size

717B
MD5

7276179fc4a059776470985ee2959249
SHA1

1b6841d675efe612159cc791a429daa39ddf59a7
SHA256

92a928595aac4d6ffccd6e05635fdbb0b82fdac13e0f460eafa22e570d26bf07
SHA512

5a833d7b50cc187363cdd1fda4c0dbf23afd30a29b3e107a33e72bb6ffc617a0fcf2b5f1098507111e2d7c55fbc726361e46e8691bf0d179fb920d1f86b4b6db

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

17 4740 rundll32.exe
18 4740 rundll32.exe
19 4740 rundll32.exe
20 4740 rundll32.exe
21 4740 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1156 rundll32.exe
4740 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Drops file in Windows directory 1 IoCs

Processes:

luajit.exe

description ioc process

File created C:\Windows\Setup\Scripts\ErrorHandler.cmd luajit.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2172 schtasks.exe

flow	pid	process
17	4740	rundll32.exe
18	4740	rundll32.exe
19	4740	rundll32.exe
20	4740	rundll32.exe
21	4740	rundll32.exe

pid	process
1156	rundll32.exe
4740	rundll32.exe

flow	ioc
1	ip-api.com

description	ioc	process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	luajit.exe

pid	process
2172	schtasks.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cmd.exeluajit.exerundll32.exe

description	pid	process	target process
PID 4864 wrote to memory of 4896	4864	cmd.exe	cacls.exe
PID 4864 wrote to memory of 4896	4864	cmd.exe	cacls.exe
PID 4864 wrote to memory of 2260	4864	cmd.exe	luajit.exe
PID 4864 wrote to memory of 2260	4864	cmd.exe	luajit.exe
PID 4864 wrote to memory of 2260	4864	cmd.exe	luajit.exe
PID 2260 wrote to memory of 2172	2260	luajit.exe	schtasks.exe
PID 2260 wrote to memory of 2172	2260	luajit.exe	schtasks.exe
PID 2260 wrote to memory of 2172	2260	luajit.exe	schtasks.exe
PID 2260 wrote to memory of 1156	2260	luajit.exe	rundll32.exe
PID 2260 wrote to memory of 1156	2260	luajit.exe	rundll32.exe
PID 2260 wrote to memory of 1156	2260	luajit.exe	rundll32.exe
PID 1156 wrote to memory of 4740	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 4740	1156	rundll32.exe	rundll32.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\luajit.exe
luajit.exe log
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc daily /st 10:05 /f /tn WindowsSetup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
3⤵
- Creates scheduled task(s)
PID:2172

C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Users\Admin\AppData\Roaming\Lua\bin\lua.dll", init
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\rundll32.exe
rundll32 "C:\Users\Admin\AppData\Roaming\Lua\bin\lua.dll", init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
281B

MD5
2db5345850c203829dc2d4c66b441ac6

SHA1
25e5cbaffdfe0456301188b304106baea4750535

SHA256
2716710828b2390a73099b978e2ca941a8bce3fdc275fa58d511be7177e150ca

SHA512
c36e197ca81a2d9786d822d1058e1817600e82763c2027213ea67abbc0eb1257d48893163550cb6d46205e282c101efdfee9388d1457e30e78dee34e5b1e0ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
72d4880bc5c5e75d2c69ea85932f6015

SHA1
ac33593f45a034fef778aa22b0b93dd29a6c7366

SHA256
7e576ce866607f8e6802355e09db9431853bd6568fc239ff4e3308b4edc06b6d

SHA512
ba0976e2b8652d3dc71558e669ab450b793c49a61aa01a1b0b4dfe9a6c8bf0ab065548a314bad955104be5d5ef6948d959569433c40c69b01dd8b3ac09fa36e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
979B

MD5
bc90511177a4597118c0cd5572567295

SHA1
ab38408b2f638d16ee748aae07dea098071f7aed

SHA256
eacd1a0ba09bb02dc47fa6e150be8a7d27ac8d082f33a3549e12be8161765784

SHA512
126d34d1095e69c89fff418e21cb72ed71d63977cc30a1202d7c5ebd80b6c4d960db4964ef7d1972a370f561205def244e33628632c44226ad1cb30f6c0dd1f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
6fe86f61844682b66eb0e8e5ffedb9db

SHA1
ee01554a31c29ea6cf581c2728d1d0ecc5a5c720

SHA256
19e5c432c12c7f17a681f54cc75b5a88b2f374360e1ecb086bf21447a0fd830a

SHA512
93dc92d22b193ba9a6db17cfdd191985ad989a1fc71a6049f361a5e9132ec8381480064b03923a93785bf1dc194b3ccc5a1320e97f55cac93783ddaa16df6abe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
353283862b42edf363669361f43ddd79

SHA1
683d3e2b691d4762ee2eacea8e795b64a4702571

SHA256
cd51a52bc9414d9f6d29a824a74d1aaf4ce172d762ea3e8bc0fd26c5b802c6a8

SHA512
5d3e52dd1322faf6831b6b03dfb7be46ebc66b8918e74a67391c8b887c36d22ffbb5b11dff50b9e47d7d9d86b0dacc214a7a231c2236cbf0055c33b2befe8668

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
e7cab4d322c2868e40152d7a8ba3f317

SHA1
fc7f97a0267d44a9295fbcb6420f4f69346bae92

SHA256
c31285ebaf88e5203e7d6e78561717b4871e83ecab2c89059ba11498ef2d5235

SHA512
f33cfecb2334f6dd172930e11346b1ee6b089ff2aa0b6c62e3d8b9c6c54d3c4330e391f805b4092d9a4cda3228bf9f7a620e588f33b824d67489be949adab2dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
94d87bf5c8d56a495b598e34c8408485

SHA1
cc12cccfb91fa47837c85f1c3760edbc185e3b95

SHA256
ba90a0b6dfaffc159ecb99948c2d8fd09177fa89cd94abf6c2d056cb50e3d13e

SHA512
fd505b879034be66816705880d53ec9ce0305f87341e1ad41774d98ff407e4cf38e8a1798780b1213a8ee8abf6261d5d1e89c099c36399bdc9720343eac24a7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
e3f3171e071d9e635a8893171447fcec

SHA1
caf98513f9b8e67c4ecbe50d9cc270c841e7a04e

SHA256
baaa64ad5251822c5126bc6c4ee6b7b5dac260a620c472dc5e411995e8ed7fc9

SHA512
f064cfe15386266f2e1b78e76f2ceac2d865d686e1ee3ab9c3226321ded9385878889502ad716e9f4fee79c4fbf121743998ed486241c1d915275a1dc2d6d84f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZ23PR86\packet[1].log

Filesize
4.1MB

MD5
0ffd3bd05a9281981db2330e5a7291c1

SHA1
fabbfea6c072f68692b81571d38e8eab72de1362

SHA256
286dca4423a65cbd5d23e9bf002e584ec16a88c0a5edf4cfdc6b639d982593ad

SHA512
54ff1df237207e4fe70808583b96a07d0366887ed7e3389527eaadb6c3e045c19c4ba1621a47e24fa661f52b504274b46af91acd1b562bc15b1e51518846c333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FSXOS7P2\json[1].json

Filesize
297B

MD5
bd0c2d8e6b0fe0de4a3869c02ee43a85

SHA1
21d8cca90ea489f88c2953156e6c3dec6945388b

SHA256
3a3e433f615f99529721ee766ad453b75d73fe213cb1ab74ccbb4c0e32dcd533

SHA512
496b1285f1e78d50dd79b05fa2cbf4a0b655bb3e4515646be3a7c7cdf85d7db6ab35577aa1e294f3d515d707ca341652b5ae9d4b22197e4480226ef8440294b6

Download Submit
C:\Users\Admin\Pictures\2EBF137A1B71487AA697945BAA2A07F9

Filesize
1KB

MD5
0685f628f7b26462640a2d8647a9db08

SHA1
dfd04f884ca8ef1074a28153d0d9754462693a2d

SHA256
4d2490dfccac8fff703222d3d3b82d3c390b4b9458c3e3e305dc4a29389b5e39

SHA512
7fe7549f120349ccaf39719595d1bd338882b8191f85f5f4d3f6a2e7688b1e442db2eda6db2fc8ac5b09a2e7574fbfd2bdaf72946e587fce2de610bcaaf723ec

Download Submit
memory/2260-32-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-26-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-61-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-60-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-59-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-58-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-57-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-56-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-55-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-54-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-53-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-52-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-51-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-50-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-49-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-48-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-47-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-46-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-45-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-44-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-43-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-42-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-41-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-40-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-39-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-38-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-37-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-36-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-35-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-34-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-33-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-83-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2260-31-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-30-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-29-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-28-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-27-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-62-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-25-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-24-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-23-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-22-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-21-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-20-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-19-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-18-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-16-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-15-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-14-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-13-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-12-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-3-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-2-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-1-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-11-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-10-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-9-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-8-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-7-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-5-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-6-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-4-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-0-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-268-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2260-84-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2260-85-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2260-86-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2260-87-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2260-88-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2260-63-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2260-17-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/4740-264-0x000001970E3D0000-0x000001970E3D1000-memory.dmp

Filesize
4KB

Download
memory/4740-263-0x000001970E3D0000-0x000001970E3D1000-memory.dmp

Filesize
4KB

Download
memory/4740-262-0x000001970E3D0000-0x000001970E3D1000-memory.dmp

Filesize
4KB

Download
memory/4740-261-0x000001970E3D0000-0x000001970E3D1000-memory.dmp

Filesize
4KB

Download
memory/4740-260-0x000001970E3D0000-0x000001970E3D1000-memory.dmp

Filesize
4KB

Download