373e608b8d84e66ca539779c29fef0ab7c35cf92410efbc1521604dfe51dead4

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.bat
Size

593B
MD5

b654b57d9b629ce512393a6adfcb9756
SHA1

e4b40f401102962e30e4a9820cd1031f5d1ab1ab
SHA256

b1149e7b5ae78c5d7b0178e19ea9bc5b353ea70e184edfccd8a80413af537975
SHA512

18e26a448c951efbc8fbec544a5bb19aba2610ae8516600894c4897fc2548f60ae0ab8eec8a24d2ff806909454d4aaac1a9d15fb662e5797b20619fbdb89294e

Score

6^/10

discovery

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	compiler.exe
File opened for modification	C:\Windows\Setup\Scripts\ErrorHandler.cmd	compiler.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3984	schtasks.exe
3200	schtasks.exe
3788	schtasks.exe
4568	schtasks.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 32	3656	cmd.exe	85
PID 3656 wrote to memory of 32	3656	cmd.exe	85
PID 3656 wrote to memory of 32	3656	cmd.exe	85
PID 32 wrote to memory of 3200	32	compiler.exe	100
PID 32 wrote to memory of 3200	32	compiler.exe	100
PID 32 wrote to memory of 3200	32	compiler.exe	100
PID 32 wrote to memory of 3788	32	compiler.exe	102
PID 32 wrote to memory of 3788	32	compiler.exe	102
PID 32 wrote to memory of 3788	32	compiler.exe	102
PID 32 wrote to memory of 2472	32	compiler.exe	104
PID 32 wrote to memory of 2472	32	compiler.exe	104
PID 32 wrote to memory of 2472	32	compiler.exe	104
PID 2472 wrote to memory of 4568	2472	compiler.exe	105
PID 2472 wrote to memory of 4568	2472	compiler.exe	105
PID 2472 wrote to memory of 4568	2472	compiler.exe	105
PID 2472 wrote to memory of 3984	2472	compiler.exe	106
PID 2472 wrote to memory of 3984	2472	compiler.exe	106
PID 2472 wrote to memory of 3984	2472	compiler.exe	106
PID 2472 wrote to memory of 4500	2472	compiler.exe	109
PID 2472 wrote to memory of 4500	2472	compiler.exe	109
PID 2472 wrote to memory of 4500	2472	compiler.exe	109

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\AppData\Local\Temp\compiler.exe
  compiler.exe conf.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 13:07 /f /tn EmailCleanupTask_ODA0 /tr ""C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA0.exe" "C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf.txt""
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 13:07 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3788
- - C:\Users\Admin\AppData\Local\Temp\compiler.exe
    "C:\Users\Admin\AppData\Local\Temp\compiler.exe" "C:\Users\Admin\AppData\Roaming\conf.lua"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 10:18 /f /tn WordProcessorTask_ODA0 /tr ""C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA0.exe" "C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf.lua""
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4568
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 10:18 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\compiler.exe
      "C:\Users\Admin\AppData\Local\Temp\compiler.exe" "C:\Users\Admin\AppData\Roaming\conf.lua"
      4⤵
      PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
281B

MD5
5901b87dff7c7fbd7339624c7cad72d9

SHA1
d338575e4585d65e10a791e6b6d276cc8250febb

SHA256
0081272d5446e4866cdf7740ba53dc9846282f0363ae0f1cc0c6c339e2820851

SHA512
74091be714ed197ecdd27fe24038662b7fa356ddc1ec35fe4498751acf8cf35d5f4bb1d30f7ea9d1e993d060da4fe8c8445c6d9e46dedbbcc18e64e6863f3374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
ab4f14a5462720297f97ff6589aaf525

SHA1
11de38a54e7701565e51c6d2398db224d91344ef

SHA256
fd064d667c352c1c53ec134be009b7f837251ddf430f639ffdbade5cf9791827

SHA512
cb4c8f683d7a7a1b634153e92e9386c5909789b1d9007c3448d9205aad9abb14cfcf6267247ee0a8130afef943e4e679f84a3235f4f924942d314d496adced20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
979B

MD5
116e2e525d151ef225b8918992aaf542

SHA1
f16f24d093a8b01a7bc155742ad07bb4e68ebf4d

SHA256
162dfc2aee189004af5c6186f004d7a909337be21e0cd81dff66b8ba19c0888a

SHA512
7f3de6c601c531eb7b20e69a584f8129c74b966914e7d4421f7b5cd7384de30429c25b047f6684862cdd67b1ae8a92af24559fe727a1d4432387d5c871139a99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
41fb85998718a60639a4846feca331c7

SHA1
c8285ee1823f298765c00efa1a7036a23e03789a

SHA256
309bdd62e6ac4b286b0d77f8ae76815b1ae5cc262af5f44d52869839da093ce6

SHA512
78331eef9b51b754599eb4de2693de11c84dadbb06394670e359de562e490c484c7b5a218d0357d9cdca99b35ad2d44063b97eeef7ec55759cbbde765c36e23d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
93bec93889323e3cf46cd643bdef107c

SHA1
601bf67031c586b1a6da0c426949c895b1e5c87d

SHA256
ab61f1a9008c96f59377ca570f7515d4d79389ae1f89d184e078d3fede2202cb

SHA512
e3bf65aa13dc3801ad8e2078ce2060cb935927a624d0b7ab22a87d3c6a985ca655e6d307420010caf6aad1a785f4a024f152da4565ea070d94bec7c0d9cfd7c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
e93d32075edcfa6c5f24c53560a197c7

SHA1
5baa80c49c4da4ba8e030e7d77e079112581aea9

SHA256
add0564d342d951af7970b229c60496be65e316f75a0dfa890d45eed62a416f0

SHA512
2cdb76acd484bfb9d99226bf36114d5f60300bd40a9bf579cb475b3e5762e399d38319064e6047b4677cd50ec417ed4debb45c3106c0e7faf23f3ead632fe623

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
280057f01b5183bf905ebf5a6375500f

SHA1
294791e413f348b2a36375e08185c2b386f6717d

SHA256
af2ecce4c6b8aa6491f60d517c5e3569a097b640eb696fd8e3a347598bebbce3

SHA512
9f260db6d52d3f114dbebae5944f25382f1c4b1d5354b9292a5b48f30cd31f9d8297812da5a7ac2a3142978b052a90535e9e75f2337149be8a5bae22e2daed17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
cbec75da81206672ca91a20a7f93f2df

SHA1
6305874266d5bd0087159115467011c0f9fe60d2

SHA256
2d2dbe1fb28136e2279f1c897254e0455ae724fc46b8e9ab58c9e8cec4b5efce

SHA512
a5d91b3e28a71ed3f7c5f9e93ad35887b8630cf3c5077f9326da03aab7aeecf88dac81179508f2215f8b4274ed8755dd877d3e65db189944ef62fee78ae3feaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AF6HG05X\json[1].json

Filesize
311B

MD5
9105750f17d90587cfdb3073e3db4b41

SHA1
68299e57ccb94050710511c9fba7f144af55038d

SHA256
325bea9d40295cd711d613b7dcb0958e04a537f751b177573a9c40303a4879f9

SHA512
07fcd8e2811bc7d8a481694d32a8d220a03ec99dfd8b9f55de99ff8327d392c6afbd821358b5087e29120b5a6d706f258c723585d3c69a26c1b0c385722256de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VRLMADU3\conf[1].log

Filesize
902KB

MD5
f8e7e868de711849ecd8ae2aa520bb53

SHA1
38633c09c4d6f8cdd4fcb6bb2c06f64068a0a329

SHA256
2331da365e6824a2d00c58fe6b00c652bfccb7df8a3ab936492df7af0312a4a4

SHA512
9b2af2124ec953f0a1538d54a91449281e5b8f67d8a8d9329990805e10ce5fed7af53f161f8035209a9c57c00312bc73bf9c5d186ffdcdfb1161f50e3b5b9c04

Download Submit
C:\Users\Admin\AppData\Roaming\conf.lua

Filesize
300KB

MD5
6ae5064bfd998015ffd0a43e03b65a4f

SHA1
a0d3e85cf565b5fc8308c32c056b3c9f93d8f562

SHA256
18b0bf3046a0a3b4366cd731d1bfb0500a17aed3b2008709cdd591b5072319e1

SHA512
24c3f3d417822990459e122722a3bd6a73fa7e5d0c0bad461d7d4d745f25786ef3f9ba2c19d15b8677535d4ce7f4eb812e61f203bc3610d19a9b607dbd790cba

Download Submit
C:\Windows\Setup\Scripts\ErrorHandler.cmd

Filesize
181B

MD5
e74b85d9b2776532ebde58401eb46939

SHA1
b60e3fab499ff895132b828d3925ad2c4be7c531

SHA256
82d55f7784242bb5f6ada93656206b3467b46c5c97d863fc03b3e4428fb9811b

SHA512
1e86f2125b27fb90f14140a1a69d032f4a0bb094d50c59607328058b3c8ae8c9a4440084dec19e88cbf68a93fec9b37af4f67a857f4388c8adb1e7ce444212ef

Download Submit
memory/32-34-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-26-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-59-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-58-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-57-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-56-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-55-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-54-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-53-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-52-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-51-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-50-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-49-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-48-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-47-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-46-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-45-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-44-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-43-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-42-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-41-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-40-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-39-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-38-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-37-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-36-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-35-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-86-0x00000000014E0000-0x00000000014E1000-memory.dmp

Filesize
4KB

Download
memory/32-33-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-32-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-31-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-30-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-29-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-28-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-27-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-87-0x0000000001660000-0x0000000001661000-memory.dmp

Filesize
4KB

Download
memory/32-25-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-23-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-22-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-21-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-19-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-18-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-17-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-24-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-16-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-13-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-12-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-11-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-10-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-9-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-8-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-7-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-6-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-5-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-4-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-3-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-15-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-2-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-60-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-61-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-76-0x00000000014E0000-0x00000000014E1000-memory.dmp

Filesize
4KB

Download
memory/32-77-0x00000000014E0000-0x00000000014E1000-memory.dmp

Filesize
4KB

Download
memory/32-62-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-63-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-14-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-20-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-1-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/32-0-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/2472-288-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2472-287-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads