11202449315d0f2edb567c5f5e3e4bd403ae0985574344ea8ddf474c1b1fb440

Analysis

max time kernel
146s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-08-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.bat
Size

724B
MD5

9edcc8710e562b5daeed73acaa17e2fd
SHA1

a3d7d0a26c3a058ff0b3a25c64d43397f1823d95
SHA256

f1ed443faa01092320e04e0231327bd59c6df7344ad0f46ca4885d28aa2afd60
SHA512

312fec45d3897ecc67285694a73d4fc7ef044b6f3aa1e6a9d5a8cee0b1b70204396b43fe014a4680c539427c070f199ff91f151fbdc2ae8e0d97f1b3fca3cb4a

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	pastebin.com
26	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	luajit.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luajit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luajit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1972	schtasks.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 4192	1532	cmd.exe	82
PID 1532 wrote to memory of 4192	1532	cmd.exe	82
PID 1532 wrote to memory of 3476	1532	cmd.exe	83
PID 1532 wrote to memory of 3476	1532	cmd.exe	83
PID 1532 wrote to memory of 3476	1532	cmd.exe	83
PID 3476 wrote to memory of 1972	3476	luajit.exe	87
PID 3476 wrote to memory of 1972	3476	luajit.exe	87
PID 3476 wrote to memory of 1972	3476	luajit.exe	87
PID 3476 wrote to memory of 4440	3476	luajit.exe	88
PID 3476 wrote to memory of 4440	3476	luajit.exe	88
PID 3476 wrote to memory of 4440	3476	luajit.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\luajit.exe
  luajit.exe conf
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 11:55 /f /tn WindowsSetup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\luajit.exe
    "C:\Users\Admin\AppData\Local\Temp\luajit.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
42f286dbcb65a75907003bbd881cc7be

SHA1
052ceb74fd5e0e35fbf2eb552da3567e162afbf8

SHA256
426a303953ecfde2b4f43a9f189aab67f8e541d012203b50071cd2039542bdd6

SHA512
5c35ef0da55c2101ffe8ee4c654159e1fe76a597eabc31075c42d29bd68b9da7d896a18af516004f7bba26fdff0513555562fa2b6232d1a648f29c4cc152efde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
79e95715acda927255582a02ce6fbbd2

SHA1
5fe896c3c061ca85f05c85409b18d492029cc9eb

SHA256
15e9d03475b0bf734e0da46efd72de95df53a9b643f4c890e90ad48c3880272b

SHA512
5320cf0f5734841195b8231331e1dfb750aa9791150ada955179540e368dcd0d2eacb19adfd2b3436b4c92667c419947a05688dc607d19cb0f40ea127a7055bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9BONLZFE\json[1].json

Filesize
311B

MD5
9105750f17d90587cfdb3073e3db4b41

SHA1
68299e57ccb94050710511c9fba7f144af55038d

SHA256
325bea9d40295cd711d613b7dcb0958e04a537f751b177573a9c40303a4879f9

SHA512
07fcd8e2811bc7d8a481694d32a8d220a03ec99dfd8b9f55de99ff8327d392c6afbd821358b5087e29120b5a6d706f258c723585d3c69a26c1b0c385722256de

Download Submit
C:\Users\Admin\AppData\Roaming\tmp\conf.lua

Filesize
298KB

MD5
a6e82e3f005f61929f62c981670138b1

SHA1
71f15a319a5f8f353068b6463d153e7bcc4ebf23

SHA256
289b7cd5419091154d2db0c1c70e7580ccde22ebe59b03ada35e95ee6b530bd7

SHA512
0691bc3995e0bae2048c966a7f3c207cfd708fa691b2f95b85618c136ab3bb65d4201b4d9d690b3a3b7812c52c537175a91af6efcf98959ed5fca84aa7467cce

Download Submit
memory/3476-35-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-34-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-33-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-31-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-27-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-6-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-32-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-63-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-62-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-61-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-60-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-58-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-57-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-56-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-54-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-53-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-52-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-81-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3476-51-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-50-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-49-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-48-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-47-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-46-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-45-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-44-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-42-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-41-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-40-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-39-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-38-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-37-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-36-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-30-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-29-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-28-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-26-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-25-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-24-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-23-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-22-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-21-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-20-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-19-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-18-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-17-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-16-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-15-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-14-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-13-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-12-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-11-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-10-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-9-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-8-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-7-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-59-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-55-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-43-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-5-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-4-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-3-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-2-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-1-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/3476-0-0x000000007EF70000-0x000000007EF80000-memory.dmp

Filesize
64KB

Download
memory/4440-247-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/4440-246-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/4440-258-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/4440-257-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/4440-256-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads