5fc2de76755ab476a4cd3880600a556f0f1e2f6117bcf9ae39b136992c55236b

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.bat
Size

29B
MD5

010844aba640fe1c7a29c746b3e5536d
SHA1

0f86396e82884fb66c5146c60ec0e60c8de7f9a4
SHA256

6e5623938b8f3503c10012c60897812f45a85c52a44e7806ee9fb64f4caf2df7
SHA512

1935a11c9bb6c4c52649eb89f26efa29aad8f867c7d2f64bf311e05dea0b89c7db514a9250941c57bddd9bb3becdc00b74e6bef559ed10f874d88454819038c1

Score

6^/10

discovery

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	compiler.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
516	schtasks.exe
1296	schtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 2660	3832	cmd.exe	85
PID 3832 wrote to memory of 2660	3832	cmd.exe	85
PID 3832 wrote to memory of 2660	3832	cmd.exe	85
PID 2660 wrote to memory of 4336	2660	compiler.exe	97
PID 2660 wrote to memory of 4336	2660	compiler.exe	97
PID 2660 wrote to memory of 4336	2660	compiler.exe	97
PID 4336 wrote to memory of 516	4336	compiler.exe	100
PID 4336 wrote to memory of 516	4336	compiler.exe	100
PID 4336 wrote to memory of 516	4336	compiler.exe	100
PID 4336 wrote to memory of 1296	4336	compiler.exe	102
PID 4336 wrote to memory of 1296	4336	compiler.exe	102
PID 4336 wrote to memory of 1296	4336	compiler.exe	102
PID 4336 wrote to memory of 220	4336	compiler.exe	104
PID 4336 wrote to memory of 220	4336	compiler.exe	104
PID 4336 wrote to memory of 220	4336	compiler.exe	104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\compiler.exe
  compiler.exe config
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\compiler.exe
    "C:\Users\Admin\AppData\Local\Temp\compiler.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 11:08 /f /tn PhotoEditorTask_ODA0 /tr ""C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA0.exe" "C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf.lua""
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:516
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 11:08 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\compiler.exe
      "C:\Users\Admin\AppData\Local\Temp\compiler.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
      4⤵
      PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
280B

MD5
a66b7796ff6187b51f5747254c94f21d

SHA1
980d0fba2fa21527709831b7fcf92e0443696c11

SHA256
661b208091012d429b08254dad6b7312ec5ce369dc3a7d03b0359308ad0793b9

SHA512
4ffaf245aeb244fed74200585f5a3c197fec954c399e201901ea50a02e9ff012519deeddbf03b195b1d5e6c0120272e7db64b83f882f17d2a206fafd957111ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
27b4ac4d33ea87ea34c6bf4463e9f5fe

SHA1
e4dac1f826d4b0acd8e1f247fe95fe5847eb4809

SHA256
95999c081ad63d5303fce13b5f586f6a82d9c795ea7fcc76d3b3e9f45c34c023

SHA512
f359086dac50291abfb54790d7d3d0486ab90b8dfd31848a44861a79a81ac17474f233aad97c7218301a41957da367a2913dbcf54cb5a298d1a6c35feda22851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
980B

MD5
5d6dae1d7d3c9fc51cfd907674ae2459

SHA1
c027d7158cbe1da2953a70d6790018092a4dd999

SHA256
5d95365c08dd688efe20765e3f6a3b6b0c4870db4c92edd27d5f89d18ac6c4c3

SHA512
5406b1f7817544d06d5fd47f630e629c0df7e54d16c23b45ab0916bad823bb3390f20c82643aac59064271fbd349ce219e1348389c4825286731fa5beb53747b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
9d898a8f23f3c6ea2aff00d19f7a699e

SHA1
2aea7e54742734784986b99abf8e9e588b9a7a8f

SHA256
6c325bc49dfecd5494d2c551691af4face6dd57a4f3bbdd9507ca0ee700c8856

SHA512
293a6f0c68425917d189d0fab9266acaa1aec56fcfa244dddca6ed08f6bfeb3eeda734b2abfa190bda0459dc6691a6129ce2f2b2d9208cadd362479ab0d38b9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
4124d7c13a8c33050af5f74d5fe41b25

SHA1
0819c76fcf37c13e1fa8519e3cdb87c2ce8961f9

SHA256
63ef76098748699da44fca39b1dd13254c8e546945e49a8260fec8b5df036f87

SHA512
3f819305b310592dcecd99526b1d1f0e2c7b2ae7dca4a5324ae48c2333e893bf57e0f09b9fc963c8a3f102473a5f615cc5b28f86969d95d54d9f2550654ffcc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
bc47f35b65ab3fb91c54f74e844ea579

SHA1
300a73e5e350c9863795911d38a7c5200cc76cf6

SHA256
0ca5e1f63831ea2f7250744f265d8e87992c8394a85d8269a597422dc3e65544

SHA512
96f0d02a58001f07dfe224d6336988ab2d51a3e6f67ff162a96c7a709c996ade883cd2faa1309131b0435a0be36e3fae06cd493614d2c78f7aa8706497e066ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
0ac372545629f560b0286f65af0f0771

SHA1
0414179d66a4e7d47febc2617f03d6ee63ac5df3

SHA256
73d06638db77d445c5a4f2010f71ccf0100ab70f69e4409ecd5512b9b1dbdf2e

SHA512
a3188daa26bd1305e33efb8ad55444fdb9c0cf566ce6104eed2f5502b2eb3f7492d2a07d7bdcf303f666a1ee3386f000a47ff418aaa5cba30f6cc3de9ba3dd2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
fe3be7dca8986de3fc1101d35a45f184

SHA1
0e0a3597168e1c1ab4fb70c5bd8154edf7b295b1

SHA256
cb0a96b7d8adaf312b1c703925f4b95066782d4c451e06b1d3b8d09b16424c4f

SHA512
be07e0787d9c678b44e2c83e9c2b921f90e7010a75ec7847bccd3e44cd55577cd9ba7b511a43a5917aee0e2e3c3536f558b90dea37cc4edcd9cbfa21b98f7ff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N27JXEQ0\request[1].json

Filesize
896KB

MD5
6621f92e253c53901a45c7eae20938fc

SHA1
7e3759b02202ffaef0e2e41666edf7af66360b65

SHA256
1d359835b097d15a97f9f77359939b79e7d63697eb23de72c88d39b5467fc77b

SHA512
7616351db372c1c391ba5e3cbbada8db17b5d06dc03cb064eaa27083ecf101c3b7d1757ec8dca752200cf5b7118ffdcf818c09dd20f890a0f1dc564db3d1f05e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\json[1].json

Filesize
311B

MD5
9105750f17d90587cfdb3073e3db4b41

SHA1
68299e57ccb94050710511c9fba7f144af55038d

SHA256
325bea9d40295cd711d613b7dcb0958e04a537f751b177573a9c40303a4879f9

SHA512
07fcd8e2811bc7d8a481694d32a8d220a03ec99dfd8b9f55de99ff8327d392c6afbd821358b5087e29120b5a6d706f258c723585d3c69a26c1b0c385722256de

Download Submit
C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA0.exe

Filesize
874.2MB

MD5
7604458a3760dc23f05ca5ee2197226b

SHA1
dd651e49e4acb5b6075c77119852377252f0cd26

SHA256
4a67387b5b7a3be1b31329dc02805e56230d44bcaeff060ca20343d1fe9b27fb

SHA512
d5025f15d724f7cd9fff8c4b898bbe64ba1a2506a17fae9995472e91ef66c9f8c2917e7d8f68001b1f6cd932ca4759ba40c23709634efb8732f6906e989c2af1

Download Submit
C:\Users\Admin\AppData\Roaming\tmp\conf.lua

Filesize
298KB

MD5
a6e82e3f005f61929f62c981670138b1

SHA1
71f15a319a5f8f353068b6463d153e7bcc4ebf23

SHA256
289b7cd5419091154d2db0c1c70e7580ccde22ebe59b03ada35e95ee6b530bd7

SHA512
0691bc3995e0bae2048c966a7f3c207cfd708fa691b2f95b85618c136ab3bb65d4201b4d9d690b3a3b7812c52c537175a91af6efcf98959ed5fca84aa7467cce

Download Submit
C:\Users\Admin\Pictures\C186ECC367E44D2B8682B6C322DA87AA

Filesize
1KB

MD5
782b86e62396e45cd6a37682f1e0694a

SHA1
a58545a1e89bbabef68b883dbea3e7d021e9393a

SHA256
a9b00e2c58ccd88f647b7533bacea1d54d520c685de841539e5cef574dbf8480

SHA512
0792996b0225b1aa0f2c939a53a752788fe3aee493928988d70947a3b66cb0101108c2e35bcb9038fd717e9b7ea2a747423df98f37c7fa7a188750fdf3ce6ea1

Download Submit
memory/220-429-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/220-428-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2660-56-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-23-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-51-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-50-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-49-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-48-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-47-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-46-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-45-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-44-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-42-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-39-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-38-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-37-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-36-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-35-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-34-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-86-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2660-85-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2660-33-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-32-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-31-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-30-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-29-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-28-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-53-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-43-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-41-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-40-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-27-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-26-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-25-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-24-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-52-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-21-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-20-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-19-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-18-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-17-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-16-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-14-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-13-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-12-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-11-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-10-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-9-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-8-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-7-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-6-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-5-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-4-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-57-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-58-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-59-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-60-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-61-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-62-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-63-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-54-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-55-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-22-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-3-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-2-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-1-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-15-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download
memory/2660-0-0x000000007F070000-0x000000007F080000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads