d1fd4a6680902769d39157959bcdc2b816d5f0ebff8913a02046936323c2ec8e

Analysis

max time kernel
1766s
max time network
1159s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.bat
Size

311B
MD5

365ac921ece415c40ef7af7e24a3bb59
SHA1

e73502e289f4d9b9acbe344c1ae0149b0f38aa2b
SHA256

dc56d38eeb1eb3c0a03d14aae8ecdf9757421d9ffb56035266d1837c367e1679
SHA512

60072fb9cce9fb3bc629d9623e94600d81d45ba1c9affc816f29b30d9fff904209ffb68521732fd2866fbe71db3774bf4c39074e63ef13dbefb83dc0812189a3

Score

6^/10

discovery

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	compiler.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1468	schtasks.exe
1156	schtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 1828	3380	cmd.exe	85
PID 3380 wrote to memory of 1828	3380	cmd.exe	85
PID 3380 wrote to memory of 1828	3380	cmd.exe	85
PID 1828 wrote to memory of 3756	1828	compiler.exe	96
PID 1828 wrote to memory of 3756	1828	compiler.exe	96
PID 1828 wrote to memory of 3756	1828	compiler.exe	96
PID 3756 wrote to memory of 1468	3756	compiler.exe	97
PID 3756 wrote to memory of 1468	3756	compiler.exe	97
PID 3756 wrote to memory of 1468	3756	compiler.exe	97
PID 3756 wrote to memory of 1156	3756	compiler.exe	98
PID 3756 wrote to memory of 1156	3756	compiler.exe	98
PID 3756 wrote to memory of 1156	3756	compiler.exe	98
PID 3756 wrote to memory of 4476	3756	compiler.exe	101
PID 3756 wrote to memory of 4476	3756	compiler.exe	101
PID 3756 wrote to memory of 4476	3756	compiler.exe	101

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Users\Admin\AppData\Local\Temp\compiler.exe
  compiler.exe config
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\compiler.exe
    "C:\Users\Admin\AppData\Local\Temp\compiler.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 10:34 /f /tn BrowserMaintenanceTask_ODA0 /tr ""C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA0.exe" "C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf.lua""
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1468
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 10:34 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\compiler.exe
      "C:\Users\Admin\AppData\Local\Temp\compiler.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
      4⤵
      PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
280B

MD5
a66b7796ff6187b51f5747254c94f21d

SHA1
980d0fba2fa21527709831b7fcf92e0443696c11

SHA256
661b208091012d429b08254dad6b7312ec5ce369dc3a7d03b0359308ad0793b9

SHA512
4ffaf245aeb244fed74200585f5a3c197fec954c399e201901ea50a02e9ff012519deeddbf03b195b1d5e6c0120272e7db64b83f882f17d2a206fafd957111ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
27b4ac4d33ea87ea34c6bf4463e9f5fe

SHA1
e4dac1f826d4b0acd8e1f247fe95fe5847eb4809

SHA256
95999c081ad63d5303fce13b5f586f6a82d9c795ea7fcc76d3b3e9f45c34c023

SHA512
f359086dac50291abfb54790d7d3d0486ab90b8dfd31848a44861a79a81ac17474f233aad97c7218301a41957da367a2913dbcf54cb5a298d1a6c35feda22851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
980B

MD5
5d6dae1d7d3c9fc51cfd907674ae2459

SHA1
c027d7158cbe1da2953a70d6790018092a4dd999

SHA256
5d95365c08dd688efe20765e3f6a3b6b0c4870db4c92edd27d5f89d18ac6c4c3

SHA512
5406b1f7817544d06d5fd47f630e629c0df7e54d16c23b45ab0916bad823bb3390f20c82643aac59064271fbd349ce219e1348389c4825286731fa5beb53747b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
ee8e439af57ae234508d59d4e8695b0e

SHA1
1d052fdaf110d16526226e7f8656d0ae1a2c2b20

SHA256
2faeecdb2251ce6ee9cb43a4ed7eec02731f18d5711d9f7cbde0146beec4feaa

SHA512
45c73203f2efba97b5da32f1586e956fb23203c20903c8c0d0655b81593d077620315516e362c07bf6a4bb0196632e0c33fe8af034666d535e21a4e8f776ce04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
6d9c4824951b960bb06316a750926545

SHA1
3615cd061a77c49532d701baf6e0d973df8d37bb

SHA256
d9d0294a429f4d47b205737fe56d60cb8507b9c7de1f2042f74231ea29717fb2

SHA512
1e59b2f36e04763c48a187765e399b9e4e7258a0e059480572ac2d2b72f492f9c2ec77c421e93a2b9463ada86887bc87c182468f0645dd6812ccd2d339693224

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
fe233d80b85436f24abbfb07a48513fe

SHA1
d55f2077a03c1c1877a399f62c303ef1998e1001

SHA256
d229c3d8ac25f90ae349edfef76f7bcf657318e427958eabaa611dda39a947b1

SHA512
86f415502161e86a620fc615900136880e8b20142a5ac113947e254e8c4f8d3ef5efc467dd0f126c48bde99d0f8d42d52917476fad9f66bdcdf259b74777b5fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
1388b08282f83487f5db2a2dcd88b168

SHA1
888cd225b39cbf4424c4030bf4809a2098b26bce

SHA256
c4c6bfa3fdbb9f0f18ddf09bda04c63f7ac3489fd173463244fc271c192ffc34

SHA512
f567ebf194e6c91960be73d4c9bca11705cdc48ebaa140b3fb400963899c7c7e0c17398bf0bffe61455d174855ef1e5fb3ee9620bd3a7ff5f17b3ad04c62cf42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
65e7fd9ec95632bfb03f1e0a0e38d92f

SHA1
3d350f104d87b77014574b31192ab6e6fe22c541

SHA256
2a4e147322cc72b7f2bdbb9d65747f56d5e18f8252443217cb0345652bdfb964

SHA512
d7e5b625ae0e0fe7df7c855c622efa28c9e81fe4815cc555ec507e0fe6c821629cddcc977928b5b6ae4a614e6f746c583efe2b5b97e28528c45d7a48ecd20b5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\request[1].json

Filesize
896KB

MD5
6621f92e253c53901a45c7eae20938fc

SHA1
7e3759b02202ffaef0e2e41666edf7af66360b65

SHA256
1d359835b097d15a97f9f77359939b79e7d63697eb23de72c88d39b5467fc77b

SHA512
7616351db372c1c391ba5e3cbbada8db17b5d06dc03cb064eaa27083ecf101c3b7d1757ec8dca752200cf5b7118ffdcf818c09dd20f890a0f1dc564db3d1f05e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IFM58U6K\json[1].json

Filesize
311B

MD5
9105750f17d90587cfdb3073e3db4b41

SHA1
68299e57ccb94050710511c9fba7f144af55038d

SHA256
325bea9d40295cd711d613b7dcb0958e04a537f751b177573a9c40303a4879f9

SHA512
07fcd8e2811bc7d8a481694d32a8d220a03ec99dfd8b9f55de99ff8327d392c6afbd821358b5087e29120b5a6d706f258c723585d3c69a26c1b0c385722256de

Download Submit
C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA0.exe

Filesize
3.5MB

MD5
7ea017d6a07abe8d41251e572c06a1d4

SHA1
1e07d6ca5fe45ef4144db3da6796ddd0c1fa0393

SHA256
17622ec279605b0a82c8d09230b79d29e443f3cd68481b7a6a79efe90d8eb0e0

SHA512
5a09ff3bddccf288a5e0ba9f9942f4bbcc6bc2048118f0b1c9f8712537f630d6d8067768dc716d7223d2ce0fc30154707f0173da3c067306d55a6612b6f4c005

Download Submit
C:\Users\Admin\AppData\Roaming\tmp\conf.lua

Filesize
298KB

MD5
a6e82e3f005f61929f62c981670138b1

SHA1
71f15a319a5f8f353068b6463d153e7bcc4ebf23

SHA256
289b7cd5419091154d2db0c1c70e7580ccde22ebe59b03ada35e95ee6b530bd7

SHA512
0691bc3995e0bae2048c966a7f3c207cfd708fa691b2f95b85618c136ab3bb65d4201b4d9d690b3a3b7812c52c537175a91af6efcf98959ed5fca84aa7467cce

Download Submit
C:\Users\Admin\Pictures\30DD1CC15C254745B2F5CFFA52B1A886

Filesize
1KB

MD5
782b86e62396e45cd6a37682f1e0694a

SHA1
a58545a1e89bbabef68b883dbea3e7d021e9393a

SHA256
a9b00e2c58ccd88f647b7533bacea1d54d520c685de841539e5cef574dbf8480

SHA512
0792996b0225b1aa0f2c939a53a752788fe3aee493928988d70947a3b66cb0101108c2e35bcb9038fd717e9b7ea2a747423df98f37c7fa7a188750fdf3ce6ea1

Download Submit
memory/1828-26-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-17-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-57-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-54-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-55-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-53-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-52-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-42-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-50-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-49-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-48-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-47-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-46-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-45-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-82-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1828-44-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-43-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-39-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-38-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-36-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-35-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-34-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-33-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-30-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-32-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-31-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-28-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-29-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-27-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-59-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-25-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-24-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-23-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-22-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-20-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-19-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-18-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-56-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-16-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-15-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-14-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-11-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-6-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-58-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-51-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-41-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-40-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-37-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-21-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-13-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-12-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-10-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-7-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-5-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-4-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-3-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-2-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-1-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-0-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-86-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/1828-60-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-61-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-78-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1828-79-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1828-62-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-63-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-8-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-9-0x000000007F0A0000-0x000000007F0B0000-memory.dmp

Filesize
64KB

Download
memory/1828-288-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/3756-255-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3756-254-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4476-435-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/4476-434-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/4476-433-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads