Analysis
max time kernel: 54s
max time network: 59s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 06:26
General
Target: Lua Loader.exe
Size: 1.2MB
MD5: 34a466e51a80ad778b3e07aab08e934f
SHA1: 189592eda4e8a4f051e1af4c56c8b2384c5c0e2b
SHA256: 59bafd4c82ebacac6b134fd031274210f66a12c391d06015484f63a87b54b461
SHA512: 699b11e1992ca2a1199fef70bdce13153e5868de4a655efd801de1972844b64bd3b947ecb62ff3148fa76c4eabe2ebbd19bc8b461546234d428ed5d8f04caecc
SSDEEP: 24576:O5WHS04YNEMuExDiU6E5R9s8xY/2l/dRJ5dtsPxNGfySIbt+rO:O5Wd4auS+UjfU2T/5XDZIbt+r
Malware Config
Extracted
orcus
147.185.221.21
f446e131123a4c2c895327a980a93e72
administration_rights_required: false
anti_debugger: false
anti_tcp_analyzer: false
antivm: false
autostart_method: 1
change_creation_date: false
force_installer_administrator_privileges: false
hide_file: false
install: false
installation_folder: %appdata%\Microsoft\Speech\Lua.exe
installservice: false
keylogger_enabled: false
newcreationdate: 08/03/2024 19:46:52
plugins: AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgNgAyADIANQBiADEAZABhADMAMAAyAGMANABhAGYAZgBiAGEAMwAyADQAYwBkAGMAYQA2AGIAZABkADAAYQA2AAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIDIAYQA2AGMAMgBjADIANAA3ADUAOAA2ADQAZgA2AGEAOAA2ADUAZgBlADQAOQAzADQANwAyAGIANQA3AGYANgABBcjswb8CldcC3rcCqMa3DYpVf2wVCkcAYQBtAGUAcgAgAFYAaQBlAHcABwMxAC4AMgBBIDkAZgA0AGEAMAA0ADcAYwA5ADUAYwA2ADQAZABjADUAOQAwADgAZgBjAGEAMAA1AGYAMABkADcAYQA5AGMAOAACAAYG
reconnect_delay: 10000
registry_autostart_keyname: Audio HD Driver
registry_hidden_autostart: false
set_admin_flag: false
tasksch_name: Audio HD Driver
tasksch_request_highest_privileges: false
try_other_autostart_onfail: false
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | Lua Loader.exe

Executes dropped EXE (1 IoCs)
pid | Process
2032 | Lua.exe

Loads dropped DLL (1 IoCs)
pid | Process
2032 | Lua.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lua Loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lua.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid | Process
2032 | Lua.exe (25 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2032 | Lua.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2032 | Lua.exe

Suspicious use of SendNotifyMessage (1 IoCs)
pid | Process
2032 | Lua.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 3612 wrote to memory of 2032 | 3612 | Lua Loader.exe | 87
PID 3612 wrote to memory of 2032 | 3612 | Lua Loader.exe | 87
PID 3612 wrote to memory of 2032 | 3612 | Lua Loader.exe | 87
PID 2032 wrote to memory of 3352 | 2032 | Lua.exe | 101
PID 2032 wrote to memory of 3352 | 2032 | Lua.exe | 101
PID 2032 wrote to memory of 3352 | 2032 | Lua.exe | 101
PID 3352 wrote to memory of 3540 | 3352 | csc.exe | 103
PID 3352 wrote to memory of 3540 | 3352 | csc.exe | 103
PID 3352 wrote to memory of 3540 | 3352 | csc.exe | 103
PID 2032 wrote to memory of 4780 | 2032 | Lua.exe | 105
PID 2032 wrote to memory of 4780 | 2032 | Lua.exe | 105
PID 2032 wrote to memory of 4780 | 2032 | Lua.exe | 105
PID 4780 wrote to memory of 5048 | 4780 | csc.exe | 107
PID 4780 wrote to memory of 5048 | 4780 | csc.exe | 107
PID 4780 wrote to memory of 5048 | 4780 | csc.exe | 107
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Lua Loader.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Lua Loader.exe"
    PID: 3612
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Lua.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Lua.exe"
        PID: 2032
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\im2hl0cn\im2hl0cn.cmdline"
            PID: 3352
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8.tmp" "c:\Users\Admin\AppData\Local\Temp\im2hl0cn\CSCA7.tmp"
                PID: 3540
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1qjdgdpf\1qjdgdpf.cmdline"
            PID: 4780
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4ED8.tmp" "c:\Users\Admin\AppData\Local\Temp\1qjdgdpf\CSC4ED7.tmp"
                PID: 5048
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 9176445b5eb7668137f6bacda9525280
SHA1: c43c97ce137b061d34120ff08ee35bd1f4c7a6db
SHA256: 0a3d42947787ddef6f4af9bca3403131e3ca7976aa99c8f3aeb87743400aa376
SHA512: ceff17731890ce31471c80246530dbd3fccf41de8bdffaed417f23d1fa87b260b41c47f671675edab094d8f5ac7af7ea2346bff045e0b9235c79871a6f71ef69

Filesize: 1KB
MD5: 4b97135e3ea76c9d000c68dc599fd218
SHA1: bfabc79ac671466ecd8e45982d2b278b4a2491a0
SHA256: 1b5516c8aefc3fa002b5f312fd0eefd790ab8a4f1c0ae66ac40e837ff96af20c
SHA512: d6b0bf528a2c1d999405fbc09a61af462175e2948a8d183589a81cbc23a0cda51cfec570b84acccd75f578ebd510dd84ce974a5467cd3cececbd1d71ef8f843f

Filesize: 1KB
MD5: 9e7c999ff66b9ec4a27c2846398dbe7a
SHA1: fc0b41f95eada19f2bfe826722ddd31e8ce4a17b
SHA256: 4cb2afa7bb41afc2ff979814779a57c23e970780acf7f18aac239b1e517979ad
SHA512: bd3a029927400d3769c605d9bf7784a5b670a62dd0e4d1c39cc44d1976c6578c26f3e08dcf4ff31239dbb52255454389cd555e733dc2994a734005b2cdb0fe0c

Filesize: 3KB
MD5: d1d605681029f10ad619c7aa646eb041
SHA1: ddf17f593a3990cd82d027733922eb59e70a87b7
SHA256: 67efb93a1982cada1b7ecabce2832200635cafb69b60b1f870eed136de5aff4a
SHA512: 019fe7b7bd3b40834a36b982bc4349f223720132695f78b59392141496e4276fdb5d6b343850445290540fdd589c1ea6150ac7b5bd006c77d14f8786459ebd64

Filesize: 626KB
MD5: d8aec01ff14e3e7ad43a4b71e30482e4
SHA1: e3015f56f17d845ec7eef11d41bbbc28cc16d096
SHA256: da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e
SHA512: f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Filesize: 1.2MB
MD5: 34a466e51a80ad778b3e07aab08e934f
SHA1: 189592eda4e8a4f051e1af4c56c8b2384c5c0e2b
SHA256: 59bafd4c82ebacac6b134fd031274210f66a12c391d06015484f63a87b54b461
SHA512: 699b11e1992ca2a1199fef70bdce13153e5868de4a655efd801de1972844b64bd3b947ecb62ff3148fa76c4eabe2ebbd19bc8b461546234d428ed5d8f04caecc

Filesize: 297B
MD5: d1ec50346481bd11b2d8be43f6358af3
SHA1: 2dfd60169ce047aa6c42e61492897e7d027f8712
SHA256: fb936f7a30099d17b28f4c38ee5fd79b46cbf6b3524445ebaea1dece8183bb72
SHA512: c60431823fadc13eebaaf63fb77360b60605e226868d098cf7ba034a16fc61f965455dd0b4ba4f1d557953696cf1a5d4921a9f717aba66f1e8b2b761cf909425

Filesize: 279B
MD5: bb46a9793e097694b2e1a4cc1ba97f37
SHA1: 0ed368831bfd51cb0ae0b453da7bf46228a221a9
SHA256: cc58d243c0e715e4d780474606496a55a8acc58d04c4784de7bd2d588e16554c
SHA512: 5eb0dec38bdeb6a3e9ef628b19d7fd6c3d64b44f5b31f57757e256cd21992a54690b1d8c013e88009812a595d5fac1bb6708d342eadb813d5a1dbd553f915482

Filesize: 652B
MD5: f1f03f2671cc211f0bdd8563be7f2c5c
SHA1: 51a52f0c3bd65d89021529ff3c52cd2e6fcbfdb2
SHA256: 43193843b31ace6155509af601eb190165f5e53ecf69a86352f65f2b0bd21c86
SHA512: 354af71b974c35cd69520fa99701525a622eb12bd40c76e631f3d6d4320fdcb0c5fc462e11ae49f6ad0275566ba49f7655cf9bb3a64d1956db027bf7baaaa8b3

Filesize: 652B
MD5: f2d96e76d91d73c6e40592d9e64d7bd4
SHA1: fc26454554ae38f378a01fbd5dbc2f45eea34557
SHA256: 6dbe24df60c3c9719e16a1a027ccc6c3db5a04e3dca03101465092f53933454e
SHA512: 577f451399ab50f6e0a9fe5b06a2192fef1ee444e3c56e191c8f842f4b0daa4abc5660ba422e9c4a647934797dfc70fafaf25d088c72a2f8881616c0e29a4fa7

Filesize: 285B
MD5: 4d95622f967f043b01d907b419b16f48
SHA1: 4ee52dfc3011311a9db8f07341a58bac5a1f3c5a
SHA256: fa701a8903493269fa20d49fbf81d06120f978d18899a9b5b2e5a7e565ec73c8
SHA512: 18c1c1ba1ea6fe8e62cf279d58229673c409843c679deaca73790855267b2f4ed1db60a61d7e6bcf82f670f155606f0d7c2883cfd4cc802863b35c0a06646ee7

Filesize: 279B
MD5: 7759c8d9c937592d8ed2b0e53e1059c2
SHA1: 0fd0fc1c1cf4fb8b0b1f5d0f08f0d7366161b2f6
SHA256: a247732f703f2f860d9c844a9270fe3f17cb7612984b8832f9566c614dd20ec0
SHA512: af48fe2947cf9e96f059018648fb39456c58012f0f47ca0b5a404546275f1f34010243e7af745ded3c9b6e2c8b7b87b531c031557b953b2eda5d859014608ed2