adb01eccb72b9a8c58b277a8543957d4f9f1095629fc42e30558fdcc7c6482b3

Analysis

max time kernel
24s
max time network
29s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03/10/2024, 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.bat
Size

1KB
MD5

657a0896af0d783b71acee3e3ac09ab3
SHA1

00346d1e96589652460cbcae7897cce245caa852
SHA256

c6e3c6dd72ee9a69ea53f0eea8285168bab3b534462a43bf41c0e6f4913512d4
SHA512

65f691628c1e0a22cdb30c49f7c641d5915e9236fb43ebe670c9bba4be296c8bd7c0b1a6b5a5537357cf9effb92533ff87e44bc8003a186bfb4a166a63a13263

Score

6^/10

discovery

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	compiler.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
252	schtasks.exe
688	schtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 920	1776	cmd.exe	78
PID 1776 wrote to memory of 920	1776	cmd.exe	78
PID 1776 wrote to memory of 920	1776	cmd.exe	78
PID 920 wrote to memory of 688	920	compiler.exe	81
PID 920 wrote to memory of 688	920	compiler.exe	81
PID 920 wrote to memory of 688	920	compiler.exe	81
PID 920 wrote to memory of 252	920	compiler.exe	82
PID 920 wrote to memory of 252	920	compiler.exe	82
PID 920 wrote to memory of 252	920	compiler.exe	82
PID 1660 wrote to memory of 3308	1660	cmd.exe	89
PID 1660 wrote to memory of 3308	1660	cmd.exe	89
PID 1660 wrote to memory of 3308	1660	cmd.exe	89
PID 1512 wrote to memory of 4300	1512	cmd.exe	92
PID 1512 wrote to memory of 4300	1512	cmd.exe	92
PID 1512 wrote to memory of 4300	1512	cmd.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\compiler.exe
  compiler.exe conf.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 14:39 /f /tn GameOptimizerTask_ODA1 /tr ""C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA1.exe" "C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf.txt""
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:688
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 14:39 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Launcher.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\compiler.exe
  compiler.exe conf.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Launcher.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\compiler.exe
  compiler.exe conf.txt
  2⤵
  PID:4300

C:\Users\Admin\AppData\Local\Temp\compiler.exe
"C:\Users\Admin\AppData\Local\Temp\compiler.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4780

C:\Users\Admin\AppData\Local\Temp\compiler.exe
"C:\Users\Admin\AppData\Local\Temp\compiler.exe"
1⤵
PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
720338739456ba40d9dfaa7c7c9d2ba2

SHA1
e90307b776cbcea39fc8e8fb1491a2132642e7ef

SHA256
87a6f12aa9885227d268a98a1e14f065a35a5945cee1ca35df703e70cdf74420

SHA512
d7378afba36af6e3cf72b67bca965dc628969de52cbf01be7f4f731b5c795c246ab69c7a9311b4ad3b7a3552694ed1b82681bba78dc12a4fd34a3b1675e6aea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
6ee28e8d9a66956b524e14c33a125e5b

SHA1
7cafee2661e1c145aec3ea6957e7bb34f983cc97

SHA256
fe49b267b80ef8036d5cff2841454059979886f443742a83ee79830d1288634b

SHA512
f66bbbada298c4c5e34f4f7fd31af13c4d4fe8d6579b8e0b486f7c2687ba7a18f6673e72eaefcec805976647a4b5c6347004d5ec741fa8c4d3b9c173634e4af7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IKUNXQCA\json[1].json

Filesize
289B

MD5
59386c53f2570f0e370e2ece30ccce7a

SHA1
b2fe2bc41bc2c07a33ebbc2e3ec6e30229215d69

SHA256
3b845724fd74dd2034ec56d4a2ecacc2dd49e0b388bf68f2e9546b9f8fa8065f

SHA512
3dd155da349193d5b1c185c52b2bd5b66edcff318d4fb051799523c490f6a95c9da85ab8dc203334b4630c978b0cb6fa70fcc54497e33ea1b9c91f4497541569

Download Submit
C:\Users\Admin\Pictures\99EF8723B5CB4D6AB7A37E98E5E6F2A8

Filesize
696B

MD5
e9272f583ca9d4a0e7aaf0d594f491bc

SHA1
77474a308a2d2470bcfa03ba2e34cfe80fda9cfd

SHA256
98bdfee86496046e6e8a8ca199129eaa2dceb4dea2d7ed4ef4c4145ddb1a965e

SHA512
83e5858a9b1456c2d1a85c1adee0dd0de589966556cddf17a23ebd16f285a323173a820d292e515e29d2f7889444f44214e75170e972aa66e3977f5034c7df1d

Download Submit
memory/920-40-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-64-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-63-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-80-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/920-82-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/920-81-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/920-79-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/920-89-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/920-60-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-61-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-59-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-57-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-58-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-56-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-55-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-54-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-53-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-52-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-51-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-50-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-49-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-48-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-47-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-46-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-45-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-44-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-43-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-42-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-41-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-39-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-38-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-37-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-36-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-35-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-34-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-33-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-32-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-31-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-30-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-29-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-28-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-27-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-26-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-25-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-24-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-21-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-22-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-20-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-19-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-18-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-17-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-16-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-15-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-14-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-13-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-12-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-11-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-10-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-9-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-8-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-7-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-6-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-5-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-4-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-2-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-23-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-3-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-1-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-0-0x000000007FA60000-0x000000007FA70000-memory.dmp

Filesize
64KB

Download
memory/920-124-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/920-156-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/920-157-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads