9de052d7b835e0b896644c23c696c5d31c78b6d5f5366ab46b9b368f18106e0c

Resubmissions

04/01/2025, 22:11

250104-13x5xssjap 6

04/01/2025, 22:06

250104-11dcqs1raj 10

Analysis

max time kernel
63s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2025, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.bat
Size

2KB
MD5

a8883d531fc8b94f0ce002b1bc607d1d
SHA1

7f52ffa1e9fab82955dfe3cbb04714b85a4990ac
SHA256

cc5480ea61441b4112dfbbb04402e91b0abb7d64ca4461b5c8a46b063bb33e9e
SHA512

789d3a4161d1ea4d72dd2c9c56fb8b135bc5d613c69e328aeef0c4e1fdd9191dc89f2d819d925e7878baef282120a3c481cffc762ba923a925eeea21da0a62f6

Score

6^/10

discovery

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	lua.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4728	schtasks.exe
3920	schtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3748	2548	cmd.exe	83
PID 2548 wrote to memory of 3748	2548	cmd.exe	83
PID 2548 wrote to memory of 3748	2548	cmd.exe	83
PID 3748 wrote to memory of 4728	3748	lua.exe	86
PID 3748 wrote to memory of 4728	3748	lua.exe	86
PID 3748 wrote to memory of 4728	3748	lua.exe	86
PID 3748 wrote to memory of 3920	3748	lua.exe	87
PID 3748 wrote to memory of 3920	3748	lua.exe	87
PID 3748 wrote to memory of 3920	3748	lua.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\lua.exe
  lua.exe config.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 14:26 /f /tn WindowsErrorRecovery_ODA3 /tr ""C:\Users\Admin\AppData\Local\ODA3\ODA3.exe" "C:\Users\Admin\AppData\Local\ODA3\config.txt""
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4728
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 14:26 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3748-4-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-7-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-63-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-62-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-61-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-60-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-58-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-57-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-56-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-55-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-54-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-53-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-52-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-51-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-50-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-49-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-48-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-47-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-46-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-45-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-44-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-43-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-42-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-41-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-40-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-39-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-38-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-37-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-36-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-35-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-34-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-33-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-32-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-31-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-30-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-29-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-28-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-27-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-24-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-23-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-22-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-21-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-20-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-19-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-18-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-17-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-16-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-15-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-14-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-13-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-12-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-11-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-10-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-9-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-6-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-59-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-26-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-25-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-8-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-5-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-3-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-2-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-1-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-0-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

Filesize
64KB

Download
memory/3748-77-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/3748-76-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/3748-79-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/3748-84-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/3748-142-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads