luminosity | 8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7
submitted
25-10-2020 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe
Size

1.5MB
MD5

6283d7dedf246ce837a43b9843356cd4
SHA1

f81c108eced16ff1f6b9b34037f14b248242ce34
SHA256

8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516
SHA512

831f45b904b10454c5499c6b9888a9ea91ed632a1df15e9535661bcdd45c0365254dfae044cf6d1c2dc9d5fc39a533c139114b95e6b3d7abd712304968491d6c

Score

10^/10

rat luminosity spyware persistence keylogger trojan stealer hawkeye

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
173.237.185.61
Port:
587
Username:
[email protected]
Password:
7213575ace

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Luminosity 26 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

description	ioc	pid	Process
		680	schtasks.exe
		1904	schtasks.exe
		1172	schtasks.exe
		1584	schtasks.exe
		1296	schtasks.exe
		2028	schtasks.exe
		520	schtasks.exe
		1180	schtasks.exe
		408	schtasks.exe
		2000	schtasks.exe
		1472	schtasks.exe
		1648	schtasks.exe
		1044	schtasks.exe
		1580	schtasks.exe
		1732	schtasks.exe
		2036	schtasks.exe
		804	schtasks.exe
		1432	schtasks.exe
		1528	schtasks.exe
		1236	schtasks.exe
		1368	schtasks.exe
		1892	schtasks.exe
		1116	schtasks.exe
		1496	schtasks.exe
File opened for modification	C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT		Binded Pred.exe
		796	schtasks.exe

Executes dropped EXE 1 IoCs

pid	Process
1664	Binded Pred.exe

Loads dropped DLL 1 IoCs

pid	Process
1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""	REG.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	whatismyipaddress.com
8	whatismyipaddress.com
9	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 1108	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	29
PID 1664 set thread context of 324	1664	Binded Pred.exe	31
PID 1664 set thread context of 1844	1664	Binded Pred.exe	34

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
408	schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe
Token: SeDebugPrivilege	1664	Binded Pred.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1664	Binded Pred.exe
1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe

Suspicious use of WriteProcessMemory 137 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1664	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	28
PID 1896 wrote to memory of 1664	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	28
PID 1896 wrote to memory of 1664	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	28
PID 1896 wrote to memory of 1664	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	28
PID 1896 wrote to memory of 1108	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	29
PID 1896 wrote to memory of 1108	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	29
PID 1896 wrote to memory of 1108	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	29
PID 1896 wrote to memory of 1108	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	29
PID 1896 wrote to memory of 1108	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	29
PID 1896 wrote to memory of 1108	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	29
PID 1896 wrote to memory of 1108	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	29
PID 1896 wrote to memory of 1108	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	29
PID 1896 wrote to memory of 1108	1896	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	29
PID 1664 wrote to memory of 324	1664	Binded Pred.exe	31
PID 1664 wrote to memory of 324	1664	Binded Pred.exe	31
PID 1664 wrote to memory of 324	1664	Binded Pred.exe	31
PID 1664 wrote to memory of 324	1664	Binded Pred.exe	31
PID 1664 wrote to memory of 324	1664	Binded Pred.exe	31
PID 1664 wrote to memory of 324	1664	Binded Pred.exe	31
PID 1664 wrote to memory of 324	1664	Binded Pred.exe	31
PID 1664 wrote to memory of 324	1664	Binded Pred.exe	31
PID 1664 wrote to memory of 324	1664	Binded Pred.exe	31
PID 1664 wrote to memory of 324	1664	Binded Pred.exe	31
PID 1108 wrote to memory of 1432	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	32
PID 1108 wrote to memory of 1432	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	32
PID 1108 wrote to memory of 1432	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	32
PID 1108 wrote to memory of 1432	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	32
PID 1664 wrote to memory of 1844	1664	Binded Pred.exe	34
PID 1664 wrote to memory of 1844	1664	Binded Pred.exe	34
PID 1664 wrote to memory of 1844	1664	Binded Pred.exe	34
PID 1664 wrote to memory of 1844	1664	Binded Pred.exe	34
PID 1664 wrote to memory of 1844	1664	Binded Pred.exe	34
PID 1664 wrote to memory of 1844	1664	Binded Pred.exe	34
PID 1664 wrote to memory of 1844	1664	Binded Pred.exe	34
PID 1664 wrote to memory of 1844	1664	Binded Pred.exe	34
PID 1664 wrote to memory of 1844	1664	Binded Pred.exe	34
PID 1664 wrote to memory of 1844	1664	Binded Pred.exe	34
PID 1108 wrote to memory of 1528	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	36
PID 1108 wrote to memory of 1528	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	36
PID 1108 wrote to memory of 1528	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	36
PID 1108 wrote to memory of 1528	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	36
PID 1108 wrote to memory of 796	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	38
PID 1108 wrote to memory of 796	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	38
PID 1108 wrote to memory of 796	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	38
PID 1108 wrote to memory of 796	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	38
PID 1108 wrote to memory of 2000	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	40
PID 1108 wrote to memory of 2000	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	40
PID 1108 wrote to memory of 2000	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	40
PID 1108 wrote to memory of 2000	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	40
PID 1108 wrote to memory of 1236	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	42
PID 1108 wrote to memory of 1236	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	42
PID 1108 wrote to memory of 1236	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	42
PID 1108 wrote to memory of 1236	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	42
PID 1108 wrote to memory of 1472	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	44
PID 1108 wrote to memory of 1472	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	44
PID 1108 wrote to memory of 1472	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	44
PID 1108 wrote to memory of 1472	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	44
PID 1108 wrote to memory of 1968	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	46
PID 1108 wrote to memory of 1968	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	46
PID 1108 wrote to memory of 1968	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	46
PID 1108 wrote to memory of 1968	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	46
PID 1108 wrote to memory of 1648	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	48
PID 1108 wrote to memory of 1648	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	48
PID 1108 wrote to memory of 1648	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	48
PID 1108 wrote to memory of 1648	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	48
PID 1108 wrote to memory of 1584	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	50
PID 1108 wrote to memory of 1584	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	50
PID 1108 wrote to memory of 1584	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	50
PID 1108 wrote to memory of 1584	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	50
PID 1108 wrote to memory of 1368	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	52
PID 1108 wrote to memory of 1368	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	52
PID 1108 wrote to memory of 1368	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	52
PID 1108 wrote to memory of 1368	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	52
PID 1108 wrote to memory of 1296	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	54
PID 1108 wrote to memory of 1296	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	54
PID 1108 wrote to memory of 1296	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	54
PID 1108 wrote to memory of 1296	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	54
PID 1108 wrote to memory of 1892	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	56
PID 1108 wrote to memory of 1892	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	56
PID 1108 wrote to memory of 1892	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	56
PID 1108 wrote to memory of 1892	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	56
PID 1108 wrote to memory of 2028	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	58
PID 1108 wrote to memory of 2028	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	58
PID 1108 wrote to memory of 2028	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	58
PID 1108 wrote to memory of 2028	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	58
PID 1108 wrote to memory of 1044	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	60
PID 1108 wrote to memory of 1044	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	60
PID 1108 wrote to memory of 1044	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	60
PID 1108 wrote to memory of 1044	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	60
PID 1108 wrote to memory of 1580	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	62
PID 1108 wrote to memory of 1580	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	62
PID 1108 wrote to memory of 1580	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	62
PID 1108 wrote to memory of 1580	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	62
PID 1108 wrote to memory of 1904	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	64
PID 1108 wrote to memory of 1904	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	64
PID 1108 wrote to memory of 1904	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	64
PID 1108 wrote to memory of 1904	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	64
PID 1108 wrote to memory of 1732	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	66
PID 1108 wrote to memory of 1732	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	66
PID 1108 wrote to memory of 1732	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	66
PID 1108 wrote to memory of 1732	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	66
PID 1108 wrote to memory of 520	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	68
PID 1108 wrote to memory of 520	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	68
PID 1108 wrote to memory of 520	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	68
PID 1108 wrote to memory of 520	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	68
PID 1108 wrote to memory of 2036	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	70
PID 1108 wrote to memory of 2036	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	70
PID 1108 wrote to memory of 2036	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	70
PID 1108 wrote to memory of 2036	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	70
PID 1108 wrote to memory of 1116	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	72
PID 1108 wrote to memory of 1116	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	72
PID 1108 wrote to memory of 1116	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	72
PID 1108 wrote to memory of 1116	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	72
PID 1108 wrote to memory of 804	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	74
PID 1108 wrote to memory of 804	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	74
PID 1108 wrote to memory of 804	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	74
PID 1108 wrote to memory of 804	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	74
PID 1108 wrote to memory of 1172	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	76
PID 1108 wrote to memory of 1172	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	76
PID 1108 wrote to memory of 1172	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	76
PID 1108 wrote to memory of 1172	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	76
PID 1108 wrote to memory of 1496	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 1108 wrote to memory of 1496	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 1108 wrote to memory of 1496	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 1108 wrote to memory of 1496	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	78
PID 1108 wrote to memory of 1180	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	80
PID 1108 wrote to memory of 1180	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	80
PID 1108 wrote to memory of 1180	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	80
PID 1108 wrote to memory of 1180	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	80
PID 1108 wrote to memory of 680	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	82
PID 1108 wrote to memory of 680	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	82
PID 1108 wrote to memory of 680	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	82
PID 1108 wrote to memory of 680	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	82
PID 1108 wrote to memory of 408	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	84
PID 1108 wrote to memory of 408	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	84
PID 1108 wrote to memory of 408	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	84
PID 1108 wrote to memory of 408	1108	8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe	84

C:\Users\Admin\AppData\Local\Temp\8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe
"C:\Users\Admin\AppData\Local\Temp\8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\Documents\Binded Pred.exe
  "C:\Users\Admin\Documents\Binded Pred.exe"
  2⤵
  - Luminosity
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    PID:324
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    PID:1844
- C:\Users\Admin\AppData\Local\Temp\8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe
  "C:\Users\Admin\AppData\Local\Temp\8329f8176e926053fc9a4db2f9eb09aff6fec31c197e919ae26cb9501926c516.exe"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1432
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1528
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:796
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:2000
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1236
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1472
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:1968
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1648
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1584
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1368
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1296
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:2028
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1580
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1904
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:2036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1116
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:804
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1172
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1496
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:1180
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    PID:680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f /rl highest
    3⤵
    - Luminosity
    - Creates scheduled task(s)
    PID:408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/324-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/324-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1108-5-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1108-6-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1108-4-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1512-16-0x000007FEF8590000-0x000007FEF880A000-memory.dmp

Filesize
2.5MB

Download
memory/1844-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1844-13-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads