Overview

overview

10

Static

static

fe54c49acf...ee.exe

windows7_x64

10

fe54c49acf...ee.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    183s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15-05-2021 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe54c49acfc6485aea338336c5be99ebb0df277c779fd25b18801ad71f886cee.exe

  • Size

    28.9MB

  • MD5

    38dcc51a50e6c2f1282e9a7620d89c17

  • SHA1

    e971cde2c9b72989886a85b1bd8f80a9aa531c11

  • SHA256

    fe54c49acfc6485aea338336c5be99ebb0df277c779fd25b18801ad71f886cee

  • SHA512

    bf18b1244dcf2ec5204e29b56a17080353e5d2ca70e9d342a9d9602846919909596ef8a1e8e6db5c2f9ad2502d947a6ef713a78b71447c647f4fb057d1b86936

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity 1 IoCs

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe54c49acfc6485aea338336c5be99ebb0df277c779fd25b18801ad71f886cee.exe
    "C:\Users\Admin\AppData\Local\Temp\fe54c49acfc6485aea338336c5be99ebb0df277c779fd25b18801ad71f886cee.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Users\Admin\AppData\Local\Temp\fe54c49acfc6485aea338336c5be99ebb0df277c779fd25b18801ad71f886cee.exe
      "C:\Users\Admin\AppData\Local\Temp\fe54c49acfc6485aea338336c5be99ebb0df277c779fd25b18801ad71f886cee.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn "Windows Autostart" /tr "'C:\Program Files (x86)\Microsoft\swchost.exe' /startup" /sc MINUTE /f /rl highest
        3⤵
        • Luminosity
        • Creates scheduled task(s)
        PID:704
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Windows Autostart" /d "cmd /c """start """Windows Autostart""" """C:\Program Files (x86)\Microsoft\swchost.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1744
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {38495B81-9E85-4674-A40F-7D1BFFB2C343} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Program Files (x86)\Microsoft\swchost.exe
      "C:\Program Files (x86)\Microsoft\swchost.exe" /startup
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Program Files (x86)\Microsoft\swchost.exe
        "C:\Program Files (x86)\Microsoft\swchost.exe"
        3⤵
          PID:1332
      • C:\Program Files (x86)\Microsoft\swchost.exe
        "C:\Program Files (x86)\Microsoft\swchost.exe" /startup
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1616
        • C:\Program Files (x86)\Microsoft\swchost.exe
          "C:\Program Files (x86)\Microsoft\swchost.exe"
          3⤵
            PID:292
        • C:\Program Files (x86)\Microsoft\swchost.exe
          "C:\Program Files (x86)\Microsoft\swchost.exe" /startup
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2000
          • C:\Program Files (x86)\Microsoft\swchost.exe
            "C:\Program Files (x86)\Microsoft\swchost.exe"
            3⤵
              PID:2008

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/964-80-0x00000000049F0000-0x00000000049F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/964-81-0x0000000000450000-0x0000000000451000-memory.dmp

          Filesize

          4KB

          Download

        • memory/964-74-0x00000000002E0000-0x00000000002E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/964-73-0x00000000003F0000-0x0000000000407000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1060-68-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1060-72-0x0000000000240000-0x0000000000249000-memory.dmp

          Filesize

          36KB

          Download

        • memory/1060-65-0x0000000000400000-0x00000000004DC000-memory.dmp

          Filesize

          880KB

          Download

        • memory/1060-63-0x0000000000400000-0x00000000004DC000-memory.dmp

          Filesize

          880KB

          Download

        • memory/1616-87-0x0000000000380000-0x0000000000381000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1616-93-0x00000000003E0000-0x00000000003E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1616-94-0x00000000003D0000-0x00000000003D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1616-86-0x0000000000260000-0x0000000000277000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1860-59-0x0000000000E10000-0x0000000000E11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1860-61-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1860-62-0x0000000004980000-0x0000000004A6A000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2000-98-0x0000000000390000-0x00000000003A7000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2000-99-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2000-106-0x0000000000440000-0x0000000000441000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2000-105-0x0000000004B50000-0x0000000004B51000-memory.dmp

          Filesize

          4KB

          Download