Overview

overview

10

Static

static

fe54c49acf...ee.exe

windows7_x64

10

fe54c49acf...ee.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe54c49acfc6485aea338336c5be99ebb0df277c779fd25b18801ad71f886cee.exe

  • Size

    28.9MB

  • MD5

    38dcc51a50e6c2f1282e9a7620d89c17

  • SHA1

    e971cde2c9b72989886a85b1bd8f80a9aa531c11

  • SHA256

    fe54c49acfc6485aea338336c5be99ebb0df277c779fd25b18801ad71f886cee

  • SHA512

    bf18b1244dcf2ec5204e29b56a17080353e5d2ca70e9d342a9d9602846919909596ef8a1e8e6db5c2f9ad2502d947a6ef713a78b71447c647f4fb057d1b86936

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity 1 IoCs

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe54c49acfc6485aea338336c5be99ebb0df277c779fd25b18801ad71f886cee.exe
    "C:\Users\Admin\AppData\Local\Temp\fe54c49acfc6485aea338336c5be99ebb0df277c779fd25b18801ad71f886cee.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Users\Admin\AppData\Local\Temp\fe54c49acfc6485aea338336c5be99ebb0df277c779fd25b18801ad71f886cee.exe
      "C:\Users\Admin\AppData\Local\Temp\fe54c49acfc6485aea338336c5be99ebb0df277c779fd25b18801ad71f886cee.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn "Windows Autostart" /tr "'C:\Program Files (x86)\Microsoft\swchost.exe' /startup" /sc MINUTE /f /rl highest
        3⤵
        • Luminosity
        • Creates scheduled task(s)
        PID:1200
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Windows Autostart" /d "cmd /c """start """Windows Autostart""" """C:\Program Files (x86)\Microsoft\swchost.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2460
  • C:\Program Files (x86)\Microsoft\swchost.exe
    "C:\Program Files (x86)\Microsoft\swchost.exe" /startup
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Program Files (x86)\Microsoft\swchost.exe
      "C:\Program Files (x86)\Microsoft\swchost.exe"
      2⤵
        PID:3728
    • C:\Program Files (x86)\Microsoft\swchost.exe
      "C:\Program Files (x86)\Microsoft\swchost.exe" /startup
      1⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Program Files (x86)\Microsoft\swchost.exe
        "C:\Program Files (x86)\Microsoft\swchost.exe"
        2⤵
          PID:3816

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/212-133-0x0000000006940000-0x0000000006949000-memory.dmp

        Filesize

        36KB

        Download

      • memory/212-126-0x0000000004F70000-0x0000000004F71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/212-129-0x0000000004D50000-0x0000000004DEC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/212-119-0x0000000000400000-0x00000000004DC000-memory.dmp

        Filesize

        880KB

        Download

      • memory/780-127-0x0000000005220000-0x0000000005221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/780-114-0x00000000007B0000-0x00000000007B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/780-118-0x0000000005370000-0x000000000545A000-memory.dmp

        Filesize

        936KB

        Download

      • memory/780-117-0x00000000052D0000-0x00000000052D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/780-116-0x0000000005730000-0x0000000005731000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1204-147-0x00000000051D0000-0x00000000051D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1204-135-0x0000000002940000-0x0000000002941000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1204-134-0x0000000002920000-0x0000000002937000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1204-148-0x0000000002990000-0x0000000002991000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-164-0x0000000000C20000-0x0000000000C21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-151-0x0000000000C00000-0x0000000000C17000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2088-152-0x0000000000B90000-0x0000000000B91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-163-0x0000000004B00000-0x0000000004B01000-memory.dmp

        Filesize

        4KB

        Download