luminosity | 1aab662435a6a2aeadf54ab5c31dbc6560dd4c9332769ed968e3ccf77ae8da68

Analysis

max time kernel
150s
max time network
155s
platform
windows10_x64
resource
win10v20210410
submitted
13-07-2021 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zeusvm_test002.exe
Size

1.4MB
MD5

05dfc8f126418c77521ff45f607257af
SHA1

a784ca3c97a83532cf2a2d497365fa8e7fe353cf
SHA256

1aab662435a6a2aeadf54ab5c31dbc6560dd4c9332769ed968e3ccf77ae8da68
SHA512

1b2d930388c86edc62d7a3614779ed9e04ad1ed0382619f70e470cc1b9faf3a7248c17d6675620c1ba5a9d802d41b533db65435abfda6a567a9b5745fa9288e6

Score

10^/10

luminosity pony discovery persistence rat spyware stealer upx

Malware Config

Signatures

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

description	ioc	pid	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000		zeusvm_test002.exe
		2416	schtasks.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 4 IoCs

pid	Process
2628	luminos.exe
2980	Pony.exe
1124	bot.exe
3456	unik.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000001ab51-121.dat	upx
behavioral2/files/0x000300000001ab51-120.dat	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\Currentversion\Run	luminos.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 2724	1736	zeusvm_test002.exe	82
PID 1124 set thread context of 2420	1124	bot.exe	90
PID 2628 set thread context of 2416	2628	luminos.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	2724	WerFault.exe	82

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2416	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b06010505070308620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d81436247f0000000100000016000000301406082b0601050507030906082b060105050703011400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000007e00000001000000080000000000cf97a737d6010300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180400000001000000100000002c8f9f661d1890b147269d8e86828ca92000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	zeusvm_test002.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 5c0000000100000004000000000800000400000001000000100000002c8f9f661d1890b147269d8e86828ca90300000001000000140000006252dc40f71143a22fde9ef7348e064251b181187e00000001000000080000000000cf97a737d6010b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded37f0000000100000016000000301406082b0601050507030906082b06010505070301620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d814362409000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad1900000001000000100000000b6cd9778e41ad67fd6be0a6903710442000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	zeusvm_test002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	zeusvm_test002.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b06010505070308620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d81436247f0000000100000016000000301406082b0601050507030906082b060105050703011400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000007e00000001000000080000000000cf97a737d6010300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	zeusvm_test002.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0400000001000000100000002c8f9f661d1890b147269d8e86828ca90300000001000000140000006252dc40f71143a22fde9ef7348e064251b181187e00000001000000080000000000cf97a737d6010b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded37f0000000100000016000000301406082b0601050507030906082b06010505070301620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d814362409000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	zeusvm_test002.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3456	unik.exe
3456	unik.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
1124	bot.exe
1124	bot.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
3380	explorer.exe
3380	explorer.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
3456	unik.exe
3456	unik.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2420	cmd.exe
2420	cmd.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2416	schtasks.exe
2416	schtasks.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe
2628	luminos.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1124	bot.exe
Token: SeImpersonatePrivilege	2980	Pony.exe
Token: SeTcbPrivilege	2980	Pony.exe
Token: SeChangeNotifyPrivilege	2980	Pony.exe
Token: SeCreateTokenPrivilege	2980	Pony.exe
Token: SeBackupPrivilege	2980	Pony.exe
Token: SeRestorePrivilege	2980	Pony.exe
Token: SeIncreaseQuotaPrivilege	2980	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	2980	Pony.exe
Token: SeImpersonatePrivilege	2980	Pony.exe
Token: SeTcbPrivilege	2980	Pony.exe
Token: SeChangeNotifyPrivilege	2980	Pony.exe
Token: SeCreateTokenPrivilege	2980	Pony.exe
Token: SeBackupPrivilege	2980	Pony.exe
Token: SeRestorePrivilege	2980	Pony.exe
Token: SeIncreaseQuotaPrivilege	2980	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	2980	Pony.exe
Token: SeImpersonatePrivilege	2980	Pony.exe
Token: SeTcbPrivilege	2980	Pony.exe
Token: SeChangeNotifyPrivilege	2980	Pony.exe
Token: SeCreateTokenPrivilege	2980	Pony.exe
Token: SeBackupPrivilege	2980	Pony.exe
Token: SeRestorePrivilege	2980	Pony.exe
Token: SeIncreaseQuotaPrivilege	2980	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	2980	Pony.exe
Token: SeImpersonatePrivilege	2980	Pony.exe
Token: SeTcbPrivilege	2980	Pony.exe
Token: SeChangeNotifyPrivilege	2980	Pony.exe
Token: SeCreateTokenPrivilege	2980	Pony.exe
Token: SeBackupPrivilege	2980	Pony.exe
Token: SeRestorePrivilege	2980	Pony.exe
Token: SeIncreaseQuotaPrivilege	2980	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	2980	Pony.exe
Token: SeImpersonatePrivilege	2980	Pony.exe
Token: SeTcbPrivilege	2980	Pony.exe
Token: SeChangeNotifyPrivilege	2980	Pony.exe
Token: SeCreateTokenPrivilege	2980	Pony.exe
Token: SeBackupPrivilege	2980	Pony.exe
Token: SeRestorePrivilege	2980	Pony.exe
Token: SeIncreaseQuotaPrivilege	2980	Pony.exe
Token: SeAssignPrimaryTokenPrivilege	2980	Pony.exe
Token: SeDebugPrivilege	2628	luminos.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2628	luminos.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2628	1736	zeusvm_test002.exe	78
PID 1736 wrote to memory of 2628	1736	zeusvm_test002.exe	78
PID 1736 wrote to memory of 2628	1736	zeusvm_test002.exe	78
PID 1736 wrote to memory of 2980	1736	zeusvm_test002.exe	79
PID 1736 wrote to memory of 2980	1736	zeusvm_test002.exe	79
PID 1736 wrote to memory of 2980	1736	zeusvm_test002.exe	79
PID 1736 wrote to memory of 1124	1736	zeusvm_test002.exe	80
PID 1736 wrote to memory of 1124	1736	zeusvm_test002.exe	80
PID 1736 wrote to memory of 1124	1736	zeusvm_test002.exe	80
PID 1736 wrote to memory of 2724	1736	zeusvm_test002.exe	82
PID 1736 wrote to memory of 2724	1736	zeusvm_test002.exe	82
PID 1736 wrote to memory of 2724	1736	zeusvm_test002.exe	82
PID 1736 wrote to memory of 2724	1736	zeusvm_test002.exe	82
PID 1736 wrote to memory of 2724	1736	zeusvm_test002.exe	82
PID 1736 wrote to memory of 2724	1736	zeusvm_test002.exe	82
PID 1736 wrote to memory of 2724	1736	zeusvm_test002.exe	82
PID 1736 wrote to memory of 2724	1736	zeusvm_test002.exe	82
PID 1124 wrote to memory of 3456	1124	bot.exe	81
PID 1124 wrote to memory of 3456	1124	bot.exe	81
PID 1124 wrote to memory of 3456	1124	bot.exe	81
PID 3456 wrote to memory of 3380	3456	unik.exe	84
PID 3456 wrote to memory of 3380	3456	unik.exe	84
PID 3456 wrote to memory of 3380	3456	unik.exe	84
PID 3456 wrote to memory of 3380	3456	unik.exe	84
PID 3456 wrote to memory of 3380	3456	unik.exe	84
PID 3456 wrote to memory of 3380	3456	unik.exe	84
PID 3456 wrote to memory of 3380	3456	unik.exe	84
PID 3456 wrote to memory of 3380	3456	unik.exe	84
PID 3456 wrote to memory of 3380	3456	unik.exe	84
PID 3456 wrote to memory of 2628	3456	unik.exe	78
PID 3456 wrote to memory of 2628	3456	unik.exe	78
PID 3456 wrote to memory of 2628	3456	unik.exe	78
PID 3456 wrote to memory of 2628	3456	unik.exe	78
PID 3456 wrote to memory of 2628	3456	unik.exe	78
PID 3456 wrote to memory of 2628	3456	unik.exe	78
PID 2980 wrote to memory of 2480	2980	Pony.exe	87
PID 2980 wrote to memory of 2480	2980	Pony.exe	87
PID 2980 wrote to memory of 2480	2980	Pony.exe	87
PID 3456 wrote to memory of 1124	3456	unik.exe	80
PID 3456 wrote to memory of 1124	3456	unik.exe	80
PID 3456 wrote to memory of 1124	3456	unik.exe	80
PID 3456 wrote to memory of 1124	3456	unik.exe	80
PID 3456 wrote to memory of 1124	3456	unik.exe	80
PID 3456 wrote to memory of 1124	3456	unik.exe	80
PID 2628 wrote to memory of 1124	2628	luminos.exe	80
PID 2628 wrote to memory of 1124	2628	luminos.exe	80
PID 2628 wrote to memory of 1124	2628	luminos.exe	80
PID 2628 wrote to memory of 1124	2628	luminos.exe	80
PID 2628 wrote to memory of 1124	2628	luminos.exe	80
PID 2628 wrote to memory of 3380	2628	luminos.exe	84
PID 2628 wrote to memory of 3380	2628	luminos.exe	84
PID 2628 wrote to memory of 3380	2628	luminos.exe	84
PID 2628 wrote to memory of 3380	2628	luminos.exe	84
PID 2628 wrote to memory of 3380	2628	luminos.exe	84
PID 2628 wrote to memory of 3456	2628	luminos.exe	81
PID 2628 wrote to memory of 3456	2628	luminos.exe	81
PID 2628 wrote to memory of 3456	2628	luminos.exe	81
PID 2628 wrote to memory of 3456	2628	luminos.exe	81
PID 2628 wrote to memory of 3456	2628	luminos.exe	81
PID 1124 wrote to memory of 2420	1124	bot.exe	90
PID 1124 wrote to memory of 2420	1124	bot.exe	90
PID 1124 wrote to memory of 2420	1124	bot.exe	90
PID 1124 wrote to memory of 2420	1124	bot.exe	90
PID 1124 wrote to memory of 2420	1124	bot.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\zeusvm_test002.exe
  "C:\Users\Admin\AppData\Local\Temp\zeusvm_test002.exe"
  2⤵
  - Luminosity
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Roaming\luminos.exe
    "C:\Users\Admin\AppData\Roaming\luminos.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc onlogon /tn "Computer Helper" /rl highest /tr "'C:\ProgramData\160685\helper.exe' /startup" /f
      4⤵
      Luminosity
      Creates scheduled task(s)
      Suspicious behavior: EnumeratesProcesses
      PID:2416
- - C:\Users\Admin\AppData\Roaming\Pony.exe
    "C:\Users\Admin\AppData\Roaming\Pony.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259277000.bat" "C:\Users\Admin\AppData\Roaming\Pony.exe" "
      4⤵
      PID:2480
- - C:\Users\Admin\AppData\Roaming\bot.exe
    "C:\Users\Admin\AppData\Roaming\bot.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Users\Admin\AppData\Roaming\Gahau\unik.exe
      "C:\Users\Admin\AppData\Roaming\Gahau\unik.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3380
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp16603f28.bat"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2420
- - C:\Users\Admin\AppData\Local\Temp\zeusvm_test002.exe
    "C:\Users\Admin\AppData\Local\Temp\zeusvm_test002.exe"
    3⤵
    PID:2724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 24
      4⤵
      Program crash
      PID:1204

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
PID:3844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1124-138-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/1124-140-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1124-149-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1124-139-0x0000000000640000-0x0000000000657000-memory.dmp

Filesize
92KB

Download
memory/1736-114-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/2416-152-0x0000000000780000-0x00000000007AE000-memory.dmp

Filesize
184KB

Download
memory/2416-156-0x0000000000700000-0x0000000000717000-memory.dmp

Filesize
92KB

Download
memory/2416-157-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2420-150-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/2420-151-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2420-145-0x0000000000340000-0x000000000036E000-memory.dmp

Filesize
184KB

Download
memory/2628-134-0x0000000006450000-0x000000000647E000-memory.dmp

Filesize
184KB

Download
memory/2628-137-0x00000000065D0000-0x00000000065D1000-memory.dmp

Filesize
4KB

Download
memory/2628-119-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/2724-125-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3380-141-0x0000000002940000-0x0000000002957000-memory.dmp

Filesize
92KB

Download
memory/3380-143-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3380-133-0x0000000002910000-0x000000000293E000-memory.dmp

Filesize
184KB

Download
memory/3456-144-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download