Overview

overview

10

Static

static

New PO 800...20.exe

windows7_x64

10

New PO 800...20.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New PO 8003987747484873672020.exe

  • Size

    293KB

  • MD5

    7c1768b63f9baa0720999f746e56a3ec

  • SHA1

    8bb578ad423522f6f7c54275ed8269601ee68bd7

  • SHA256

    2db7aa7291c73bde092cd4cc8af0aff7eac7245ae5b034d8bb8810c76d85cd91

  • SHA512

    aa40e474dfc97638f75ff9495b8766e546704d80828ecdfc98ea0d3ac01e3c22a4b131ecb22ccbd75bfe15906c259a3db215bbd0684bca2704eee590a5e17b21

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity 2 IoCs

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New PO 8003987747484873672020.exe
    "C:\Users\Admin\AppData\Local\Temp\New PO 8003987747484873672020.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QFUlQILxU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE96.tmp"
      2⤵
      • Luminosity
      PID:3524
    • C:\Users\Admin\AppData\Local\Temp\New PO 8003987747484873672020.exe
      "C:\Users\Admin\AppData\Local\Temp\New PO 8003987747484873672020.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\ProgramData\213113\anibtcent.exe.exe
        "C:\ProgramData\213113\anibtcent.exe.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4364
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QFUlQILxU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9191.tmp"
          4⤵
          • Luminosity
          • Creates scheduled task(s)
          PID:3176
        • C:\ProgramData\213113\anibtcent.exe.exe
          "C:\ProgramData\213113\anibtcent.exe.exe"
          4⤵
          • Executes dropped EXE
          PID:4336

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\213113\anibtcent.exe.exe
    Filesize

    293KB

    MD5

    7c1768b63f9baa0720999f746e56a3ec

    SHA1

    8bb578ad423522f6f7c54275ed8269601ee68bd7

    SHA256

    2db7aa7291c73bde092cd4cc8af0aff7eac7245ae5b034d8bb8810c76d85cd91

    SHA512

    aa40e474dfc97638f75ff9495b8766e546704d80828ecdfc98ea0d3ac01e3c22a4b131ecb22ccbd75bfe15906c259a3db215bbd0684bca2704eee590a5e17b21

    Download Submit

  • C:\ProgramData\213113\anibtcent.exe.exe
    Filesize

    293KB

    MD5

    7c1768b63f9baa0720999f746e56a3ec

    SHA1

    8bb578ad423522f6f7c54275ed8269601ee68bd7

    SHA256

    2db7aa7291c73bde092cd4cc8af0aff7eac7245ae5b034d8bb8810c76d85cd91

    SHA512

    aa40e474dfc97638f75ff9495b8766e546704d80828ecdfc98ea0d3ac01e3c22a4b131ecb22ccbd75bfe15906c259a3db215bbd0684bca2704eee590a5e17b21

    Download Submit

  • C:\ProgramData\213113\anibtcent.exe.exe
    Filesize

    293KB

    MD5

    7c1768b63f9baa0720999f746e56a3ec

    SHA1

    8bb578ad423522f6f7c54275ed8269601ee68bd7

    SHA256

    2db7aa7291c73bde092cd4cc8af0aff7eac7245ae5b034d8bb8810c76d85cd91

    SHA512

    aa40e474dfc97638f75ff9495b8766e546704d80828ecdfc98ea0d3ac01e3c22a4b131ecb22ccbd75bfe15906c259a3db215bbd0684bca2704eee590a5e17b21

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New PO 8003987747484873672020.exe.log
    Filesize

    507B

    MD5

    76ffb2f33cb32ade8fc862a67599e9d8

    SHA1

    920cc4ab75b36d2f9f6e979b74db568973c49130

    SHA256

    f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

    SHA512

    f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\anibtcent.exe.exe.log
    Filesize

    507B

    MD5

    76ffb2f33cb32ade8fc862a67599e9d8

    SHA1

    920cc4ab75b36d2f9f6e979b74db568973c49130

    SHA256

    f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

    SHA512

    f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9191.tmp
    Filesize

    1KB

    MD5

    32b10a99b73ad7b71b9364bc8f66e942

    SHA1

    4b5752285c0e8932b0496e325f8585fc97d6b050

    SHA256

    1c78724d0b2dfa00fd6cfe33f1046769553ca79c97031060eb54620b3e3bcac8

    SHA512

    90237ef847dca1f7b000c78dc60abf3e79a444f619ba38dd352b0a99968abe00cc77346a3cc631ecf06d66ef8bf3d85e221cfb097d515326309fcd1a253e5d3b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpE96.tmp
    Filesize

    1KB

    MD5

    32b10a99b73ad7b71b9364bc8f66e942

    SHA1

    4b5752285c0e8932b0496e325f8585fc97d6b050

    SHA256

    1c78724d0b2dfa00fd6cfe33f1046769553ca79c97031060eb54620b3e3bcac8

    SHA512

    90237ef847dca1f7b000c78dc60abf3e79a444f619ba38dd352b0a99968abe00cc77346a3cc631ecf06d66ef8bf3d85e221cfb097d515326309fcd1a253e5d3b

    Download Submit

  • memory/112-130-0x00000000001D0000-0x0000000000220000-memory.dmp

    Filesize

    320KB

    Download

  • memory/112-133-0x0000000005750000-0x00000000057EC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/112-132-0x0000000004BF0000-0x0000000004C82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/112-131-0x0000000005100000-0x00000000056A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1960-137-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1960-139-0x0000000005700000-0x0000000005766000-memory.dmp

    Filesize

    408KB

    Download