Analysis
max time kernel: 156s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-06-2022 22:40
Static task: static1
Behavioral task: behavioral1
    Sample: 16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe
    Resource: win7-20220414-en
Behavioral task: behavioral2
    Sample: 16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe
    Resource: win10v2004-20220414-en
General
Target: 16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe
Size: 501KB
MD5: 365c7943dc2aab5777fbc8a127a5187d
SHA1: 08aab407d36826c7dd2036d0cc260907a68cb7a9
SHA256: 16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3
SHA512: 5cd9f4e9ad28ccce3435efd1bed18a4145a35e42e8f9258e7b5ebf61cb8ef34ea43192c39e4bc6231fa0cd4ca963200aeee62fb19f5016528968aa76a68c260a
Malware Config
Signatures
Luminosity
Luminosity is a RAT family that was on sale while claiming to be a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\827379\\client.exe\"" | 16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4272 set thread context of 4720 | 4272 | 16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe | 81

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4720 | 16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe
(the same pid/process entry is reported 64 times)

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
4720 | 16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4720 | 16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4720 | 16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4272 wrote to memory of 4720 | 4272 | 16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe | 81
(the same write entry is reported 8 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe"
   PID: 4272
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe (child of PID 4272)
      Command line: "C:\Users\Admin\AppData\Local\Temp\16ebc150998d18a2f00ba92ff7704d8e3615f6cddf8a48921b678439189a1bd3.exe"
      PID: 4720
      - Modifies WinLogon for persistence
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx