Analysis
- max time kernel: 168s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-06-2022 09:46
Static task: static1
Behavioral task: behavioral1
- Sample: 210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe
- Resource: win10v2004-20220414-en
General
- Target: 210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe
- Size: 550KB
- MD5: 03598ac96100cf4cb41e01e3f4f43ef1
- SHA1: 5bbe4890beb41e5aa137e3ebb8277b6318e1b524
- SHA256: 210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e
- SHA512: 90dfb3fced9be8e29fa750b9085b2b3b07abcf2433e95044adbefea01d373f3ad0a899f781fd61c426a8f22ac09a4757b5523ce72176ea47e767e88d64223d7d
Malware Config
Signatures
Luminosity (1 IoCs)
Luminosity is a RAT family that was on sale while claiming to be a system administration utility.
  pid   Process
  4008  schtasks.exe
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 3496 set thread context of 3352  3496  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  79
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4008  schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  3352  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3496  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe
  Token: SeDebugPrivilege   3352  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  3352  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 3496 wrote to memory of 3352   3496  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  79
  PID 3496 wrote to memory of 3352   3496  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  79
  PID 3496 wrote to memory of 3352   3496  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  79
  PID 3496 wrote to memory of 3352   3496  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  79
  PID 3496 wrote to memory of 3352   3496  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  79
  PID 3496 wrote to memory of 3352   3496  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  79
  PID 3496 wrote to memory of 3352   3496  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  79
  PID 3496 wrote to memory of 3352   3496  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  79
  PID 3352 wrote to memory of 4008   3352  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  80
  PID 3352 wrote to memory of 4008   3352  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  80
  PID 3352 wrote to memory of 4008   3352  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  80
  PID 3352 wrote to memory of 4008   3352  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  80
  PID 3352 wrote to memory of 4008   3352  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  80
  PID 3352 wrote to memory of 4008   3352  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  80
  PID 3352 wrote to memory of 4008   3352  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  80
  PID 3352 wrote to memory of 4008   3352  210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe  80
Processes
1. C:\Users\Admin\AppData\Local\Temp\210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 3496
   2. C:\Users\Admin\AppData\Local\Temp\210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3352
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: schtasks /create /sc onlogon /tn "Adobe Updater" /rl highest /tr "'C:\Program Files (x86)\Adobe Updater\armscv.exe' /startup" /f
         - Luminosity
         - Creates scheduled task(s)
         - Suspicious behavior: EnumeratesProcesses
         PID: 4008
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe.log
  Filesize: 341B
  MD5: 0a03cd5cee2fbb8ee3a91185dcfc3d8c
  SHA1: 86df802434bd16c8b7aa1a6be94422d3ef9351ee
  SHA256: fe236dce3f7bc95eceb9223349d13b6a737fc331121889a4ff60ef84fcac82de
  SHA512: 13803a22c21c1f51dc84f7988e9839cee5118c41cc8613e7dd152d281de52b5987ef28a2357fc2d79f162b482ecb5385090b23782eba111eb0d5e2752af324fb