Analysis

  • max time kernel: 168s
  • max time network: 180s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 12-06-2022 09:46

General

  • Target: 210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe
  • Size: 550KB
  • MD5: 03598ac96100cf4cb41e01e3f4f43ef1
  • SHA1: 5bbe4890beb41e5aa137e3ebb8277b6318e1b524
  • SHA256: 210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e
  • SHA512: 90dfb3fced9be8e29fa750b9085b2b3b07abcf2433e95044adbefea01d373f3ad0a899f781fd61c426a8f22ac09a4757b5523ce72176ea47e767e88d64223d7d

Score
10/10

Malware Config

Signatures

  • Luminosity 1 IoCs

    Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe
    "C:\Users\Admin\AppData\Local\Temp\210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Users\Admin\AppData\Local\Temp\210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe
      "C:\Users\Admin\AppData\Local\Temp\210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3352
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc onlogon /tn "Adobe Updater" /rl highest /tr "'C:\Program Files (x86)\Adobe Updater\armscv.exe' /startup" /f
        3⤵
        • Luminosity
        • Creates scheduled task(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:4008

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\210e940c47cf79db8a3b9bceff1e4caae76653aeaf97080883ff735fd354221e.exe.log
    Filesize: 341B
    MD5: 0a03cd5cee2fbb8ee3a91185dcfc3d8c
    SHA1: 86df802434bd16c8b7aa1a6be94422d3ef9351ee
    SHA256: fe236dce3f7bc95eceb9223349d13b6a737fc331121889a4ff60ef84fcac82de
    SHA512: 13803a22c21c1f51dc84f7988e9839cee5118c41cc8613e7dd152d281de52b5987ef28a2357fc2d79f162b482ecb5385090b23782eba111eb0d5e2752af324fb

  • memory/3352-136-0x0000000075520000-0x0000000075AD1000-memory.dmp (Filesize: 5.7MB)
  • memory/3352-137-0x0000000075520000-0x0000000075AD1000-memory.dmp (Filesize: 5.7MB)
  • memory/3496-130-0x0000000075520000-0x0000000075AD1000-memory.dmp (Filesize: 5.7MB)
  • memory/3496-131-0x0000000075520000-0x0000000075AD1000-memory.dmp (Filesize: 5.7MB)
  • memory/3496-135-0x0000000075520000-0x0000000075AD1000-memory.dmp (Filesize: 5.7MB)
  • memory/4008-139-0x0000000000980000-0x0000000000997000-memory.dmp (Filesize: 92KB)
  • memory/4008-140-0x0000000000980000-0x0000000000997000-memory.dmp (Filesize: 92KB)
  • memory/4008-141-0x0000000000980000-0x0000000000997000-memory.dmp (Filesize: 92KB)