Analysis

  • max time kernel
    153s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-06-2022 11:23

General

  • Target

    20caa9abe0b37c0d09b041b84573c3a62deceb9a3e5e876e4725ece403b72c71.exe

  • Size

    852KB

  • MD5

    7bc5c48e8e95526e4adb155a561bc09b

  • SHA1

    755b965d1c32ff5af956cb68a6463f0f71a5895a

  • SHA256

    20caa9abe0b37c0d09b041b84573c3a62deceb9a3e5e876e4725ece403b72c71

  • SHA512

    c9db71c27a13a580c27d830d3098d7d2389b1d74d01fde3f429ff1881dc0132884cd58d0ef1002b1dfa51bd320d24b71629b3785262c9125d64a5565c84ba571

Score
10/10

Malware Config

Signatures

  • Luminosity 1 IoCs

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20caa9abe0b37c0d09b041b84573c3a62deceb9a3e5e876e4725ece403b72c71.exe
    "C:\Users\Admin\AppData\Local\Temp\20caa9abe0b37c0d09b041b84573c3a62deceb9a3e5e876e4725ece403b72c71.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Users\Admin\AppData\Local\Temp\20caa9abe0b37c0d09b041b84573c3a62deceb9a3e5e876e4725ece403b72c71.exe
      "C:\Users\Admin\AppData\Local\Temp\20caa9abe0b37c0d09b041b84573c3a62deceb9a3e5e876e4725ece403b72c71.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc onlogon /tn "System Monitor" /rl highest /tr "'C:\ProgramData\722824\sysmon.exe' /startup" /f
        3⤵
        • Luminosity
        • Creates scheduled task(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:540

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/540-137-0x0000000000CC0000-0x0000000000CD7000-memory.dmp

    Filesize

    92KB

  • memory/540-138-0x0000000000CC0000-0x0000000000CD7000-memory.dmp

    Filesize

    92KB

  • memory/540-139-0x0000000000CC0000-0x0000000000CD7000-memory.dmp

    Filesize

    92KB

  • memory/3136-130-0x0000000074C20000-0x00000000751D1000-memory.dmp

    Filesize

    5.7MB

  • memory/3136-134-0x0000000074C20000-0x00000000751D1000-memory.dmp

    Filesize

    5.7MB

  • memory/4488-132-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

  • memory/4488-133-0x0000000074C20000-0x00000000751D1000-memory.dmp

    Filesize

    5.7MB

  • memory/4488-135-0x0000000074C20000-0x00000000751D1000-memory.dmp

    Filesize

    5.7MB