Analysis
- max time kernel: 151s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 07:32
Static task: static1
Behavioral task: behavioral1
- Sample: 29f93a7bf1f74d94bbfa8e9e299b368d5835414980f1fff9b86d78afabbeb518.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 29f93a7bf1f74d94bbfa8e9e299b368d5835414980f1fff9b86d78afabbeb518.exe
- Resource: win10v2004-20220414-en
General
- Target: 29f93a7bf1f74d94bbfa8e9e299b368d5835414980f1fff9b86d78afabbeb518.exe
- Size: 528KB
- MD5: 168aa881825bf5dbcff0c219bfacc331
- SHA1: fea6d448d457fe714562038e6d8d8a2bcd58fba2
- SHA256: 29f93a7bf1f74d94bbfa8e9e299b368d5835414980f1fff9b86d78afabbeb518
- SHA512: d60c17218ade50f0e9660a4a3bcb4694b86ce1b2254bdc29e1224977c728742bb0db2390f34f4ece6972b259a53f975581849c421be04525ffa12457855d3805
Malware Config
Signatures
- Luminosity (2 IoCs)
  Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (process: 29f93a7bf1f74d94bbfa8e9e299b368d5835414980f1fff9b86d78afabbeb518.exe)
  PID 3812: schtasks.exe
- Executes dropped EXE (2 IoCs)
  PID 2952: files.sfx.exe
  PID 4072: files.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (process: 29f93a7bf1f74d94bbfa8e9e299b368d5835414980f1fff9b86d78afabbeb518.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (process: files.sfx.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3812: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated pid/process entries collapsed)
  PID 4072: files.exe (repeated)
  PID 4172: cmd.exe (repeated)
  PID 4196: 29f93a7bf1f74d94bbfa8e9e299b368d5835414980f1fff9b86d78afabbeb518.exe (repeated)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4072: files.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4072: files.exe
- Suspicious use of WriteProcessMemory (22 IoCs; identical rows collapsed with counts)
  PID 4196 wrote to memory of 4172 (process: 29f93a7bf1f74d94bbfa8e9e299b368d5835414980f1fff9b86d78afabbeb518.exe, procid_target: 79), 3 entries
  PID 4172 wrote to memory of 2952 (process: cmd.exe, procid_target: 82), 3 entries
  PID 2952 wrote to memory of 4072 (process: files.sfx.exe, procid_target: 83), 3 entries
  PID 4072 wrote to memory of 4172 (process: files.exe, procid_target: 79), 5 entries
  PID 4072 wrote to memory of 4196 (process: files.exe, procid_target: 78), 5 entries
  PID 4072 wrote to memory of 3812 (process: files.exe, procid_target: 91), 3 entries
Processes (numbers give the depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\29f93a7bf1f74d94bbfa8e9e299b368d5835414980f1fff9b86d78afabbeb518.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\29f93a7bf1f74d94bbfa8e9e299b368d5835414980f1fff9b86d78afabbeb518.exe"
   - Luminosity
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 4196
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 4172
      3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\files.sfx.exe
         Command line: files.sfx.exe -p123 -dC:\Users\Admin\AppData\Local\Temp
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         PID: 2952
         4. C:\Users\Admin\AppData\Local\Temp\RarSFX1\files.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\files.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 4072
            5. C:\Windows\SysWOW64\schtasks.exe
               Command line: schtasks /create /sc onlogon /tn "flash" /rl highest /tr "'C:\ProgramData\981668\adobe.exe' /startup" /f
               - Luminosity
               - Creates scheduled task(s)
               PID: 3812
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 421KB
  MD5: b7144894fd1c8ea2941c5801a62a5a96
  SHA1: 92d470330cc8cbc2450c187ba43cece64a47a2d4
  SHA256: 7445e90be0cf36a9eb7d811caa625967ef4604d47f5501aabae2e2a1a2667398
  SHA512: c0ca3d7da5574df17e7b8c4ef602d02eba6d977211003dc526d998ccc9c0b2df315c5e21a3816437f2b634af408ab7f88e6538ae135a611fc2974ae1f1b022cb
- Filesize: 28B
  MD5: 8a2e0dbe75c83cc337121970c379afd8
  SHA1: 8d806548ca78dbd4859e3ed0383f0f0ded19b6bd
  SHA256: 25225b42e1b919f11cb9d0dbc266b5fb4be59551ca370a060337127b5427817d
  SHA512: a146c635be8dbb4537c8af094b316a232ccb3c0f3d2da2a0ab659ebe6996ae32bbdeb1acdc32b09dc3381713d8f71a51983672b4fd9924198b4f859a8f9c487b
- Filesize: 317KB
  MD5: b74cf3e1a9a1596b597e4d62c87abbdb
  SHA1: 6e68bb13fba9cef4d592b8a6f16080629a83891b
  SHA256: ea4a7aa918b736985e5e4e2be7139efc3f5c616894e233b9dd1b78700309f237
  SHA512: bba5cdc76b576e44569a83d934984ffb546437d1d87ef90532b3a366065afad9cdaf3431471f5561e7b530d2b1e9e3dbd6c2103312cd3c9a85ff69690f8a69a7