Overview

overview

10

Static

static

312e16e72d...0b.exe

windows7_x64

10

312e16e72d...0b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-06-2022 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b.exe

  • Size

    1.8MB

  • MD5

    5b7184b825866b331b646b976e52165d

  • SHA1

    e88407cfb398a23e65113fdaa763e924f0da3819

  • SHA256

    312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b

  • SHA512

    521f667d961b6a703a5230fe52165eb3866527f4542e75b81756fb003a309e60929983e24707e3b7a52ad8ff24edbb5414199d53ca48b59145da4e5b80155f29

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity 2 IoCs

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 36 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b.exe
    "C:\Users\Admin\AppData\Local\Temp\312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\AppData\Local\Temp\tsmgr.exe
      "C:\Users\Admin\AppData\Local\Temp\tsmgr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Luminosity
        • Adds Run key to start application
        PID:576
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /NP /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
        3⤵
        • Luminosity
        • Creates scheduled task(s)
        PID:1648
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2032
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1032
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1004
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:556
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1580
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1476
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:816
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:604
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1728
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:520
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:952
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2000
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1976
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1624
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1704
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1912
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:836
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\tsmgr.exe.lnk " /f
        3⤵
          PID:2008
      • C:\Users\Admin\AppData\Local\Temp\notepad.exe
        "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1992

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\FolderN\tsmgr.exe
      Filesize

      1.8MB

      MD5

      5b7184b825866b331b646b976e52165d

      SHA1

      e88407cfb398a23e65113fdaa763e924f0da3819

      SHA256

      312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b

      SHA512

      521f667d961b6a703a5230fe52165eb3866527f4542e75b81756fb003a309e60929983e24707e3b7a52ad8ff24edbb5414199d53ca48b59145da4e5b80155f29

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\notepad.exe
      Filesize

      52KB

      MD5

      278edbd499374bf73621f8c1f969d894

      SHA1

      a81170af14747781c5f5f51bb1215893136f0bc0

      SHA256

      c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

      SHA512

      93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\notepad.exe
      Filesize

      52KB

      MD5

      278edbd499374bf73621f8c1f969d894

      SHA1

      a81170af14747781c5f5f51bb1215893136f0bc0

      SHA256

      c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

      SHA512

      93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tsmgr.exe
      Filesize

      857KB

      MD5

      bc6529f2a93dd5eb328963e0b41a855a

      SHA1

      0d3fe448baa8a886fd33541f17e893a8a550640f

      SHA256

      b98c711a375f39574672d49fdb798e70dab73b56c5a605c2cfd55a82d8d1b528

      SHA512

      4b50bc0de71bdbdbe76622d498d70b940e11a5c34b6d58b43765eacb2447d3106da3ac80f3a20e7eed67598bf9875cda9646694724b8fae6d91a7ed97b0bad73

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tsmgr.exe
      Filesize

      857KB

      MD5

      bc6529f2a93dd5eb328963e0b41a855a

      SHA1

      0d3fe448baa8a886fd33541f17e893a8a550640f

      SHA256

      b98c711a375f39574672d49fdb798e70dab73b56c5a605c2cfd55a82d8d1b528

      SHA512

      4b50bc0de71bdbdbe76622d498d70b940e11a5c34b6d58b43765eacb2447d3106da3ac80f3a20e7eed67598bf9875cda9646694724b8fae6d91a7ed97b0bad73

      Download Submit
    • \Users\Admin\AppData\Local\Temp\FolderN\tsmgr.exe
      Filesize

      1.8MB

      MD5

      5b7184b825866b331b646b976e52165d

      SHA1

      e88407cfb398a23e65113fdaa763e924f0da3819

      SHA256

      312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b

      SHA512

      521f667d961b6a703a5230fe52165eb3866527f4542e75b81756fb003a309e60929983e24707e3b7a52ad8ff24edbb5414199d53ca48b59145da4e5b80155f29

      Download Submit
    • \Users\Admin\AppData\Local\Temp\notepad.exe
      Filesize

      52KB

      MD5

      278edbd499374bf73621f8c1f969d894

      SHA1

      a81170af14747781c5f5f51bb1215893136f0bc0

      SHA256

      c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

      SHA512

      93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

      Download Submit
    • \Users\Admin\AppData\Local\Temp\notepad.exe
      Filesize

      52KB

      MD5

      278edbd499374bf73621f8c1f969d894

      SHA1

      a81170af14747781c5f5f51bb1215893136f0bc0

      SHA256

      c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

      SHA512

      93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

      Download Submit
    • \Users\Admin\AppData\Local\Temp\tsmgr.exe
      Filesize

      857KB

      MD5

      bc6529f2a93dd5eb328963e0b41a855a

      SHA1

      0d3fe448baa8a886fd33541f17e893a8a550640f

      SHA256

      b98c711a375f39574672d49fdb798e70dab73b56c5a605c2cfd55a82d8d1b528

      SHA512

      4b50bc0de71bdbdbe76622d498d70b940e11a5c34b6d58b43765eacb2447d3106da3ac80f3a20e7eed67598bf9875cda9646694724b8fae6d91a7ed97b0bad73

      Download Submit
    • \Users\Admin\AppData\Local\Temp\tsmgr.exe
      Filesize

      857KB

      MD5

      bc6529f2a93dd5eb328963e0b41a855a

      SHA1

      0d3fe448baa8a886fd33541f17e893a8a550640f

      SHA256

      b98c711a375f39574672d49fdb798e70dab73b56c5a605c2cfd55a82d8d1b528

      SHA512

      4b50bc0de71bdbdbe76622d498d70b940e11a5c34b6d58b43765eacb2447d3106da3ac80f3a20e7eed67598bf9875cda9646694724b8fae6d91a7ed97b0bad73

      Download Submit
    • \Users\Admin\AppData\Local\Temp\tsmgr.exe
      Filesize

      857KB

      MD5

      bc6529f2a93dd5eb328963e0b41a855a

      SHA1

      0d3fe448baa8a886fd33541f17e893a8a550640f

      SHA256

      b98c711a375f39574672d49fdb798e70dab73b56c5a605c2cfd55a82d8d1b528

      SHA512

      4b50bc0de71bdbdbe76622d498d70b940e11a5c34b6d58b43765eacb2447d3106da3ac80f3a20e7eed67598bf9875cda9646694724b8fae6d91a7ed97b0bad73

      Download Submit
    • memory/520-112-0x0000000000000000-mapping.dmp
      Download
    • memory/556-100-0x0000000000000000-mapping.dmp
      Download
    • memory/576-88-0x0000000000000000-mapping.dmp
      Download
    • memory/604-108-0x0000000000000000-mapping.dmp
      Download
    • memory/816-106-0x0000000000000000-mapping.dmp
      Download
    • memory/836-126-0x0000000000000000-mapping.dmp
      Download
    • memory/952-114-0x0000000000000000-mapping.dmp
      Download
    • memory/1004-98-0x0000000000000000-mapping.dmp
      Download
    • memory/1032-96-0x0000000000000000-mapping.dmp
      Download
    • memory/1112-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1208-91-0x00000000744B0000-0x0000000074A5B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1208-69-0x00000000744B0000-0x0000000074A5B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1208-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1320-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1320-55-0x00000000744B0000-0x0000000074A5B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1320-87-0x00000000744B0000-0x0000000074A5B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1476-104-0x0000000000000000-mapping.dmp
      Download
    • memory/1580-102-0x0000000000000000-mapping.dmp
      Download
    • memory/1624-120-0x0000000000000000-mapping.dmp
      Download
    • memory/1648-92-0x0000000000000000-mapping.dmp
      Download
    • memory/1704-122-0x0000000000000000-mapping.dmp
      Download
    • memory/1728-110-0x0000000000000000-mapping.dmp
      Download
    • memory/1912-124-0x0000000000000000-mapping.dmp
      Download
    • memory/1976-118-0x0000000000000000-mapping.dmp
      Download
    • memory/1992-76-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/1992-90-0x00000000744B0000-0x0000000074A5B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1992-74-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/1992-77-0x00000000004D7D0E-mapping.dmp
      Download
    • memory/1992-72-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/1992-71-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/1992-80-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/1992-82-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/1992-86-0x00000000744B0000-0x0000000074A5B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2000-116-0x0000000000000000-mapping.dmp
      Download
    • memory/2008-65-0x0000000000000000-mapping.dmp
      Download
    • memory/2032-94-0x0000000000000000-mapping.dmp
      Download