Overview

overview

10

Static

static

312e16e72d...0b.exe

windows7_x64

10

312e16e72d...0b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    155s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-06-2022 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b.exe

  • Size

    1.8MB

  • MD5

    5b7184b825866b331b646b976e52165d

  • SHA1

    e88407cfb398a23e65113fdaa763e924f0da3819

  • SHA256

    312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b

  • SHA512

    521f667d961b6a703a5230fe52165eb3866527f4542e75b81756fb003a309e60929983e24707e3b7a52ad8ff24edbb5414199d53ca48b59145da4e5b80155f29

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity 2 IoCs

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 42 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b.exe
    "C:\Users\Admin\AppData\Local\Temp\312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b.exe"
    1⤵
    • Luminosity
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Users\Admin\AppData\Local\Temp\tsmgr.exe
      "C:\Users\Admin\AppData\Local\Temp\tsmgr.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4648
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /NP /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
        3⤵
        • Luminosity
        • Creates scheduled task(s)
        PID:3460
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:560
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:880
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2080
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:3620
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4116
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1464
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:3888
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:3048
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2960
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:3448
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4272
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:3144
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4080
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4320
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4048
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:912
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:2436
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:216
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:4432
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
        3⤵
        • Adds Run key to start application
        PID:1428
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\tsmgr.exe.lnk " /f
        3⤵
          PID:1428
      • C:\Users\Admin\AppData\Local\Temp\notepad.exe
        "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
        2⤵
        • Executes dropped EXE
        PID:32

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\FolderN\tsmgr.exe
      Filesize

      1.8MB

      MD5

      5b7184b825866b331b646b976e52165d

      SHA1

      e88407cfb398a23e65113fdaa763e924f0da3819

      SHA256

      312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b

      SHA512

      521f667d961b6a703a5230fe52165eb3866527f4542e75b81756fb003a309e60929983e24707e3b7a52ad8ff24edbb5414199d53ca48b59145da4e5b80155f29

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\notepad.exe
      Filesize

      52KB

      MD5

      a64daca3cfbcd039df3ec29d3eddd001

      SHA1

      eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

      SHA256

      403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

      SHA512

      b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\notepad.exe
      Filesize

      52KB

      MD5

      a64daca3cfbcd039df3ec29d3eddd001

      SHA1

      eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

      SHA256

      403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

      SHA512

      b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tsmgr.exe
      Filesize

      857KB

      MD5

      bc6529f2a93dd5eb328963e0b41a855a

      SHA1

      0d3fe448baa8a886fd33541f17e893a8a550640f

      SHA256

      b98c711a375f39574672d49fdb798e70dab73b56c5a605c2cfd55a82d8d1b528

      SHA512

      4b50bc0de71bdbdbe76622d498d70b940e11a5c34b6d58b43765eacb2447d3106da3ac80f3a20e7eed67598bf9875cda9646694724b8fae6d91a7ed97b0bad73

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tsmgr.exe
      Filesize

      857KB

      MD5

      bc6529f2a93dd5eb328963e0b41a855a

      SHA1

      0d3fe448baa8a886fd33541f17e893a8a550640f

      SHA256

      b98c711a375f39574672d49fdb798e70dab73b56c5a605c2cfd55a82d8d1b528

      SHA512

      4b50bc0de71bdbdbe76622d498d70b940e11a5c34b6d58b43765eacb2447d3106da3ac80f3a20e7eed67598bf9875cda9646694724b8fae6d91a7ed97b0bad73

      Download Submit
    • memory/32-148-0x0000000075020000-0x00000000755D1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/32-147-0x0000000075020000-0x00000000755D1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/32-143-0x0000000075020000-0x00000000755D1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/32-139-0x0000000000000000-mapping.dmp
      Download
    • memory/32-140-0x0000000000400000-0x00000000004DC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/216-168-0x0000000000000000-mapping.dmp
      Download
    • memory/560-150-0x0000000000000000-mapping.dmp
      Download
    • memory/880-151-0x0000000000000000-mapping.dmp
      Download
    • memory/912-166-0x0000000000000000-mapping.dmp
      Download
    • memory/1428-170-0x0000000000000000-mapping.dmp
      Download
    • memory/1428-137-0x0000000000000000-mapping.dmp
      Download
    • memory/1464-155-0x0000000000000000-mapping.dmp
      Download
    • memory/2080-152-0x0000000000000000-mapping.dmp
      Download
    • memory/2436-167-0x0000000000000000-mapping.dmp
      Download
    • memory/2532-135-0x0000000075020000-0x00000000755D1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2532-132-0x0000000000000000-mapping.dmp
      Download
    • memory/2532-146-0x0000000075020000-0x00000000755D1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2960-158-0x0000000000000000-mapping.dmp
      Download
    • memory/3048-157-0x0000000000000000-mapping.dmp
      Download
    • memory/3144-162-0x0000000000561000-0x000000000056D000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3144-161-0x0000000000000000-mapping.dmp
      Download
    • memory/3280-130-0x0000000075020000-0x00000000755D1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3280-131-0x0000000075020000-0x00000000755D1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3280-144-0x0000000075020000-0x00000000755D1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3448-159-0x0000000000000000-mapping.dmp
      Download
    • memory/3460-149-0x0000000000000000-mapping.dmp
      Download
    • memory/3620-153-0x0000000000000000-mapping.dmp
      Download
    • memory/3888-156-0x0000000000000000-mapping.dmp
      Download
    • memory/4048-165-0x0000000000000000-mapping.dmp
      Download
    • memory/4080-163-0x0000000000000000-mapping.dmp
      Download
    • memory/4116-154-0x0000000000000000-mapping.dmp
      Download
    • memory/4272-160-0x0000000000000000-mapping.dmp
      Download
    • memory/4320-164-0x0000000000000000-mapping.dmp
      Download
    • memory/4432-169-0x0000000000000000-mapping.dmp
      Download
    • memory/4648-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4836-136-0x0000000000000000-mapping.dmp
      Download