Analysis
- max time kernel: 164s
- max time network: 195s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 05:40
Static task: static1
Behavioral task: behavioral1
- Sample: 3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe
- Resource: win10v2004-20220414-en
General
- Target: 3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe
- Size: 1.4MB
- MD5: 5e045da5143cb22634f71ab931e1ee46
- SHA1: a3c226344a934a7635757dfed37fc510039cedb0
- SHA256: 3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0
- SHA512: 722771a4a5dca75d5d85e06bfca4054563334ff53bbf36a0ac636b8976eb7b0d8be2068653750f1a8dafa7d893fb250deba6e6daa60a6225b258f3bb0bdd9e80
Malware Config
Signatures
- Luminosity
  Luminosity is a RAT family that was sold as a commercial product while claiming to be a system administration utility.
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" (process: sysmon.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\307393\\sysmon.exe\"" (process: sysmon.exe)
- Executes dropped EXE (2 IoCs)
  - PID 4512: sysmon.exe
  - PID 4124: sysmon.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: 3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\307393\\sysmon.exe\"" (process: sysmon.exe)
- Drops file in System32 directory (2 IoCs)
  - File created: C:\Windows\SysWOW64\clientsvr.exe (process: sysmon.exe)
  - File opened for modification: C:\Windows\SysWOW64\clientsvr.exe (process: sysmon.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 2860 set thread context of 1584 (process: 3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe, procid_target: 78)
  - PID 4512 set thread context of 4124 (process: sysmon.exe, procid_target: 82)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - 64 pid/process entries, all belonging to PID 2860 (3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe), PID 4512 (sysmon.exe), PID 4124 (sysmon.exe) and PID 1584 (3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe)
- Suspicious behavior: MapViewOfSection (4 IoCs)
  - PID 2860: 3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe (2 entries)
  - PID 4512: sysmon.exe (2 entries)
- Suspicious behavior: RenamesItself (1 IoC)
  - PID 1584: 3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege (PID 4124, process: sysmon.exe)
- Suspicious use of WriteProcessMemory (14 IoCs)
  - PID 2860 wrote to memory of 1584 (process: 3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe, procid_target: 78), 3 entries
  - PID 1584 wrote to memory of 4512 (process: 3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe, procid_target: 81), 3 entries
  - PID 4512 wrote to memory of 4124 (process: sysmon.exe, procid_target: 82), 3 entries
  - PID 4124 wrote to memory of 1584 (process: sysmon.exe, procid_target: 78), 5 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe"
   PID: 2860
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. (child) C:\Users\Admin\AppData\Local\Temp\3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0.exe"
      PID: 1584
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. (child) C:\ProgramData\307393\sysmon.exe
         Command line: "C:\ProgramData\307393\sysmon.exe"
         PID: 4512
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. (child) C:\ProgramData\307393\sysmon.exe
            Command line: "C:\ProgramData\307393\sysmon.exe"
            PID: 4124
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.4MB
- MD5: 5e045da5143cb22634f71ab931e1ee46
- SHA1: a3c226344a934a7635757dfed37fc510039cedb0
- SHA256: 3eb7945613b579e82e8377fc0097e42fe6bc64047da17683bc9b317c412be9b0
- SHA512: 722771a4a5dca75d5d85e06bfca4054563334ff53bbf36a0ac636b8976eb7b0d8be2068653750f1a8dafa7d893fb250deba6e6daa60a6225b258f3bb0bdd9e80