Analysis

  • max time kernel
    150s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    14-07-2022 07:14

General

  • Target

    4745f3dc2e5442fa507481521616bf34cce9ffc0cf61aa294270849211b1d1be.exe

  • Size

    573KB

  • MD5

    4d8c3bbe432078a30d62aa760079fbcf

  • SHA1

    a58d821eda9181fcd487b08d244bd33a67aad775

  • SHA256

    4745f3dc2e5442fa507481521616bf34cce9ffc0cf61aa294270849211b1d1be

  • SHA512

    3312293b27a8a2b412f2888069d933883ab39fd30368bd73990d1146a790ff6b348c424ebf8d73c9f8fb725f03d408b44dd68187977a140e7cd52bfab1a04c0a

Score
10/10

Malware Config

Signatures

  • Luminosity

    Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4745f3dc2e5442fa507481521616bf34cce9ffc0cf61aa294270849211b1d1be.exe
    "C:\Users\Admin\AppData\Local\Temp\4745f3dc2e5442fa507481521616bf34cce9ffc0cf61aa294270849211b1d1be.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Update\JTKVKVCKFYKCCCGCCTyfuflyfuyuUYFUFUYU" /XML "C:\Users\Admin\AppData\Local\Temp\z778"
      2⤵
      • Creates scheduled task(s)
      PID:1948
    • C:\Users\Admin\AppData\Local\Temp\4745f3dc2e5442fa507481521616bf34cce9ffc0cf61aa294270849211b1d1be.exe
      "C:\Users\Admin\AppData\Local\Temp\4745f3dc2e5442fa507481521616bf34cce9ffc0cf61aa294270849211b1d1be.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:584

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\z778

    Filesize

    1KB

    MD5

    7df6668345efb0b3a550af2cc4353067

    SHA1

    9e2da8c883da2a974c8d94f773a565491f8608d7

    SHA256

    7d5f7acd53feaee884a67f603b5256a61ffa5288995228d80ad22e0c9f4bbe56

    SHA512

    a2ba0301e79a753272e39d4d420eb7c7b347a5a5c8f6269cddc06be0fa4027ab6ecc8da640aaf2a909f103789a44f5e5dd4e3a94b276595354f36099bb2f4274

  • memory/584-66-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/584-76-0x0000000074590000-0x0000000074B3B000-memory.dmp

    Filesize

    5.7MB

  • memory/584-74-0x0000000074590000-0x0000000074B3B000-memory.dmp

    Filesize

    5.7MB

  • memory/584-59-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/584-60-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/584-62-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/584-72-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/584-70-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1884-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

    Filesize

    8KB

  • memory/1884-56-0x0000000074590000-0x0000000074B3B000-memory.dmp

    Filesize

    5.7MB

  • memory/1884-55-0x0000000074590000-0x0000000074B3B000-memory.dmp

    Filesize

    5.7MB

  • memory/1884-75-0x0000000000A85000-0x0000000000A96000-memory.dmp

    Filesize

    68KB