Analysis

max time kernel: 163s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220722-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 18:42

Static task: static1
Behavioral task: behavioral1
  Sample: 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe
  Resource: win10v2004-20220722-en

The platform and resource fields above identify this page as the behavioral2 run (Windows 10 2004, x64, en-us); the win7-20220718-en run is a separate report and its results are not shown here.

General

Target: 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe
Size: 631KB
MD5: 760c7ab3a4fef37d342cae926c2a035f
SHA1: a60e42682cf18b4a40446657c36c21a650b39d8e
SHA256: 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e
SHA512: 4e3def883030f7e41db6df960d0f2f7d65e4cacf8668fef95cb1eececcffe1a355665ff4961fc75df4eacd8e0472310790c35d0e7b75d2a1ea406fd0f9757f31
Malware Config
Signatures
Luminosity (2 IoCs)
Luminosity is a RAT family that was sold commercially (as LuminosityLink) while claiming to be a system administration utility.
  File created: C:\Program Files (x86)\Client\client.exe (by RegAsm.exe)
  Process: schtasks.exe (PID 444)
The family verdict rests on these two behavioural indicators, the Client\client.exe drop path and the scheduled-task registration issued from RegAsm.exe; no malware configuration (for example a C2 address) is shown in this report, so confirm the family from the dumped RegAsm.exe payload before acting on the label.
Executes dropped EXE (3 IoCs)
  PID 3808  BsBhvScan.exe
  PID 2412  bthserv.exe
  PID 1300  BsBhvScan.exe
Both executables are dropped under C:\Users\Admin\AppData\Local\Microsoft\Windows\ (see the process tree). The name bthserv imitates the Windows Bluetooth Support Service, which on a stock system is bthserv.dll loaded into svchost.exe; there is no legitimate bthserv.exe, and none that lives under a user profile, so the path alone is a usable hunt indicator.
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation
    by 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe, BsBhvScan.exe and bthserv.exe
Geo\Nation holds the user's GEOID country code; geofenced samples compare it with an exclusion list and exit on a match. If that is what this check is, the en-us locale of this image was not on the list, since execution continued. Each stage of the chain (the sample and both dropped copies) repeats the query.
Suspicious use of SetThreadContext (13 IoCs)
  4688 (5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe) set thread context of 2796 (target index 84)
  2412 (bthserv.exe) set thread context of 2984 (90)
  2412 (bthserv.exe) set thread context of 2132 (94)
  2412 (bthserv.exe) set thread context of 2116 (96)
  2412 (bthserv.exe) set thread context of 4824 (101)
  2412 (bthserv.exe) set thread context of 4928 (103)
  2412 (bthserv.exe) set thread context of 3476 (107)
  2412 (bthserv.exe) set thread context of 1888 (110)
  2412 (bthserv.exe) set thread context of 4652 (111)
  2412 (bthserv.exe) set thread context of 4968 (112)
  2412 (bthserv.exe) set thread context of 4104 (113)
  2412 (bthserv.exe) set thread context of 2408 (114)
  2412 (bthserv.exe) set thread context of 4688 (116)
Every target is a RegAsm.exe child that the same source process had just created (see the process tree), and the WriteProcessMemory table below shows the same source writing into the same PIDs first. Start a signed framework binary suspended, overwrite its image with the payload, point the primary thread at the new entry point with SetThreadContext and resume it: that sequence is process hollowing, and it is why the Luminosity payload surfaces under RegAsm.exe rather than under the dropped executables. The last row's target, 4688, is the original sample's PID reused for a later RegAsm.exe child after the sample process had exited; a join on PID alone would make this row look like bthserv.exe injecting into its own grandparent.
Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files (x86)\Client\client.exe (RegAsm.exe)
  File opened for modification: C:\Program Files (x86)\Client\client.exe (RegAsm.exe)
  File created: C:\Program Files (x86)\Client\client.exe.config (RegAsm.exe)
The .exe.config companion follows the .NET application-configuration convention, consistent with a managed payload. Writing under C:\Program Files (x86) needs administrative rights; the sandbox user (Admin) has them, but on a host where the user is not an administrator this drop fails and the scheduled task below would point at a file that was never written.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this "likely ransomware behaviour", but that is a generic heuristic: nothing else in this report (no mass file modification, no ransom note, no encryption-related signature) supports it, and drive enumeration is routine reconnaissance for a RAT with a file-manager feature.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 444  schtasks.exe
The full command line is recorded in the process tree: it registers a task named "Client Monitor" that runs C:\Program Files (x86)\Client\client.exe /startup at every logon with the highest available run level, and /f overwrites any existing task of that name without prompting. The task name and the action path are the two durable indicators here; the PIDs are not.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The table lists the calling PID once per enumeration, 64 rows in all; collapsed by process:
  PID 4688  5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe  10 rows
  PID 3808  BsBhvScan.exe   3 rows
  PID 2412  bthserv.exe    27 rows
  PID 2796  RegAsm.exe      3 rows
  PID 1300  BsBhvScan.exe  21 rows
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege  PID 4688  5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe
  Token: SeDebugPrivilege  PID 3808  BsBhvScan.exe
  Token: SeDebugPrivilege  PID 2412  bthserv.exe
  Token: SeDebugPrivilege  PID 2796  RegAsm.exe
  Token: SeDebugPrivilege  PID 1300  BsBhvScan.exe
Every process in the chain enables SeDebugPrivilege, which lets a process open other processes with full access regardless of who owns them. It is not needed to hollow a child you created yourself, so an ordinary application requesting it is a strong signal in its own right; here it precedes the cross-process writes from RegAsm.exe into processes that are not its children (see the WriteProcessMemory table).
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2796  RegAsm.exe
The hook is installed from the hollowed RegAsm.exe that carries the Luminosity payload. The report does not record the hook type; a keyboard hook is the usual mechanism for a RAT keylogger, so this is the first call to look at when the dumped payload is analysed.
Suspicious use of WriteProcessMemory (64 IoCs)
The table stops at 64 rows, part-way through the writes into PID 4824, so the RegAsm.exe children spawned after it (4928 onward) do not appear. Grouped as source -> target, with the number of write calls shown:
  4688 (5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe) -> 2796 (RegAsm.exe)      8 writes  (target index 84)
  4688 (5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe) -> 3808 (BsBhvScan.exe)   3 writes  (85)
  3808 (BsBhvScan.exe) -> 2412 (bthserv.exe)     3 writes  (88)
  2412 (bthserv.exe)   -> 2984 (RegAsm.exe)      8 writes  (90)
  2412 (bthserv.exe)   -> 1300 (BsBhvScan.exe)   3 writes  (91)
  2412 (bthserv.exe)   -> 2132 (RegAsm.exe)      8 writes  (94)
  2796 (RegAsm.exe)    -> 2412 (bthserv.exe)     5 writes  (88)
  2412 (bthserv.exe)   -> 2116 (RegAsm.exe)      8 writes  (96)
  2796 (RegAsm.exe)    -> 444 (schtasks.exe)     8 writes  (98)
  2796 (RegAsm.exe)    -> 1300 (BsBhvScan.exe)   5 writes  (91)
  2412 (bthserv.exe)   -> 4824 (RegAsm.exe)      5 writes  (101, cut off by the row limit)
Three patterns are visible. The 8-write groups into RegAsm.exe are each followed by SetThreadContext on the same PID from the same source: the payload is written, then the thread is redirected. The 3-write groups coincide with plain launches of the dropped executables and are followed by no SetThreadContext. The writes from 2796 into 2412 and 1300 target processes that are not its children, so the hollowed RegAsm.exe is injecting into processes that were already running; schtasks.exe (444) also receives 8 writes but no SetThreadContext, and it runs the genuine command line shown in the process tree.
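The SetThreadContext and WriteProcessMemory tables above are only useful once they are joined per (source, target) pair and checked against the process tree, which the PID reuse of 4688 makes a trap. The script below is an added example written for this page, not part of the Triage report or of the sample: it transcribes the report's tree and both tables as data, resolves each target against its parent so the reused PID lands on the right image, and reports hollowing candidates (process hollowing, ATT&CK T1055.012) plus writes into processes the writer did not create. The function names and the HOLLOW_HOSTS list are this example's own choices, and because the WriteProcessMemory table is cut at 64 rows, targets after 4824 show 0 writes.

```python
"""Correlate sandbox API events into process-injection findings.

Added example for this page, not part of the Triage report or of the sample.
Data is transcribed from the report's process tree and its SetThreadContext
and WriteProcessMemory tables (the latter stops at 64 rows, so targets after
PID 4824 show 0 writes). Function names and HOLLOW_HOSTS are this example's.
"""
from collections import defaultdict

SAMPLE = "5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe"

# Process tree in launch order: (pid, image, parent_pid). PID 4688 occurs twice.
PROCESSES = [
    (4688, SAMPLE, 0), (2796, "RegAsm.exe", 4688), (444, "schtasks.exe", 2796),
    (3808, "BsBhvScan.exe", 4688), (2412, "bthserv.exe", 3808),
    (2984, "RegAsm.exe", 2412), (1300, "BsBhvScan.exe", 2412),
    (2132, "RegAsm.exe", 2412), (2116, "RegAsm.exe", 2412),
    (4824, "RegAsm.exe", 2412), (4928, "RegAsm.exe", 2412),
    (3476, "RegAsm.exe", 2412), (1888, "RegAsm.exe", 2412),
    (4652, "RegAsm.exe", 2412), (4968, "RegAsm.exe", 2412),
    (4104, "RegAsm.exe", 2412), (2408, "RegAsm.exe", 2412),
    (4688, "RegAsm.exe", 2412),  # the exited sample's PID, reused
]
# (source_pid, target_pid) rows of the SetThreadContext table, in order.
SET_THREAD_CONTEXT = [
    (4688, 2796), (2412, 2984), (2412, 2132), (2412, 2116), (2412, 4824),
    (2412, 4928), (2412, 3476), (2412, 1888), (2412, 4652), (2412, 4968),
    (2412, 4104), (2412, 2408), (2412, 4688),
]
# WriteProcessMemory rows grouped as (source_pid, target_pid): row count.
WRITE_PROCESS_MEMORY = {
    (4688, 2796): 8, (4688, 3808): 3, (3808, 2412): 3, (2412, 2984): 8,
    (2412, 1300): 3, (2412, 2132): 8, (2796, 2412): 5, (2412, 2116): 8,
    (2796, 444): 8, (2796, 1300): 5, (2412, 4824): 5,
}
# Signed .NET framework binaries commonly started suspended and hollowed.
HOLLOW_HOSTS = {"RegAsm.exe", "RegSvcs.exe", "MSBuild.exe", "InstallUtil.exe",
                "AppLaunch.exe", "vbc.exe", "csc.exe"}


def pid_reuse(processes):
    """{pid: [image, ...]} for every PID that appears with more than one image."""
    seen = defaultdict(list)
    for pid, image, _parent in processes:
        seen[pid].append(image)
    return {pid: images for pid, images in seen.items() if len(images) > 1}


def image_of(processes, pid, parent_pid=None):
    """Image name for pid, preferring the entry whose parent is parent_pid.

    The parent-aware lookup resolves the reused PID 4688 to the RegAsm.exe
    child of bthserv.exe instead of to the original sample."""
    for p, image, parent in processes:
        if p == pid and parent == parent_pid:
            return image
    for p, image, _parent in processes:
        if p == pid:
            return image
    return None


def hollowing_candidates(processes, stc, wpm, hosts=HOLLOW_HOSTS):
    """One finding per SetThreadContext(source -> target) whose target is a
    known hollowing host, with the number of writes the same source made into
    it: payload written first, thread redirected second. Kept in table order."""
    findings = []
    for src, dst in stc:
        target_image = image_of(processes, dst, parent_pid=src)
        if target_image in hosts:
            findings.append({
                "source": src, "source_image": image_of(processes, src),
                "target": dst, "target_image": target_image,
                "writes": wpm.get((src, dst), 0),
            })
    return findings


def writes_to_non_children(processes, wpm):
    """WriteProcessMemory pairs whose target is not a child of the source:
    injection into a process that was already running, not one the writer
    had just created suspended."""
    parents = defaultdict(set)
    for pid, _image, parent in processes:
        parents[pid].add(parent)
    return {pair: n for pair, n in wpm.items() if pair[0] not in parents[pair[1]]}


if __name__ == "__main__":
    print("reused PIDs:", pid_reuse(PROCESSES))
    for f in hollowing_candidates(PROCESSES, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        print(f"{f['source']} ({f['source_image'][:13]}) -> {f['target']} "
              f"({f['target_image']}): {f['writes']} writes, then SetThreadContext")
    print("cross-process writes:", writes_to_non_children(PROCESSES, WRITE_PROCESS_MEMORY))
```

Run against this report it yields 13 hollowing candidates, all into RegAsm.exe, of which the five with non-zero write counts are the ones the truncated WriteProcessMemory table still covers; the two cross-process findings are RegAsm.exe (2796) writing into bthserv.exe and BsBhvScan.exe (1300). On live telemetry the same join works on Sysmon or EDR process-access events, provided the process key is (PID, creation time) rather than PID alone.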
Processes

C:\Users\Admin\AppData\Local\Temp\5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe  (PID 4688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 2796)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Luminosity
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 444)
      Command line: schtasks /create /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
      - Luminosity
      - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Microsoft\Windows\BsBhvScan.exe  (PID 3808)
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\BsBhvScan.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Microsoft\Windows\bthserv.exe  (PID 2412)
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\bthserv.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 2984), no signatures recorded

      C:\Users\Admin\AppData\Local\Microsoft\Windows\BsBhvScan.exe  (PID 1300)
        Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\BsBhvScan.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 2132), no signatures recorded
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 2116), no signatures recorded
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 4824), no signatures recorded
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 4928), no signatures recorded
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 3476), no signatures recorded
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 1888), no signatures recorded
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 4652), no signatures recorded
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 4968), no signatures recorded
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 4104), no signatures recorded
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 2408), no signatures recorded
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 4688), no signatures recorded; this PID belonged to the original sample process, which had exited by then

Every RegAsm.exe in the tree is started with the bare command line "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" and no assembly to register, which a genuine RegAsm invocation always has; an argument-less RegAsm.exe with a non-framework parent is a hollowing host. The Framework (rather than Framework64) path means a 32-bit host process, which is why its child schtasks.exe resolves to C:\Windows\SysWOW64. bthserv.exe spawning RegAsm.exe twelve times over the run is consistent with a watchdog loop that relaunches the injected payload whenever it exits; the count itself is a useful hunt signal.
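The schtasks command line recorded under PID 444 is the most portable indicator on this page (ATT&CK T1053.005), but it only becomes usable once its task name, trigger, run level and action path are pulled out of the nested quoting. The script below is an added example written for this page, not part of the Triage report or of the sample: it tokenises a Windows command line (double quotes group, backslashes are literal), maps the schtasks /create switches, and splits the /tr value, which here wraps the image path in single quotes, into image and arguments. The switch list, the tokenizer and the record layout are this example's own choices.

```python
"""Turn the schtasks command line from this report into persistence IoCs.

Added example for this page, not part of the Triage report or of the sample.
The command line is the one recorded under PID 444 in the process tree; the
tokenizer, switch list and field names are this example's own choices.
"""

# Recorded under PID 444 in the process tree (quoting reproduced verbatim).
SCHTASKS_CMDLINE = (
    r'schtasks /create /sc onlogon /tn "Client Monitor" /rl highest '
    r'''/tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f'''
)

# schtasks switches that take a value (subset); anything else is a bare flag.
VALUED = {"/sc", "/tn", "/rl", "/tr", "/mo", "/st", "/sd", "/ru", "/rp", "/xml"}


def split_args(cmdline):
    """Split on whitespace outside double quotes, dropping the quotes.

    shlex.split is POSIX-oriented and treats backslashes outside quotes as
    escapes, which mangles Windows paths, so a small tokenizer is used."""
    args, cur, quoted, pending = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
            pending = True            # "" must still yield an empty argument
        elif ch.isspace() and not quoted:
            if cur or pending:
                args.append("".join(cur))
            cur, pending = [], False
        else:
            cur.append(ch)
    if cur or pending:
        args.append("".join(cur))
    return args


def parse_schtasks(cmdline):
    """Map schtasks switches to a dict: the next token for VALUED switches,
    True for bare flags. Switch names are compared case-insensitively."""
    args = split_args(cmdline)
    if not args or args[0].lower() != "schtasks":
        raise ValueError("not a schtasks command line")
    out, i = {}, 1
    while i < len(args):
        key = args[i].lower()
        if key in VALUED and i + 1 < len(args):
            out[key] = args[i + 1]
            i += 2
        else:
            out[key] = True
            i += 1
    return out


def split_task_action(tr):
    """Split a /tr value into (image, arguments). schtasks accepts the image
    wrapped in single or double quotes when its path contains spaces; the
    sample uses single quotes inside the double-quoted /tr value."""
    tr = tr.strip()
    for q in ("'", '"'):
        if tr.startswith(q) and q in tr[1:]:
            end = tr.index(q, 1)
            return tr[1:end], tr[end + 1:].strip()
    head, _sep, rest = tr.partition(" ")
    return head, rest.strip()


def persistence_iocs(cmdline):
    """Persistence record: task name, trigger, run level, image, arguments,
    and whether /f was used to overwrite an existing task silently."""
    sw = parse_schtasks(cmdline)
    image, arguments = split_task_action(sw.get("/tr", ""))
    return {
        "task_name": sw.get("/tn"),
        "trigger": sw.get("/sc"),
        "run_level": sw.get("/rl"),
        "image": image,
        "arguments": arguments,
        "overwrite": bool(sw.get("/f", False)),
    }


if __name__ == "__main__":
    for key, value in persistence_iocs(SCHTASKS_CMDLINE).items():
        print(f"{key:>10}: {value}")
```

The resulting record (task "Client Monitor", trigger onlogon, run level highest, image C:\Program Files (x86)\Client\client.exe with argument /startup, overwrite on) is what to feed a hunt: query the task by name, check for the image path on disk, and treat any task whose action lives under a writable application directory and whose registering process was RegAsm.exe as suspect.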
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files)

Filesize: 52KB
MD5: a64daca3cfbcd039df3ec29d3eddd001
SHA1: eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256: 403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512: b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Filesize: 181B
MD5: 0366f988e5ea426d80338070d8fa241b
SHA1: 153b90af59d0598a0d5f5e083cb7ff24e2f7adcf
SHA256: 325b14941e79aeb570eb4062714d446f70b51db3c14fa58c5d2f90c8dafe3c3e
SHA512: 563a39c5958ae6f507e37923959a8a2608c7e9a6f338053edc142d8038849043c6050df2946116876102704ff14d6b36314aca468d91a7f3279754df2aba0bc2

Filesize: 128B
MD5: a5dcc7c9c08af7dddd82be5b036a4416
SHA1: 4f998ca1526d199e355ffb435bae111a2779b994
SHA256: e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
SHA512: 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Filesize: 500B
MD5: cd991a60e00c49bba98089de1b56f509
SHA1: 3181283228c2285342b2244398025118846634ed
SHA256: 326247147e7f240e4ec62029ad27b0b017577ee998381c21e0862b14e5228edc
SHA512: 6118b622cda5061273ee3f9f60d175449f0b69a09e81d74baf47e17148473fe4ae924b98b01a0c4aca4dc3daf7d57c1e3c029d954aba858f2a15043f10747ba9

Filesize: 8KB (listed four times with identical hashes)
MD5: 56da270bbd70f986ca0ffe23d904986f
SHA1: ce0c63d9da9e6812000d1bc2723161d2f9f09429
SHA256: 555726bb227402ace35ec78cb0812b6fc53fd998994e650a910318407eb2012f
SHA512: 2ca827860820165af0f6b0f4b407c91d34c995046f574ca1921d058f8f383cf8e643d048295bc433616714c870d9039a1f582bc30e9be7d3a49a117a600a1cc6

Filesize: 631KB (listed twice with identical hashes; same MD5, SHA1, SHA256 and SHA512 as the submitted sample)
MD5: 760c7ab3a4fef37d342cae926c2a035f
SHA1: a60e42682cf18b4a40446657c36c21a650b39d8e
SHA256: 5ef6194fb3933d672ef6eabfe3d5dcac757ad90cb60b843f6b1d51b869e1c67e
SHA512: 4e3def883030f7e41db6df960d0f2f7d65e4cacf8668fef95cb1eececcffe1a355665ff4961fc75df4eacd8e0472310790c35d0e7b75d2a1ea406fd0f9757f31

The report gives no paths for these entries. The two 631KB copies carry the submitted sample's hashes, which is consistent with the dropped BsBhvScan.exe and bthserv.exe being straight copies of the sample, but that cannot be confirmed from this page alone; the client.exe written under Program Files (x86) is not identifiable among these hashes either, so hunt on the paths and the task name rather than on the dropped-file hashes.