Analysis

  • max time kernel
    147s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-10-2022 23:33

General

  • Target

    3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130.exe

  • Size

    222KB

  • MD5

    6a3bdf1d8367c7a0f89a57b5a5e59c50

  • SHA1

    4c78f1c1ebecc5877fb60cebc99c26c04284c226

  • SHA256

    3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130

  • SHA512

    cd27703b64a41630c4b4189c4730a87c5ac4ba6fc79d55610dc77024c62986f7579770594bbfbbb4ac715fada73768c50de59348f3b7da41a418955b10a819c2

  • SSDEEP

    3072:8U4f+fkjZt7fF0L2vMCDiu0Y8RxwLRMcR9aBeWvfxLWDwHeWJ2NJucbPvJ1nlYZC:81i+f3uBmLbR9JWJWmJYJuEvPr

Malware Config

Signatures

  • Luminosity

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130.exe
    "C:\Users\Admin\AppData\Local\Temp\3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\ProgramData\868744\Teamspeak Plugin.exe
      "C:\ProgramData\868744\Teamspeak Plugin.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:960

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\868744\Teamspeak Plugin.exe

    Filesize

    222KB

    MD5

    6a3bdf1d8367c7a0f89a57b5a5e59c50

    SHA1

    4c78f1c1ebecc5877fb60cebc99c26c04284c226

    SHA256

    3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130

    SHA512

    cd27703b64a41630c4b4189c4730a87c5ac4ba6fc79d55610dc77024c62986f7579770594bbfbbb4ac715fada73768c50de59348f3b7da41a418955b10a819c2

  • C:\ProgramData\868744\Teamspeak Plugin.exe

    Filesize

    222KB

    MD5

    6a3bdf1d8367c7a0f89a57b5a5e59c50

    SHA1

    4c78f1c1ebecc5877fb60cebc99c26c04284c226

    SHA256

    3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130

    SHA512

    cd27703b64a41630c4b4189c4730a87c5ac4ba6fc79d55610dc77024c62986f7579770594bbfbbb4ac715fada73768c50de59348f3b7da41a418955b10a819c2

  • \ProgramData\868744\Teamspeak Plugin.exe

    Filesize

    222KB

    MD5

    6a3bdf1d8367c7a0f89a57b5a5e59c50

    SHA1

    4c78f1c1ebecc5877fb60cebc99c26c04284c226

    SHA256

    3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130

    SHA512

    cd27703b64a41630c4b4189c4730a87c5ac4ba6fc79d55610dc77024c62986f7579770594bbfbbb4ac715fada73768c50de59348f3b7da41a418955b10a819c2

  • \ProgramData\868744\Teamspeak Plugin.exe

    Filesize

    222KB

    MD5

    6a3bdf1d8367c7a0f89a57b5a5e59c50

    SHA1

    4c78f1c1ebecc5877fb60cebc99c26c04284c226

    SHA256

    3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130

    SHA512

    cd27703b64a41630c4b4189c4730a87c5ac4ba6fc79d55610dc77024c62986f7579770594bbfbbb4ac715fada73768c50de59348f3b7da41a418955b10a819c2

  • memory/960-63-0x00000000744F0000-0x0000000074A9B000-memory.dmp

    Filesize

    5.7MB

  • memory/960-64-0x00000000744F0000-0x0000000074A9B000-memory.dmp

    Filesize

    5.7MB

  • memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

    Filesize

    8KB

  • memory/1672-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp

    Filesize

    5.7MB

  • memory/1672-62-0x00000000744F0000-0x0000000074A9B000-memory.dmp

    Filesize

    5.7MB

  • memory/1672-65-0x0000000000710000-0x0000000000727000-memory.dmp

    Filesize

    92KB

  • memory/1672-72-0x0000000000710000-0x0000000000727000-memory.dmp

    Filesize

    92KB

  • memory/1672-74-0x0000000000710000-0x0000000000727000-memory.dmp

    Filesize

    92KB

  • memory/1672-75-0x00000000744F0000-0x0000000074A9B000-memory.dmp

    Filesize

    5.7MB