Analysis
- max time kernel: 147s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2022 23:33

Static task: static1

Behavioral task: behavioral1
- Sample: 3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130.exe
- Resource: win10v2004-20220901-en
General
- Target: 3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130.exe
- Size: 222KB
- MD5: 6a3bdf1d8367c7a0f89a57b5a5e59c50
- SHA1: 4c78f1c1ebecc5877fb60cebc99c26c04284c226
- SHA256: 3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130
- SHA512: cd27703b64a41630c4b4189c4730a87c5ac4ba6fc79d55610dc77024c62986f7579770594bbfbbb4ac715fada73768c50de59348f3b7da41a418955b10a819c2
- SSDEEP: 3072:8U4f+fkjZt7fF0L2vMCDiu0Y8RxwLRMcR9aBeWvfxLWDwHeWJ2NJucbPvJ1nlYZC:81i+f3uBmLbR9JWJWmJYJuEvPr
Malware Config

Signatures

Luminosity
Luminosity (also sold as LuminosityLink) is a RAT family that was sold commercially while being marketed as a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" (Process: Teamspeak Plugin.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\868744\\Teamspeak Plugin.exe\"" (Process: Teamspeak Plugin.exe)
Note the WoW64 redirection visible in these IoCs: the 32-bit process's Userinit write landed in the Wow6432Node view of HKLM and its file drop landed in SysWOW64 (see "Drops file in System32 directory" below), while the Userinit value itself names the native C:\Windows\system32 path.

Executes dropped EXE (1 IoC)
- PID 960: Teamspeak Plugin.exe

Loads dropped DLL (2 IoCs)
- PID 1672: 3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130.exe (2 events)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Teamspeak Plugin = "\"C:\\ProgramData\\868744\\Teamspeak Plugin.exe\"" (Process: Teamspeak Plugin.exe)

Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\clientsvr.exe (Process: Teamspeak Plugin.exe)
- File opened for modification: C:\Windows\SysWOW64\clientsvr.exe (Process: Teamspeak Plugin.exe)
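The Winlogon Userinit/Shell and RunOnce IoCs above are the artefacts a responder would want to sweep other hosts for. The script below is an added example written for this page, not code from the sandbox, the report or the malware: it splits Userinit/Shell values the way Winlogon delimits them (comma-separated, with double-quoted paths allowed so "Teamspeak Plugin.exe" with its space survives), compares the entries against the Windows default values, flags Run/RunOnce commands whose image lives under a user-writable root, and, when run on a Windows host, reads both the native 64-bit view and the Wow6432Node view of the HKLM key plus HKCU, which matters here because the sample's writes landed in the 32-bit view. The baseline values, the list of user-writable roots and the decision to tolerate a bare `userinit.exe` entry are assumptions of the example; the sample registry strings are the report's IoCs with the report's escaping removed.

```python
"""Flag non-default Winlogon Userinit/Shell entries and suspicious Run/RunOnce
commands, from strings (e.g. sandbox IoCs) or from a live Windows registry.
Added example for this report page; not part of the sandbox or the sample."""
import sys
from typing import Dict, List

# Clean Winlogon defaults (Windows 7/10), compared case-insensitively.
# Assumption: a bare "userinit.exe" is tolerated so the appended binary stands out.
WINLOGON_BASELINE = {
    "userinit": {"c:\\windows\\system32\\userinit.exe", "userinit.exe"},
    "shell": {"explorer.exe"},
}

# Launch roots a legitimate autostart rarely uses (heuristic assumption, not an
# allow-list); a Run/RunOnce image under one of these is flagged.
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")


def split_winlogon_value(value: str) -> List[str]:
    """Split a comma-separated Winlogon value into entries, honouring double
    quotes so paths containing spaces or commas survive intact."""
    entries, buf, in_quote = [], [], False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote          # quotes delimit and are dropped
        elif ch == "," and not in_quote:
            entries.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    entries.append("".join(buf).strip())
    return [e for e in entries if e]        # the default Userinit ends in a comma


def unexpected_winlogon_entries(name: str, value: str) -> List[str]:
    """Return the entries of a Userinit/Shell value that are not in the baseline."""
    allowed = WINLOGON_BASELINE[name.lower()]
    return [e for e in split_winlogon_value(value) if e.lower() not in allowed]


def command_image(command: str) -> str:
    """Extract the executable path from a Run/RunOnce command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_suspicious_autorun(command: str) -> bool:
    """True when the autostart image lives under a user-writable root."""
    image = command_image(command).lower()
    return any(root in image for root in USER_WRITABLE_ROOTS)


def live_winlogon_findings() -> Dict[str, List[str]]:
    """On Windows, read Userinit/Shell from the native 64-bit HKLM view, the
    Wow6432Node (32-bit) view and HKCU, returning non-baseline entries per
    location.  Returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    sub = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    views = [
        ("HKLM (64-bit view)", winreg.HKEY_LOCAL_MACHINE, winreg.KEY_WOW64_64KEY),
        ("HKLM (Wow6432Node view)", winreg.HKEY_LOCAL_MACHINE, winreg.KEY_WOW64_32KEY),
        ("HKCU", winreg.HKEY_CURRENT_USER, 0),
    ]
    findings: Dict[str, List[str]] = {}
    for label, hive, flag in views:
        try:
            with winreg.OpenKey(hive, sub, 0, winreg.KEY_READ | flag) as key:
                for name in ("Userinit", "Shell"):
                    try:
                        value, _ = winreg.QueryValueEx(key, name)
                    except FileNotFoundError:
                        continue            # HKCU normally carries neither value
                    extra = unexpected_winlogon_entries(name, value)
                    if extra:
                        findings[label + "\\" + name] = extra
        except FileNotFoundError:
            continue
    return findings


# Registry values written by the sample in this report (report escaping removed).
REPORT_USERINIT = r'userinit.exe,"C:\Windows\system32\clientsvr.exe"'
REPORT_SHELL = r'explorer.exe,"C:\ProgramData\868744\Teamspeak Plugin.exe"'
REPORT_RUNONCE = r'"C:\ProgramData\868744\Teamspeak Plugin.exe"'
# Constructed clean defaults for comparison.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"
DEFAULT_SHELL = "explorer.exe"

if __name__ == "__main__":
    print("Userinit extras:", unexpected_winlogon_entries("Userinit", REPORT_USERINIT))
    print("Shell extras:", unexpected_winlogon_entries("Shell", REPORT_SHELL))
    print("RunOnce suspicious:", is_suspicious_autorun(REPORT_RUNONCE))
    print("Live findings:", live_winlogon_findings())
```

Run with no arguments: the two report values each yield exactly one unexpected entry (clientsvr.exe and Teamspeak Plugin.exe), the default values yield none, and the RunOnce command is flagged because its image sits under C:\ProgramData. Checking both HKLM views separately is the point of the live function; a check that reads only the native view would miss the Userinit modification recorded in this report.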
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic heuristic labels this as likely ransomware behaviour; in this report the behaviour comes from a RAT, so read it as drive enumeration rather than as evidence of file encryption.

Suspicious behavior: EnumeratesProcesses (7 IoCs)
- PID 960: Teamspeak Plugin.exe (6 events)
- PID 1672: 3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130.exe (1 event)

Suspicious behavior: RenamesItself (1 IoC)
- PID 1672: 3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 960, Teamspeak Plugin.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 960: Teamspeak Plugin.exe

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 1672 wrote to memory of 960, 4 events (Process: 3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130.exe, procid_target: 28)
- PID 960 wrote to memory of 1672, 5 events (Process: Teamspeak Plugin.exe, procid_target: 26)
Processes
- C:\Users\Admin\AppData\Local\Temp\3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130.exe (PID 1672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\868744\Teamspeak Plugin.exe (PID 960, child of PID 1672)
    Command line: "C:\ProgramData\868744\Teamspeak Plugin.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
Four artefacts listed for this run share the following hashes, identical to the submitted sample:
- Filesize: 222KB
- MD5: 6a3bdf1d8367c7a0f89a57b5a5e59c50
- SHA1: 4c78f1c1ebecc5877fb60cebc99c26c04284c226
- SHA256: 3c25d30d67337013406e7155b35ee19fb646af4e46e437e940aae8c08d8ca130
- SHA512: cd27703b64a41630c4b4189c4730a87c5ac4ba6fc79d55610dc77024c62986f7579770594bbfbbb4ac715fada73768c50de59348f3b7da41a418955b10a819c2