Analysis
max time kernel: 151s
max time network: 159s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 01:47
Static task: static1
Behavioral task: behavioral1
Sample: c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
Resource: win10v2004-20220901-en
General
Target: c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
Size: 169KB
MD5: 418d0256f14d3f9b015ec27212ce3780
SHA1: 8fcc57804cfef696487ed168aeb1aaae979642b4
SHA256: c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289
SHA512: dec392c2a931258389f41b8f9d76256ef56a196f86491a6713360442dfa5f66118d8861066738849445e83c22e51944608ea5aaad0ef433bbc97b23ebd6ba97a
SSDEEP: 3072:2mpoVuPJRNCcCn2W5Y/8hFJm9SMQ1Fdl1SVExPedn4TZJg8dbSjjyxbkjM9:oP7zE974FdEWwC3xbGM
Malware Config
Signatures
Luminosity
Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | repair.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\791146\\repair.exe\"" | repair.exe

Executes dropped EXE (2 IoCs)
pid | Process
600 | repair.exe
776 | repair.exe

Loads dropped DLL (2 IoCs)
pid | Process
960 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
960 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Mechanic = "\"C:\\ProgramData\\791146\\repair.exe\"" | repair.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\clientsvr.exe | repair.exe
File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | repair.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1632 set thread context of 960 | 1632 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 28
PID 600 set thread context of 776 | 600 | repair.exe | 31

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
1632 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
600 | repair.exe
776 | repair.exe
776 | repair.exe
776 | repair.exe
776 | repair.exe
776 | repair.exe
776 | repair.exe
776 | repair.exe

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
960 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1632 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
Token: SeDebugPrivilege | 600 | repair.exe
Token: SeDebugPrivilege | 776 | repair.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
776 | repair.exe

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 1632 wrote to memory of 960 | 1632 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 28
PID 1632 wrote to memory of 960 | 1632 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 28
PID 1632 wrote to memory of 960 | 1632 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 28
PID 1632 wrote to memory of 960 | 1632 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 28
PID 1632 wrote to memory of 960 | 1632 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 28
PID 1632 wrote to memory of 960 | 1632 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 28
PID 1632 wrote to memory of 960 | 1632 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 28
PID 1632 wrote to memory of 960 | 1632 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 28
PID 1632 wrote to memory of 960 | 1632 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 28
PID 960 wrote to memory of 600 | 960 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 30
PID 960 wrote to memory of 600 | 960 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 30
PID 960 wrote to memory of 600 | 960 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 30
PID 960 wrote to memory of 600 | 960 | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe | 30
PID 600 wrote to memory of 776 | 600 | repair.exe | 31
PID 600 wrote to memory of 776 | 600 | repair.exe | 31
PID 600 wrote to memory of 776 | 600 | repair.exe | 31
PID 600 wrote to memory of 776 | 600 | repair.exe | 31
PID 600 wrote to memory of 776 | 600 | repair.exe | 31
PID 600 wrote to memory of 776 | 600 | repair.exe | 31
PID 600 wrote to memory of 776 | 600 | repair.exe | 31
PID 600 wrote to memory of 776 | 600 | repair.exe | 31
PID 600 wrote to memory of 776 | 600 | repair.exe | 31
Processes
(process tree, indented by depth; each entry lists path, command line, PID and matched signatures)

C:\Users\Admin\AppData\Local\Temp\c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe"
PID: 1632
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe"
    PID: 960
    - Loads dropped DLL
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

        C:\ProgramData\791146\repair.exe
        Command line: "C:\ProgramData\791146\repair.exe"
        PID: 600
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

            C:\ProgramData\791146\repair.exe
            Command line: "C:\ProgramData\791146\repair.exe"
            PID: 776
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 169KB
MD5: 418d0256f14d3f9b015ec27212ce3780
SHA1: 8fcc57804cfef696487ed168aeb1aaae979642b4
SHA256: c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289
SHA512: dec392c2a931258389f41b8f9d76256ef56a196f86491a6713360442dfa5f66118d8861066738849445e83c22e51944608ea5aaad0ef433bbc97b23ebd6ba97a