Analysis
max time kernel: 152s
max time network: 158s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2022 19:52
Static task: static1
Behavioral task: behavioral1
  Sample: 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe
  Resource: win10v2004-20220901-en
General
Target: 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe
Size: 168KB
MD5: aa7814ec18864f0b90a1100a624cb1fd
SHA1: 81f5af5bb7b98d4f4901330aadce275cf8529453
SHA256: 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c
SHA512: 7e91a074fe75c9629148a77897afac05433d0e5d99d30683e0c60f58a840002b1c309c5623ab0d862f7b52bdb8be41cd2e0b3ebc14235cad2a65985214a6f288
SSDEEP: 3072:bk5zdU9Qy3RDAMx4k3HeSUNz2Pbjc7bN5nzI9CUTjcqyCKGBp2gGrND0GU:w5zd8RDr6zSAqPbjMbnzpWIqvKGtg
Malware Config
Signatures
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\862021\\explorer.exe\"" | explorer.exe

Executes dropped EXE (2 IoCs)
pid | Process
1948 | explorer.exe
808 | explorer.exe

Loads dropped DLL (2 IoCs)
pid | Process
740 | 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe
740 | 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\explorer = "\"C:\\ProgramData\\862021\\explorer.exe\"" | explorer.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\clientsvr.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | explorer.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2020 set thread context of 740 | 2020 | 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe | 26
PID 1948 set thread context of 808 | 1948 | explorer.exe | 29
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2020 | 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe
1948 | explorer.exe
808 | explorer.exe

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
740 | 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2020 | 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe
Token: SeDebugPrivilege | 1948 | explorer.exe
Token: SeDebugPrivilege | 808 | explorer.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
808 | explorer.exe

Suspicious use of WriteProcessMemory (22 IoCs; identical rows collapsed with their count)
description | pid | Process | procid_target | entries
PID 2020 wrote to memory of 740 | 2020 | 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe | 26 | 9
PID 740 wrote to memory of 1948 | 740 | 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe | 28 | 4
PID 1948 wrote to memory of 808 | 1948 | explorer.exe | 29 | 9
Processes (tree; each entry is a child of the one above it)

[1] C:\Users\Admin\AppData\Local\Temp\8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe  (PID 2020)
    command line: "C:\Users\Admin\AppData\Local\Temp\8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe  (PID 740)
      command line: "C:\Users\Admin\AppData\Local\Temp\8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c.exe"
      - Loads dropped DLL
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory

    [3] C:\ProgramData\862021\explorer.exe  (PID 1948)
        command line: "C:\ProgramData\862021\explorer.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\ProgramData\862021\explorer.exe  (PID 808)
          command line: "C:\ProgramData\862021\explorer.exe"
          - Modifies WinLogon for persistence
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 168KB
MD5: aa7814ec18864f0b90a1100a624cb1fd
SHA1: 81f5af5bb7b98d4f4901330aadce275cf8529453
SHA256: 8f9828956b3a0894dfe5fdd3f0e9ca5919f30f6a9eedb8c52b818808c757f72c
SHA512: 7e91a074fe75c9629148a77897afac05433d0e5d99d30683e0c60f58a840002b1c309c5623ab0d862f7b52bdb8be41cd2e0b3ebc14235cad2a65985214a6f288