Analysis
-
max time kernel
189s -
max time network
194s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
13-10-2022 17:09
General
-
Target
76197d7e8b5862d215563cded0ac38354a27306b69ffca8e451d7369abc088e7.exe
-
Size
248KB
-
MD5
79ba3a3666976d7b8c14ec98c7a2bed0
-
SHA1
b7607e097c70dcb5e96df839b1eeb8c3c240133f
-
SHA256
76197d7e8b5862d215563cded0ac38354a27306b69ffca8e451d7369abc088e7
-
SHA512
e8fd1b0130d166130a4fb4ad062066784453dff17afd4da0cbd09669abd497c98816c3cecb9fd9f5729845004922fa89fb785a6244e6586d59f1fbb3199295ec
-
SSDEEP
3072:KU4f+fkjZt7fF0L2vMCDiu0Y8RxwLRMcR9aBeWvfxLWDwjeWJ2NJucbPvJ1nlYZC:K1i+f3uBmLbR9JWJWqJYJuEvPr
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\76197d7e8b5862d215563cded0ac38354a27306b69ffca8e451d7369abc088e7.exe"C:\Users\Admin\AppData\Local\Temp\76197d7e8b5862d215563cded0ac38354a27306b69ffca8e451d7369abc088e7.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\446814\sysmon.exe"C:\ProgramData\446814\sysmon.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
248KB
MD579ba3a3666976d7b8c14ec98c7a2bed0
SHA1b7607e097c70dcb5e96df839b1eeb8c3c240133f
SHA25676197d7e8b5862d215563cded0ac38354a27306b69ffca8e451d7369abc088e7
SHA512e8fd1b0130d166130a4fb4ad062066784453dff17afd4da0cbd09669abd497c98816c3cecb9fd9f5729845004922fa89fb785a6244e6586d59f1fbb3199295ec
-
Filesize
248KB
MD579ba3a3666976d7b8c14ec98c7a2bed0
SHA1b7607e097c70dcb5e96df839b1eeb8c3c240133f
SHA25676197d7e8b5862d215563cded0ac38354a27306b69ffca8e451d7369abc088e7
SHA512e8fd1b0130d166130a4fb4ad062066784453dff17afd4da0cbd09669abd497c98816c3cecb9fd9f5729845004922fa89fb785a6244e6586d59f1fbb3199295ec
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
5.7MB