Analysis
-
max time kernel
149s -
max time network
187s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
13-10-2022 18:04
Static task
static1
Behavioral task
behavioral1
Sample
5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe
Resource
win10v2004-20220901-en
General
-
Target
5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe
-
Size
222KB
-
MD5
5841268e79074fa7aa7f5832442d2920
-
SHA1
7b8aeae3f2e5e31cdf14c78625ae08529ec75f82
-
SHA256
5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb
-
SHA512
9bc9ef85208e9edd1a3a9f13c0fd00d71d0f288c329a6affbea28953ad21790120c4d6df1138d836bb09eea51de21d42c4cd7e2fab7bb651e129f5792a477201
-
SSDEEP
3072:8U4f+fkjZt7fF0L2vMCDiu0Y8RxwLRMcR9aBeWvfxLWDwueWJ2NJucbPvJ1nlYZC:81i+f3uBmLbR9JWJWTJYJuEvPr
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" client.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\852132\\client.exe\"" client.exe -
Executes dropped EXE 1 IoCs
pid Process 1452 client.exe -
Loads dropped DLL 2 IoCs
pid Process 1508 5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe 1508 5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Luminosity Client = "\"C:\\ProgramData\\852132\\client.exe\"" client.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\clientsvr.exe client.exe File opened for modification C:\Windows\SysWOW64\clientsvr.exe client.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1452 client.exe 1452 client.exe 1452 client.exe 1452 client.exe 1452 client.exe 1508 5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1508 5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1452 client.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1452 client.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1508 wrote to memory of 1452 1508 5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe 28 PID 1508 wrote to memory of 1452 1508 5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe 28 PID 1508 wrote to memory of 1452 1508 5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe 28 PID 1508 wrote to memory of 1452 1508 5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe 28 PID 1452 wrote to memory of 1508 1452 client.exe 14 PID 1452 wrote to memory of 1508 1452 client.exe 14 PID 1452 wrote to memory of 1508 1452 client.exe 14 PID 1452 wrote to memory of 1508 1452 client.exe 14 PID 1452 wrote to memory of 1508 1452 client.exe 14
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe"C:\Users\Admin\AppData\Local\Temp\5c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\ProgramData\852132\client.exe"C:\ProgramData\852132\client.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
222KB
MD55841268e79074fa7aa7f5832442d2920
SHA17b8aeae3f2e5e31cdf14c78625ae08529ec75f82
SHA2565c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb
SHA5129bc9ef85208e9edd1a3a9f13c0fd00d71d0f288c329a6affbea28953ad21790120c4d6df1138d836bb09eea51de21d42c4cd7e2fab7bb651e129f5792a477201
-
Filesize
222KB
MD55841268e79074fa7aa7f5832442d2920
SHA17b8aeae3f2e5e31cdf14c78625ae08529ec75f82
SHA2565c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb
SHA5129bc9ef85208e9edd1a3a9f13c0fd00d71d0f288c329a6affbea28953ad21790120c4d6df1138d836bb09eea51de21d42c4cd7e2fab7bb651e129f5792a477201
-
Filesize
222KB
MD55841268e79074fa7aa7f5832442d2920
SHA17b8aeae3f2e5e31cdf14c78625ae08529ec75f82
SHA2565c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb
SHA5129bc9ef85208e9edd1a3a9f13c0fd00d71d0f288c329a6affbea28953ad21790120c4d6df1138d836bb09eea51de21d42c4cd7e2fab7bb651e129f5792a477201
-
Filesize
222KB
MD55841268e79074fa7aa7f5832442d2920
SHA17b8aeae3f2e5e31cdf14c78625ae08529ec75f82
SHA2565c0824f97919d56e61c2c5995208906dbdae45d402ba51041588fa9bc8d088cb
SHA5129bc9ef85208e9edd1a3a9f13c0fd00d71d0f288c329a6affbea28953ad21790120c4d6df1138d836bb09eea51de21d42c4cd7e2fab7bb651e129f5792a477201