Analysis
max time kernel: 170s
max time network: 102s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20-10-2022 20:55
Static task: static1
Behavioral task: behavioral1
  Sample: ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
  Resource: win10v2004-20220812-en
General
Target: ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
Size: 1.3MB
MD5: 80af64b3c090e36be9a8844c51d1c460
SHA1: 0c6fbc16668df5773f4d8ea8ae5cd84538d561d5
SHA256: ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb
SHA512: f3bc54bbbf7b843e3eacce5520d643c8584415f01bc5bdcd02a3b5aaf977e70e3755673feabbd1a8d68c1e396ba0e9e22d9957657f9cd3065e7102f9cca27bea
SSDEEP: 24576:ftb20pkaCqT5TBWgNQ7aPA5Hp3njAceNBjsytM1+VAfQpx6A:cVg5tQ7aPCHp3E5YgqK5
Malware Config
Signatures
Luminosity
Luminosity is a RAT family that was on sale while claiming to be a system administration utility.
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | helper.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\246981\\helper.exe\"" | helper.exe
Executes dropped EXE (3 IoCs)
pid | Process
536 | helper.exe
676 | helper.exe
1812 | helper.exe
Loads dropped DLL (1 IoCs)
pid | Process
1232 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Computer Helper = "\"C:\\ProgramData\\246981\\helper.exe\"" | helper.exe
AutoIT Executable (4 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0007000000013300-76.dat | autoit_exe
behavioral1/files/0x0007000000013300-78.dat | autoit_exe
behavioral1/files/0x0007000000013300-80.dat | autoit_exe
behavioral1/files/0x0007000000013300-82.dat | autoit_exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\clientsvr.exe | helper.exe
File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | helper.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2020 set thread context of 1232 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 33
PID 536 set thread context of 1812 | 536 | helper.exe | 37
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
536 | helper.exe
1812 | helper.exe
1812 | helper.exe
Suspicious behavior: RenamesItself (3 IoCs)
pid | Process
2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
1232 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1812 | helper.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1812 | helper.exe
Suspicious use of WriteProcessMemory (48 IoCs)
description | pid | Process | procid_target
PID 2020 wrote to memory of 1972 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 28
PID 2020 wrote to memory of 1972 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 28
PID 2020 wrote to memory of 1972 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 28
PID 2020 wrote to memory of 1972 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 28
PID 2020 wrote to memory of 1004 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 29
PID 2020 wrote to memory of 1004 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 29
PID 2020 wrote to memory of 1004 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 29
PID 2020 wrote to memory of 1004 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 29
PID 2020 wrote to memory of 612 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 30
PID 2020 wrote to memory of 612 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 30
PID 2020 wrote to memory of 612 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 30
PID 2020 wrote to memory of 612 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 30
PID 2020 wrote to memory of 1460 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 31
PID 2020 wrote to memory of 1460 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 31
PID 2020 wrote to memory of 1460 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 31
PID 2020 wrote to memory of 1460 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 31
PID 2020 wrote to memory of 1208 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 32
PID 2020 wrote to memory of 1208 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 32
PID 2020 wrote to memory of 1208 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 32
PID 2020 wrote to memory of 1208 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 32
PID 2020 wrote to memory of 1232 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 33
PID 2020 wrote to memory of 1232 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 33
PID 2020 wrote to memory of 1232 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 33
PID 2020 wrote to memory of 1232 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 33
PID 2020 wrote to memory of 1232 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 33
PID 2020 wrote to memory of 1232 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 33
PID 2020 wrote to memory of 1232 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 33
PID 2020 wrote to memory of 1232 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 33
PID 2020 wrote to memory of 1232 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 33
PID 2020 wrote to memory of 1232 | 2020 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 33
PID 1232 wrote to memory of 536 | 1232 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 35
PID 1232 wrote to memory of 536 | 1232 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 35
PID 1232 wrote to memory of 536 | 1232 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 35
PID 1232 wrote to memory of 536 | 1232 | ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe | 35
PID 536 wrote to memory of 676 | 536 | helper.exe | 36
PID 536 wrote to memory of 676 | 536 | helper.exe | 36
PID 536 wrote to memory of 676 | 536 | helper.exe | 36
PID 536 wrote to memory of 676 | 536 | helper.exe | 36
PID 536 wrote to memory of 1812 | 536 | helper.exe | 37
PID 536 wrote to memory of 1812 | 536 | helper.exe | 37
PID 536 wrote to memory of 1812 | 536 | helper.exe | 37
PID 536 wrote to memory of 1812 | 536 | helper.exe | 37
PID 536 wrote to memory of 1812 | 536 | helper.exe | 37
PID 536 wrote to memory of 1812 | 536 | helper.exe | 37
PID 536 wrote to memory of 1812 | 536 | helper.exe | 37
PID 536 wrote to memory of 1812 | 536 | helper.exe | 37
PID 536 wrote to memory of 1812 | 536 | helper.exe | 37
PID 536 wrote to memory of 1812 | 536 | helper.exe | 37
Processes
C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe (PID 2020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe (PID 1972)
    Command line: C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
  C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe (PID 1004)
    Command line: C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
  C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe (PID 612)
    Command line: C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
  C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe (PID 1460)
    Command line: C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
  C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe (PID 1208)
    Command line: C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
  C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe (PID 1232)
    Command line: C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
    - Loads dropped DLL
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\246981\helper.exe (PID 536)
      Command line: "C:\ProgramData\246981\helper.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\ProgramData\246981\helper.exe (PID 676)
        Command line: C:\ProgramData\246981\helper.exe
        - Executes dropped EXE
      C:\ProgramData\246981\helper.exe (PID 1812)
        Command line: C:\ProgramData\246981\helper.exe
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.3MB
MD5: 80af64b3c090e36be9a8844c51d1c460
SHA1: 0c6fbc16668df5773f4d8ea8ae5cd84538d561d5
SHA256: ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb
SHA512: f3bc54bbbf7b843e3eacce5520d643c8584415f01bc5bdcd02a3b5aaf977e70e3755673feabbd1a8d68c1e396ba0e9e22d9957657f9cd3065e7102f9cca27bea
C:\Users\Admin\AppData\Local\Temp\ca3e806d6d5d39b9d7eb79faaae309c5a2c129719c161fa0e0a99fd6e04a26eb.exe
Filesize: 104KB
MD5: 42ccd69a3be9618d329de0ea0fde3a81
SHA1: 47e9897f303496eb9cd5883f9cdb283b6eee65d3
SHA256: 14137fcc8697e967b251fd0fafbdf79af8db4c1a67f2eafe53756e3ad80a9bef
SHA512: 33d95b20ce606441c89dbc575c8e884196a19db056ffd9d54a5e0c57f3928b0d064b6270e4abf033046606e0456156faba3f3a8e6a353e924a7461e61e46bfae