Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-10-2022 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: 9f59250b4a03bce4e6aca0b006b5616bd3a858dd3ed7dfb6dddc28c1ff4cf3df.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 9f59250b4a03bce4e6aca0b006b5616bd3a858dd3ed7dfb6dddc28c1ff4cf3df.exe
  Resource: win10v2004-20220812-en
General
- Target: 9f59250b4a03bce4e6aca0b006b5616bd3a858dd3ed7dfb6dddc28c1ff4cf3df.exe
- Size: 248KB
- MD5: 4ac08c2772f3b5f15124e72b7a8bd480
- SHA1: 9816c7327db73b374bd5f215c35db4f4e0c58d10
- SHA256: 9f59250b4a03bce4e6aca0b006b5616bd3a858dd3ed7dfb6dddc28c1ff4cf3df
- SHA512: 746d6be247dffa98359fdbe4c0c7be05493480d6668c905bb19c2249eac8bd61e3248b7d2abcdadf47897e45310181d08a4976eca7142f46aa9cd89982fd0185
- SSDEEP: 3072:KU4f+fkjZt7fF0L2vMCDiu0Y8RxwLRMcR9aBeWvfxLWDw0eWJ2NJucbPvJ1nlYZC:K1i+f3uBmLbR9JWJWZJYJuEvPr
Malware Config
Signatures
- Luminosity
  Luminosity is a RAT family that was on sale while claiming to be a system administration utility.

- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str), process repair.exe:
    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\411890\\repair.exe\""
  Set value (str), process repair.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""

- Executes dropped EXE (1 IoC)
  PID 4336, process repair.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried, process 9f59250b4a03bce4e6aca0b006b5616bd3a858dd3ed7dfb6dddc28c1ff4cf3df.exe:
    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str), process repair.exe:
    \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Mechanic = "\"C:\\ProgramData\\411890\\repair.exe\""

- Drops file in System32 directory (2 IoCs)
  File created, process repair.exe: C:\Windows\SysWOW64\clientsvr.exe
  File opened for modification, process repair.exe: C:\Windows\SysWOW64\clientsvr.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4336, process repair.exe (all entries except the two below)
  PID 2144, process 9f59250b4a03bce4e6aca0b006b5616bd3a858dd3ed7dfb6dddc28c1ff4cf3df.exe (2 entries)

- Suspicious behavior: RenamesItself (1 IoC)
  PID 2144, process 9f59250b4a03bce4e6aca0b006b5616bd3a858dd3ed7dfb6dddc28c1ff4cf3df.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4336, process repair.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4336, process repair.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2144 (9f59250b4a03bce4e6aca0b006b5616bd3a858dd3ed7dfb6dddc28c1ff4cf3df.exe) wrote to memory of PID 4336, procid_target 81 (3 entries)
  PID 4336 (repair.exe) wrote to memory of PID 2144, procid_target 80 (5 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\9f59250b4a03bce4e6aca0b006b5616bd3a858dd3ed7dfb6dddc28c1ff4cf3df.exe (PID 2144)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f59250b4a03bce4e6aca0b006b5616bd3a858dd3ed7dfb6dddc28c1ff4cf3df.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\411890\repair.exe (child process, PID 4336)
    Command line: "C:\ProgramData\411890\repair.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 248KB
  MD5: 4ac08c2772f3b5f15124e72b7a8bd480
  SHA1: 9816c7327db73b374bd5f215c35db4f4e0c58d10
  SHA256: 9f59250b4a03bce4e6aca0b006b5616bd3a858dd3ed7dfb6dddc28c1ff4cf3df
  SHA512: 746d6be247dffa98359fdbe4c0c7be05493480d6668c905bb19c2249eac8bd61e3248b7d2abcdadf47897e45310181d08a4976eca7142f46aa9cd89982fd0185