Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
21-10-2022 19:12
Static task
static1
Behavioral task
behavioral1
Sample
03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe
Resource
win10v2004-20220901-en
General
-
Target
03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe
-
Size
225KB
-
MD5
7698bebc450e6133f1f4c11764651b10
-
SHA1
9927ab3e8c0ee56ccbcb1f93d5f0376966f26e15
-
SHA256
03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db
-
SHA512
0b8ded747b2eb249d686592b5b8ed162915ab3218c5d61096a1ac66b87a926f0ff9ed73ad382c81721e0b5a8bfea4fc0254e76449870c1d7c357ae67c0e63f0d
-
SSDEEP
3072:5U4f+fkjZt7fF0L2vMCDiu0Y8RxwLRMcR9aBeWvfxLWDwZeWJ2NJucbPvJ1nlYZU:51i+f3uBmLbR9JWJWYJYJuEvPrl6
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\650577\\repair.exe\"" repair.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" repair.exe -
Executes dropped EXE 1 IoCs
pid Process 3972 repair.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Mechanic = "\"C:\\ProgramData\\650577\\repair.exe\"" repair.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\clientsvr.exe repair.exe File created C:\Windows\SysWOW64\clientsvr.exe repair.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 4796 03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe 4796 03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe 3972 repair.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4796 03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3972 repair.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3972 repair.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4796 wrote to memory of 3972 4796 03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe 86 PID 4796 wrote to memory of 3972 4796 03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe 86 PID 4796 wrote to memory of 3972 4796 03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe 86 PID 3972 wrote to memory of 4796 3972 repair.exe 81 PID 3972 wrote to memory of 4796 3972 repair.exe 81 PID 3972 wrote to memory of 4796 3972 repair.exe 81 PID 3972 wrote to memory of 4796 3972 repair.exe 81 PID 3972 wrote to memory of 4796 3972 repair.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe"C:\Users\Admin\AppData\Local\Temp\03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\ProgramData\650577\repair.exe"C:\ProgramData\650577\repair.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3972
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
225KB
MD57698bebc450e6133f1f4c11764651b10
SHA19927ab3e8c0ee56ccbcb1f93d5f0376966f26e15
SHA25603ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db
SHA5120b8ded747b2eb249d686592b5b8ed162915ab3218c5d61096a1ac66b87a926f0ff9ed73ad382c81721e0b5a8bfea4fc0254e76449870c1d7c357ae67c0e63f0d
-
Filesize
225KB
MD57698bebc450e6133f1f4c11764651b10
SHA19927ab3e8c0ee56ccbcb1f93d5f0376966f26e15
SHA25603ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db
SHA5120b8ded747b2eb249d686592b5b8ed162915ab3218c5d61096a1ac66b87a926f0ff9ed73ad382c81721e0b5a8bfea4fc0254e76449870c1d7c357ae67c0e63f0d