Overview

overview

10

Static

static

1370288057...f2.exe

windows7-x64

10

1370288057...f2.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2022 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    137028805716af9899e2052184800cf04663821b636c99dc7e2f5b597133ddf2.exe

  • Size

    222KB

  • MD5

    0c4a1cf69322ae92ec30940d0bd71310

  • SHA1

    79f429078d912e42fbd0cd98e62ffdcee5618a28

  • SHA256

    137028805716af9899e2052184800cf04663821b636c99dc7e2f5b597133ddf2

  • SHA512

    500ee0d98a2136870dc3d9c527d57233ced08e7a39f3b969dbba12ee7cc0c2dc6cebde0c9b4404032660e8a5dde48dccb18facdb8d942d7be753b123c18f2328

  • SSDEEP

    3072:8U4f+fkjZt7fF0L2vMCDiu0Y8RxwLRMcR9aBeWvfxLWDwceWJ2NJucbPvJ1nlYZC:81i+f3uBmLbR9JWJW5JYJuEvPr

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\137028805716af9899e2052184800cf04663821b636c99dc7e2f5b597133ddf2.exe
    "C:\Users\Admin\AppData\Local\Temp\137028805716af9899e2052184800cf04663821b636c99dc7e2f5b597133ddf2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\ProgramData\569263\client.exe
      "C:\ProgramData\569263\client.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1700

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\569263\client.exe
    Filesize

    222KB

    MD5

    0c4a1cf69322ae92ec30940d0bd71310

    SHA1

    79f429078d912e42fbd0cd98e62ffdcee5618a28

    SHA256

    137028805716af9899e2052184800cf04663821b636c99dc7e2f5b597133ddf2

    SHA512

    500ee0d98a2136870dc3d9c527d57233ced08e7a39f3b969dbba12ee7cc0c2dc6cebde0c9b4404032660e8a5dde48dccb18facdb8d942d7be753b123c18f2328

    Download Submit

  • C:\ProgramData\569263\client.exe
    Filesize

    222KB

    MD5

    0c4a1cf69322ae92ec30940d0bd71310

    SHA1

    79f429078d912e42fbd0cd98e62ffdcee5618a28

    SHA256

    137028805716af9899e2052184800cf04663821b636c99dc7e2f5b597133ddf2

    SHA512

    500ee0d98a2136870dc3d9c527d57233ced08e7a39f3b969dbba12ee7cc0c2dc6cebde0c9b4404032660e8a5dde48dccb18facdb8d942d7be753b123c18f2328

    Download Submit

  • \ProgramData\569263\client.exe
    Filesize

    222KB

    MD5

    0c4a1cf69322ae92ec30940d0bd71310

    SHA1

    79f429078d912e42fbd0cd98e62ffdcee5618a28

    SHA256

    137028805716af9899e2052184800cf04663821b636c99dc7e2f5b597133ddf2

    SHA512

    500ee0d98a2136870dc3d9c527d57233ced08e7a39f3b969dbba12ee7cc0c2dc6cebde0c9b4404032660e8a5dde48dccb18facdb8d942d7be753b123c18f2328

    Download Submit

  • \ProgramData\569263\client.exe
    Filesize

    222KB

    MD5

    0c4a1cf69322ae92ec30940d0bd71310

    SHA1

    79f429078d912e42fbd0cd98e62ffdcee5618a28

    SHA256

    137028805716af9899e2052184800cf04663821b636c99dc7e2f5b597133ddf2

    SHA512

    500ee0d98a2136870dc3d9c527d57233ced08e7a39f3b969dbba12ee7cc0c2dc6cebde0c9b4404032660e8a5dde48dccb18facdb8d942d7be753b123c18f2328

    Download Submit

  • memory/1468-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1468-55-0x0000000074F30000-0x00000000754DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1468-63-0x0000000074F30000-0x00000000754DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1468-65-0x0000000074F30000-0x00000000754DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1700-58-0x0000000000000000-mapping.dmp

    Download

  • memory/1700-62-0x0000000074F30000-0x00000000754DB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1700-64-0x0000000074F30000-0x00000000754DB000-memory.dmp

    Filesize

    5.7MB

    Download