Analysis

- max time kernel: 147s
- max time network: 74s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-10-2022 13:06
- Static task: static1
- Behavioral task behavioral1: sample b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe, resource win7-20220812-en
- Behavioral task behavioral2: sample b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe, resource win10v2004-20220812-en

The signatures, process tree and dropped files on this page are from behavioral1 (platform windows7_x64, resource win7-20220812-en); the Windows 10 run (behavioral2) is not shown here.
General

- Target: b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe
- Size: 269KB
- MD5: ff3be7a2ec1d2452f08de1feec2deb2f
- SHA1: b842e504a0e84e44ae7b876f3543cf6f2dcae6a9
- SHA256: b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712
- SHA512: 14469a2bd770cb38f29c8db885ce4ddc10b32cbf64fb62787570cd1347d22d6c0bfb589f3524948ab50c556783970666331ce722a72770c8a7b5225cb7117db8
- SSDEEP: 6144:YltHeS9enNwHqOu5Dx7tZrRbl+pXOV7yKM+mvSFz9jEhHMIVq1rl:AtHeNn2KOiJZrRJ+0V72+19jqsIVq1B
Malware Config
Signatures

- Luminosity
  Luminosity (LuminosityLink) is a RAT family that was sold commercially while being marketed as a system-administration tool.
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str) by server.exe: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""
  Set value (str) by server.exe: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\517631\\server.exe\""
  Both values append the dropped executable after the legitimate logon component (userinit.exe, explorer.exe) so that the RAT is started at each logon of that user. Caveat for this x64 run: the recorded HKLM path contains Wow6432Node, i.e. the 32-bit sample's write was redirected into the WOW64 view of the Winlogon key, and the referenced clientsvr.exe was written to SysWOW64 (see "Drops file in System32 directory"); the native 64-bit winlogon.exe reads the un-redirected key and resolves system32 to the native directory, so on this host the Userinit entry is not the effective one. The per-user shell value was written to the real key (no Wow6432Node component in its path) and is honoured for that user. On a 32-bit host the same writes would land in the effective locations.
- Executes dropped EXE (3 IoCs)
  PID 1152 zTZLPwuOqJ.exe; PID 1884 tmp31E.tmp.exe; PID 316 server.exe
- Drops startup file (1 IoC)
  File created by b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zTZLPwuOqJ.url
  A .url (Internet shortcut) in the per-user Startup folder is opened at logon like any other Startup item, so this is a second, file-based persistence path alongside the registry changes made later by server.exe.
- Loads dropped DLL (5 IoCs)
  PID 1164 b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe; PID 1152 zTZLPwuOqJ.exe (reported twice); PID 1884 tmp31E.tmp.exe (reported twice)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by server.exe: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\microsoft update = "\"C:\\ProgramData\\517631\\server.exe\""
  Note that the key is RunOnce, not Run: Windows deletes the entry after executing it at the next logon, so it only keeps working if server.exe re-creates it on every run. The value name "microsoft update" is the lure.
- Drops file in System32 directory (2 IoCs)
  File created by server.exe: C:\Windows\SysWOW64\clientsvr.exe; File opened for modification by server.exe: C:\Windows\SysWOW64\clientsvr.exe
  The recorded location is SysWOW64, the 32-bit view of System32 that file-system redirection gives a 32-bit process on x64; the native C:\Windows\System32\clientsvr.exe referenced in the Userinit value above is not written in this run.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; nothing else on this page points to encryption activity, and the family match is a RAT, so treat that phrase as the signature's canned text rather than a finding about this sample.
- Runs ping.exe (1 TTPs, 2 IoCs)
  PID 1880 PING.EXE; PID 828 PING.EXE
  Both are "PING 8.8.8.8 -n 10 > nul" launched through cmd.exe (see Processes): ten echo requests at the default one-second spacing with the output discarded, the usual cmd-script idiom for a roughly ten-second delay before the next stage rather than a connectivity check. The destination is Google's public resolver, so the traffic itself is not a C2 indicator.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 316 server.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege for PID 1164 b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe; PID 1152 zTZLPwuOqJ.exe; PID 316 server.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 316 server.exe
  SetWindowsHookEx is the API commonly used to install keyboard hooks (keylogging), and SeDebugPrivilege is what a process needs to open other processes' memory; both are consistent with RAT functionality in the final-stage server.exe.
- Suspicious use of WriteProcessMemory (28 IoCs)
  Each write below appears four times in the raw log; it is shown once here with the sandbox's procid_target index.
  PID 1164 b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe wrote to memory of 1604 (cmd.exe), procid_target 27
  PID 1604 cmd.exe wrote to memory of 828 (PING.EXE), procid_target 29
  PID 1164 b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe wrote to memory of 1152 (zTZLPwuOqJ.exe), procid_target 30
  PID 1152 zTZLPwuOqJ.exe wrote to memory of 1588 (cmd.exe), procid_target 31
  PID 1588 cmd.exe wrote to memory of 1880 (PING.EXE), procid_target 33
  PID 1152 zTZLPwuOqJ.exe wrote to memory of 1884 (tmp31E.tmp.exe), procid_target 34
  PID 1884 tmp31E.tmp.exe wrote to memory of 316 (server.exe), procid_target 36
  Every target is the writer's own just-spawned child (compare the process tree), which is consistent with parent-to-child set-up during process creation; no write into an unrelated process is recorded.
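The following is an added example, not part of the sandbox report, showing how an incident responder can re-check a host for the persistence artefacts recorded above. The registry paths, file names and the numeric ProgramData folder pattern (generalised from "517631") come from the Signatures section; the expected Userinit and Shell strings are the stock Windows defaults. It assumes an elevated PowerShell 4 or later session on the examined host (Get-FileHash is not available in the PowerShell 2.0 that Windows 7 ships with).

```powershell
# Added example (not from the sandbox report): hunt for the Luminosity
# persistence artefacts listed in the Signatures section. Assumes an
# elevated PowerShell 4+ session on the host being examined.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon Userinit/Shell. Check the native HKLM key, the WOW64 view the
#    32-bit sample actually wrote to, and the per-user key it also changed.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$defaultUserinit = 'C:\Windows\system32\userinit.exe,'   # stock value, trailing comma included
$defaultShell    = 'explorer.exe'                         # stock value
foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key
    # -ne is case-insensitive in PowerShell; anything appended after the
    # default (as in "userinit.exe,"C:\...\clientsvr.exe"") is flagged.
    if ($p.Userinit -and $p.Userinit -ne $defaultUserinit) { $findings.Add("$key\Userinit = $($p.Userinit)") }
    if ($p.Shell    -and $p.Shell    -ne $defaultShell)    { $findings.Add("$key\Shell = $($p.Shell)") }
}

# 2. Run/RunOnce values whose command points into user-writable locations
#    (the report's entry is RunOnce\"microsoft update" -> C:\ProgramData\517631\server.exe).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$writablePath = '\\(ProgramData|AppData|Temp|Users\\Public)\\'   # regex, -match is case-insensitive
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ItemProperty -Path $key | ForEach-Object {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        $_.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match $writablePath } |
            ForEach-Object { $findings.Add("$key\$($_.Name) = $($_.Value)") }
    }
}

# 3. Dropped files: the SysWOW64 copy the report records, its native System32
#    twin (in case of a 32-bit host or a later native write), server.exe under a
#    purely numeric ProgramData folder, and any .url in the user's Startup folder.
$fileChecks = @(
    "$env:SystemRoot\SysWOW64\clientsvr.exe",
    "$env:SystemRoot\System32\clientsvr.exe"
)
$fileChecks += @(Get-ChildItem -Path $env:ProgramData -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+$' } |
    ForEach-Object { Join-Path $_.FullName 'server.exe' })
$fileChecks += @(Get-ChildItem -Path "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" `
    -Filter '*.url' -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })
foreach ($f in $fileChecks) {
    if ($f -and (Test-Path -LiteralPath $f)) {
        $sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $f).Hash
        $findings.Add("file present: $f  sha256=$sha256")   # compare against the Downloads hashes
    }
}

if ($findings.Count -eq 0) { 'No Luminosity persistence artefacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Compare any reported SHA256 with the hashes under Downloads; a match on the 222KB hash identifies a stage-two drop, a match on the 269KB hash the original sample. Checking both the Wow6432Node and the native Winlogon key matters because of the redirection caveat above: a 32-bit sample on x64 leaves its Userinit change in the WOW64 view, where tools that only read the native key will miss it.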
Processes

- C:\Users\Admin\AppData\Local\Temp\b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe (PID 1164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712.exe"
  Signatures: Drops startup file; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1604)
    Command line: "C:\Windows\System32\cmd.exe" /c PING 8.8.8.8 -n 10 > nul
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 828)
      Command line: PING 8.8.8.8 -n 10
      Signatures: Runs ping.exe
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\zTZLPwuOqJ.exe (PID 1152)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\zTZLPwuOqJ.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1588)
      Command line: "C:\Windows\System32\cmd.exe" /c PING 8.8.8.8 -n 10 > nul
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE (PID 1880)
        Command line: PING 8.8.8.8 -n 10
        Signatures: Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\tmp31E.tmp.exe (PID 1884)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp31E.tmp.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\ProgramData\517631\server.exe (PID 316)
        Command line: "C:\ProgramData\517631\server.exe"
        Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

Execution chain: the submitted sample sleeps via ping, drops and runs zTZLPwuOqJ.exe from the user's Templates folder (and a matching .url in Startup); that stage sleeps the same way, then runs tmp31E.tmp.exe from Temp, which starts the final server.exe in C:\ProgramData\517631; only server.exe installs the registry persistence and the SysWOW64 copy. Image paths under SysWOW64 with command lines that say System32 are the file-system redirection applied to the 32-bit parents.
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 222KB (this entry is listed nine times in the report)
  MD5: a40fe2a8fd22909db1e64d47820f7e7a
  SHA1: 319648067cd94d2144209afc54e1f941fffa66d1
  SHA256: 29fe5df448b8b33fdf3c210e21a2ba8bcba016023b8c0c3f49e531430edf17bc
  SHA512: 520450105f630f9b78fbb319720a430efc95b569e0eef598fc5ab718a90093adadf13b6badc7c0a68f108a2861581b44b3c29e76355e7bea017b20272aa269e7
- Filesize: 269KB (this entry is listed three times in the report; the hashes are those of the submitted sample)
  MD5: ff3be7a2ec1d2452f08de1feec2deb2f
  SHA1: b842e504a0e84e44ae7b876f3543cf6f2dcae6a9
  SHA256: b0243b6fdfc0c1ad296299bc4424a13cc2c7c9808bf331c07041261d06c9b712
  SHA512: 14469a2bd770cb38f29c8db885ce4ddc10b32cbf64fb62787570cd1347d22d6c0bfb589f3524948ab50c556783970666331ce722a72770c8a7b5225cb7117db8