Analysis
- max time kernel: 150s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-10-2022 13:29
Static task: static1
Behavioral task: behavioral1
- Sample: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe
- Resource: win10v2004-20220812-en
General
- Target: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe
- Size: 402KB
- MD5: da12d3c00497b8527b7943e3579e52d9
- SHA1: 9f7489fc7b6171eadc37cf813bd81c6482e101f0
- SHA256: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec
- SHA512: 7648a29785771f1c5551968e6f09c0b636ec60022efdafd5689c37791cf28ad801b9f0f064f2973c93b5be4b8d2cabbd8d2691e939d225f2456fb3861b8e071e
- SSDEEP: 6144:8C0O/wK2CBCy0PlwYsmF/rM2SckT/06DCd:OjKeyPQF/rMJT/0
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | helper.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\445779\\helper.exe\"" | helper.exe
-
Executes dropped EXE (3 IoCs)
pid | Process
1060 | helper.exe
1292 | helper.exe
1204 | helper.exe
-
Loads dropped DLL (2 IoCs)
pid | Process
980 | 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe
980 | 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Computer Helper = "\"C:\\ProgramData\\445779\\helper.exe\"" | helper.exe
-
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\clientsvr.exe | helper.exe
File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | helper.exe
-
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1048 set thread context of 980 | 1048 | 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe | 28
PID 1060 set thread context of 1204 | 1060 | helper.exe | 31
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1060 | helper.exe
1060 | helper.exe
1204 | helper.exe
1204 | helper.exe
-
Suspicious behavior: RenamesItself (1 IoC)
pid | Process
980 | 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1048 | 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe
Token: SeDebugPrivilege | 1060 | helper.exe
Token: SeDebugPrivilege | 1204 | helper.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1204 | helper.exe
-
Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 1048 wrote to memory of 980 | 1048 | 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe | 28 (9 occurrences)
PID 980 wrote to memory of 1060 | 980 | 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe | 29 (4 occurrences)
PID 1060 wrote to memory of 1292 | 1060 | helper.exe | 30 (4 occurrences)
PID 1060 wrote to memory of 1204 | 1060 | helper.exe | 31 (9 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe (depth 1, PID 1048)
  Command line: "C:\Users\Admin\AppData\Local\Temp\189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe (depth 2, PID 980)
    Command line: "C:\Users\Admin\AppData\Local\Temp\189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe"
    Signatures:
    - Loads dropped DLL
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\ProgramData\445779\helper.exe (depth 3, PID 1060)
      Command line: "C:\ProgramData\445779\helper.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\ProgramData\445779\helper.exe (depth 4, PID 1292)
        Command line: "C:\ProgramData\445779\helper.exe"
        Signatures:
        - Executes dropped EXE
      - C:\ProgramData\445779\helper.exe (depth 4, PID 1204)
        Command line: "C:\ProgramData\445779\helper.exe"
        Signatures:
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 402KB
MD5: da12d3c00497b8527b7943e3579e52d9
SHA1: 9f7489fc7b6171eadc37cf813bd81c6482e101f0
SHA256: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec
SHA512: 7648a29785771f1c5551968e6f09c0b636ec60022efdafd5689c37791cf28ad801b9f0f064f2973c93b5be4b8d2cabbd8d2691e939d225f2456fb3861b8e071e