Analysis
max time kernel: 152s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2022 13:29
Static task: static1
Behavioral task: behavioral1
  Sample: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe
  Resource: win10v2004-20220812-en
General
Target: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe
Size: 402KB
MD5: da12d3c00497b8527b7943e3579e52d9
SHA1: 9f7489fc7b6171eadc37cf813bd81c6482e101f0
SHA256: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec
SHA512: 7648a29785771f1c5551968e6f09c0b636ec60022efdafd5689c37791cf28ad801b9f0f064f2973c93b5be4b8d2cabbd8d2691e939d225f2456fb3861b8e071e
SSDEEP: 6144:8C0O/wK2CBCy0PlwYsmF/rM2SckT/06DCd:OjKeyPQF/rMJT/0
Malware Config
Signatures
Luminosity
Luminosity is a RAT family that was on sale while claiming to be a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" (process: helper.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\246457\\helper.exe\"" (process: helper.exe)
Executes dropped EXE (3 IoCs)
- PID 3616: helper.exe
- PID 388: helper.exe
- PID 1876: helper.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe)
Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Computer Helper = "\"C:\\ProgramData\\246457\\helper.exe\"" (process: helper.exe)
Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\clientsvr.exe (process: helper.exe)
- File opened for modification: C:\Windows\SysWOW64\clientsvr.exe (process: helper.exe)
Suspicious use of SetThreadContext (2 IoCs)
- PID 4120 set thread context of 2764 (process: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe, target procid 84)
- PID 3616 set thread context of 1876 (process: helper.exe, target procid 88)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs, distinct pid/process pairs with occurrence counts)
- PID 3616: helper.exe (2)
- PID 1876: helper.exe (60)
- PID 2764: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe (2)
Suspicious behavior: RenamesItself (1 IoCs)
- PID 2764: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 4120: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe
- Token: SeDebugPrivilege, PID 3616: helper.exe
- Token: SeDebugPrivilege, PID 1876: helper.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 1876: helper.exe
Suspicious use of WriteProcessMemory (27 IoCs, distinct entries with occurrence counts)
- PID 4120 wrote to memory of 2764 (process: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe, target procid 84): 8
- PID 2764 wrote to memory of 3616 (process: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe, target procid 86): 3
- PID 3616 wrote to memory of 388 (process: helper.exe, target procid 87): 3
- PID 3616 wrote to memory of 1876 (process: helper.exe, target procid 88): 8
- PID 1876 wrote to memory of 2764 (process: helper.exe, target procid 84): 5
Processes (tree; indentation shows parent/child)
C:\Users\Admin\AppData\Local\Temp\189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe (PID 4120)
  command line: "C:\Users\Admin\AppData\Local\Temp\189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe (PID 2764, child of 4120)
    command line: "C:\Users\Admin\AppData\Local\Temp\189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\246457\helper.exe (PID 3616, child of 2764)
      command line: "C:\ProgramData\246457\helper.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\ProgramData\246457\helper.exe (PID 388, child of 3616)
        command line: "C:\ProgramData\246457\helper.exe"
        - Executes dropped EXE
      C:\ProgramData\246457\helper.exe (PID 1876, child of 3616)
        command line: "C:\ProgramData\246457\helper.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 402KB
MD5: da12d3c00497b8527b7943e3579e52d9
SHA1: 9f7489fc7b6171eadc37cf813bd81c6482e101f0
SHA256: 189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec
SHA512: 7648a29785771f1c5551968e6f09c0b636ec60022efdafd5689c37791cf28ad801b9f0f064f2973c93b5be4b8d2cabbd8d2691e939d225f2456fb3861b8e071e
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\189c62dc575e463968cae907673b30170b261ab707c804d244c8b79e1f4be8ec.exe.log
Filesize: 411B
MD5: e2eedda50223a58e2bbe18223c9ceff4
SHA1: 72653d8b29e2fbd683be979c4e0903e376352c46
SHA256: 7e1b081fe3a560b0fbc63fc97acdf2e42aaa7d291f0bdca4c3a527a19979f060
SHA512: bbdd82180301cfe8b6cc4b03bef68e4587952e6d9428ac28e25f6f21afa516ebc425f80fbc5bede4240260f055423f647c68509674f4add73a6d582e5f39891a