Analysis
max time kernel: 149s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2022 13:40
Static task: static1
Behavioral task: behavioral1
  Sample: 5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe
  Resource: win10v2004-20220812-en
The signatures, PIDs and process tree below are from the windows7_x64 run (the platform listed above).
General
Target: 5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe
Size: 1.4MB
MD5: 0f546e7eb4be1a79cd2e15f67cbe42b7
SHA1: bd706034409b6e6556920727c97e07eef28035f6
SHA256: 5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338
SHA512: 8f2ce5cf7285227590736e6ba2352b80c1bfcd49ba3f5c54e405c7a835c6ff5f75d2e57f4f6f31f87fb986227180d72a523aff62680815b1a2dcbb278e578f3d
SSDEEP: 24576:ZRon1G/j+J1rUyv4iBImufwpH1RH17qhsaQO51HYrq/cHYIAmTXs0x/GphJq:Z8c/yHz/BfHRIUqcHBmb
Malware Config
(none extracted)
Signatures
-
Luminosity
Luminosity (LuminosityLink) is a commercial RAT that was sold openly while being marketed as a remote-administration utility. Its feature set is the usual RAT one (remote control, keylogging, file management), which is the context for the hooking, drive-enumeration, injection and persistence behaviour recorded below.
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str) by sysmon.exe: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""
- Set value (str) by sysmon.exe: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\539545\\sysmon.exe\"" 
Both values are comma-separated lists that winlogon.exe launches at logon; the sample keeps the stock entry (userinit.exe, explorer.exe) and appends its own executable after it, so the user notices nothing. Two things to check when hunting for this on a live host: the machine-wide write landed under Wow6432Node (the 32-bit registry view), and the file it points to was actually created under C:\Windows\SysWOW64 (see "Drops file in System32 directory"), so a responder who only inspects the 64-bit Winlogon key and the real System32 directory will miss both artefacts. The sandbox records the write; it does not show whether the entry fires at the next logon.
Executes dropped EXE (2 IoCs)
- PID 1664 sysmon.exe
- PID 1048 sysmon.exe
-
Loads dropped DLL (8 IoCs)
- PID 2044 5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe (1 load)
- PID 1664 sysmon.exe (4 loads)
- PID 1048 sysmon.exe (3 loads)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) by sysmon.exe: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\539545\\sysmon.exe\""
The value name "System Monitor" and the file name sysmon.exe imitate Sysinternals Sysmon, which by default is installed under %SystemRoot% and runs as a service, not from a numbered folder under C:\ProgramData. RunOnce entries are deleted after they run, so a one-off check may find the key empty; the Winlogon entries above are the durable part of the persistence.
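The Winlogon and RunOnce writes above are the kind of thing a triage script should flag automatically. The following is an added example (not part of the sandbox report, and not Luminosity's or Triage's code) that parses Userinit/Shell values the way winlogon.exe reads them (comma-separated, quotes respected), reports any entry beyond the stock executable, and checks Run/RunOnce commands for executables in user-writable locations or for the Sysmon name outside %SystemRoot%. The sample records are the three registry writes from this report, written unescaped, plus one constructed stock Userinit value for contrast; the key prefixes and the list of user-writable directories are assumptions of the example.

```python
import ntpath
from typing import Dict, List, Tuple

# Stock Winlogon values on a default Windows install. winlogon.exe starts every
# comma-separated entry in Userinit and Shell at logon, so anything beyond the
# stock executable is an autostart candidate ("Winlogon Helper" persistence).
WINLOGON_STOCK = {"userinit": "userinit.exe", "shell": "explorer.exe"}

# Directories a standard user can write to (assumption of this example; extend
# for your environment). An autostart pointing here deserves a look even when
# the file name imitates a legitimate tool such as sysmon.exe.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "%appdata%",
                          "%localappdata%", "%temp%")


def split_autorun_value(value: str) -> List[str]:
    """Split 'a.exe,"C:\\x y\\b.exe"' on commas outside double quotes; return
    the entries without their quotes and without empty trailing items."""
    entries, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def audit_winlogon(value_name: str, data: str) -> List[str]:
    """Every entry of a Userinit/Shell value that is not the stock executable."""
    stock = WINLOGON_STOCK[value_name.lower()]
    return [e for e in split_autorun_value(data)
            if ntpath.basename(e).lower() != stock]


def first_executable(command: str) -> str:
    """Program path from a Run/RunOnce command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit_run_entry(command: str) -> Tuple[str, List[str]]:
    """Return (executable, reasons) for a Run/RunOnce command line."""
    exe = first_executable(command)
    low = exe.lower()
    reasons = []
    if low.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("executable lives in a user-writable directory")
    # Sysinternals Sysmon installs under %SystemRoot% by default.
    if ntpath.basename(low) == "sysmon.exe" and not low.startswith("c:\\windows\\"):
        reasons.append("name imitates Sysinternals Sysmon but is outside %SystemRoot%")
    return exe, reasons


def audit_writes(writes: List[Tuple[str, str, str]]) -> List[str]:
    """Run both checks over (key, value name, data) records and return findings."""
    findings = []
    for key, name, data in writes:
        k = key.lower()
        if k.endswith("\\winlogon") and name.lower() in WINLOGON_STOCK:
            for extra in audit_winlogon(name, data):
                findings.append(f"{key}\\{name}: extra logon entry {extra}")
        elif k.endswith(("\\run", "\\runonce")):
            exe, reasons = audit_run_entry(data)
            for reason in reasons:
                findings.append(f"{key}\\{name}: {exe} ({reason})")
    return findings


# The three registry writes from the report (data shown unescaped) plus one
# constructed stock Userinit value that must not be flagged.
REPORT_WRITES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Userinit", 'userinit.exe,"C:\\Windows\\system32\\clientsvr.exe"'),
    (r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "shell", 'explorer.exe,"C:\\ProgramData\\539545\\sysmon.exe"'),
    (r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "System Monitor", '"C:\\ProgramData\\539545\\sysmon.exe"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Userinit", "C:\\Windows\\system32\\userinit.exe,"),   # constructed stock value
]

if __name__ == "__main__":
    for finding in audit_writes(REPORT_WRITES):
        print(finding)
```

On a live host the same functions can be fed from `winreg` (both the 64-bit view and the Wow6432Node view of the Winlogon key) or from an exported hive; the parsing does not depend on the source.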
Drops file in System32 directory (2 IoCs)
- File created by sysmon.exe: C:\Windows\SysWOW64\clientsvr.exe
- File opened for modification by sysmon.exe: C:\Windows\SysWOW64\clientsvr.exe
The Winlogon Userinit value names C:\Windows\system32\clientsvr.exe, but the 32-bit process was subject to file-system redirection on this 64-bit image, so the file actually sits in SysWOW64.
-
Suspicious use of SetThreadContext (2 IoCs)
- PID 1292 (5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe) set thread context of PID 2044 (procid_target 27)
- PID 1664 (sysmon.exe) set thread context of PID 1048 (procid_target 30)
In both cases the parent spawns a second copy of its own image, writes into it (see "Suspicious use of WriteProcessMemory") and then resets the child's thread context: the RunPE / process-hollowing pattern. The on-disk file is only a loader; the payload runs inside the hollowed child.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but nothing else in this report (no mass file modification, no dropped notes) supports that reading; for a RAT with a file-manager component, drive enumeration is ordinary reconnaissance.
-
Suspicious behavior: EnumeratesProcesses (16 IoCs)
- PID 1292 5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe (4)
- PID 1664 sysmon.exe (4)
- PID 1048 sysmon.exe (7)
- PID 2044 5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe (1)
-
Suspicious behavior: RenamesItself (1 IoC)
- PID 2044 5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 1292 5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe
- Token: SeDebugPrivilege, PID 1664 sysmon.exe
- Token: SeDebugPrivilege, PID 1048 sysmon.exe
SeDebugPrivilege is what a process needs to open and write into processes it does not own; every stage enables it before the injection and cross-process writes below.
-
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1048 sysmon.exe
Only the final, hollowed sysmon.exe installs a Windows hook. The report does not record the hook type; for this family a keyboard hook (keylogging) is the usual explanation.
Suspicious use of WriteProcessMemory (36 IoCs, one row per call; grouped here by source and target)
- PID 1292 (5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe) wrote to memory of PID 2044 (procid_target 27): 12 calls
- PID 2044 (5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe) wrote to memory of PID 1664 (procid_target 29): 7 calls
- PID 1664 (sysmon.exe) wrote to memory of PID 1048 (procid_target 30): 12 calls
- PID 1048 (sysmon.exe) wrote to memory of PID 2044 (procid_target 27): 5 calls
The first and third groups pair with the SetThreadContext events (hollowing of the child). The last group is the hollowed sysmon.exe writing back into the original hollowed sample process, its grandparent in the tree.
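The hollowing pattern described under SetThreadContext and WriteProcessMemory can be recovered mechanically from the report's rows. The following is an added example (not part of the sandbox report, and not Triage's or Luminosity's code): it parses rows in the report's own "PID A set thread context of B ..." / "PID A wrote to memory of B ..." format, combines them with the process tree, and flags a parent that both writes into and resets the thread context of a child running the same image. The six rows below are taken from this report, one per distinct source/target pair (the report repeats WriteProcessMemory rows once per call); the PROCESS_TREE map is constructed by hand from the Processes section.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = "5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe"

# pid -> (parent pid, image name), built from the report's process tree.
PROCESS_TREE: Dict[int, Tuple[Optional[int], str]] = {
    1292: (None, SAMPLE),
    2044: (1292, SAMPLE),
    1664: (2044, "sysmon.exe"),
    1048: (1664, "sysmon.exe"),
}

# One row per distinct (api, source, target) in the report's row format:
# description, pid, Process, procid_target.
REPORT_ROWS = f"""
PID 1292 set thread context of 2044 1292 {SAMPLE} 27
PID 1664 set thread context of 1048 1664 sysmon.exe 30
PID 1292 wrote to memory of 2044 1292 {SAMPLE} 27
PID 2044 wrote to memory of 1664 2044 {SAMPLE} 29
PID 1664 wrote to memory of 1048 1664 sysmon.exe 30
PID 1048 wrote to memory of 2044 1048 sysmon.exe 27
"""

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<api>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) \d+$"
)

Edge = Tuple[int, int]


def parse_rows(text: str) -> Dict[str, Set[Edge]]:
    """Group (source pid, target pid) pairs by API family: 'ctx' or 'write'."""
    edges: Dict[str, Set[Edge]] = defaultdict(set)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        api = "ctx" if m["api"].startswith("set thread") else "write"
        edges[api].add((int(m["src"]), int(m["dst"])))
    return edges


def hollowing_candidates(edges: Dict[str, Set[Edge]],
                         tree: Dict[int, Tuple[Optional[int], str]]) -> List[Tuple[int, int, str]]:
    """Parent writes into its own child, child runs the same image, and the
    parent then sets the child's thread context: the RunPE / hollowing shape."""
    hits = []
    for src, dst in sorted(edges["ctx"]):
        if (src, dst) not in edges["write"]:
            continue
        parent, image = tree[dst]
        if parent == src and tree[src][1] == image:
            hits.append((src, dst, image))
    return hits


def other_cross_process_writes(edges: Dict[str, Set[Edge]],
                               tree: Dict[int, Tuple[Optional[int], str]]) -> List[Edge]:
    """Writes that are neither a hollowing pair nor a parent writing into its
    direct child; a child writing into an ancestor shows up here."""
    paired = {(s, d) for s, d, _ in hollowing_candidates(edges, tree)}
    return sorted(e for e in edges["write"]
                  if e not in paired and tree[e[1]][0] != e[0])


if __name__ == "__main__":
    found = parse_rows(REPORT_ROWS)
    for src, dst, image in hollowing_candidates(found, PROCESS_TREE):
        print(f"hollowing: {src} -> {dst} ({image})")
    for src, dst in other_cross_process_writes(found, PROCESS_TREE):
        print(f"unexplained cross-process write: {src} -> {dst}")
```

Run against this report it yields two hollowing pairs (1292 into 2044, 1664 into 1048) and one write that the pattern does not explain (1048 into 2044), which is the item worth looking at in a memory dump.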
Processes
1. C:\Users\Admin\AppData\Local\Temp\5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe"
   PID: 1292
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338.exe
      PID: 2044 (hollowed child of 1292)
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\539545\sysmon.exe
         Command line: "C:\ProgramData\539545\sysmon.exe"
         PID: 1664
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\ProgramData\539545\sysmon.exe
            Command line: C:\ProgramData\539545\sysmon.exe
            PID: 1048 (hollowed child of 1664)
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.4MB (this entry is listed 11 times in the report; the hashes match the submitted sample exactly)
  MD5: 0f546e7eb4be1a79cd2e15f67cbe42b7
  SHA1: bd706034409b6e6556920727c97e07eef28035f6
  SHA256: 5176d63c9ea432c992ba2cf7b50aa915d7c672af42bd237308654d2ce5c5a338
  SHA512: 8f2ce5cf7285227590736e6ba2352b80c1bfcd49ba3f5c54e405c7a835c6ff5f75d2e57f4f6f31f87fb986227180d72a523aff62680815b1a2dcbb278e578f3d
- Filesize: 52KB
  MD5: 278edbd499374bf73621f8c1f969d894
  SHA1: a81170af14747781c5f5f51bb1215893136f0bc0
  SHA256: c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
  SHA512: 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9