Analysis

max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2022 13:37
Static task: static1

Behavioral task: behavioral1
Sample: 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
Resource: win10v2004-20220812-en
General

Target: 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
Size: 231KB
MD5: 5493afff685719b09cb135f27c237dd0
SHA1: def43e58679be5742104de3eb50f90447cc46463
SHA256: 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f
SHA512: 9f318b1ddb88252acd3bca43ad5e6c7837556da43f61ae3843c71188fccb634be4d73164697d3604d6174e747c12bb4a1a01b7a4a2bfa683cd8c8d3c0037ea00
SSDEEP: 6144:x4Rm3MhPgYFNuyEqs3uqPD9k9vK78pF/jOIj:x4RRhYYhERPPD8vK47KI
Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\669859\\sysmon.exe\"" | sysmon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | sysmon.exe
Executes dropped EXE (2 IoCs)
pid | Process
1752 | sysmon.exe
1944 | sysmon.exe

Loads dropped DLL (2 IoCs)
pid | Process
1536 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1536 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\669859\\sysmon.exe\"" | sysmon.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\clientsvr.exe | sysmon.exe
File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | sysmon.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 756 set thread context of 1536 | 756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 28
PID 1752 set thread context of 1944 | 1752 | sysmon.exe | 31
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1944 | sysmon.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1944 | sysmon.exe
1944 | sysmon.exe
1944 | sysmon.exe
1944 | sysmon.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
1752 | sysmon.exe
1752 | sysmon.exe
756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
1536 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
Token: SeDebugPrivilege | 1752 | sysmon.exe
Token: SeDebugPrivilege | 1944 | sysmon.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1944 | sysmon.exe

Suspicious use of WriteProcessMemory (27 IoCs)
description | pid | Process | procid_target
PID 756 wrote to memory of 1536 | 756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 28
PID 756 wrote to memory of 1536 | 756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 28
PID 756 wrote to memory of 1536 | 756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 28
PID 756 wrote to memory of 1536 | 756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 28
PID 756 wrote to memory of 1536 | 756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 28
PID 756 wrote to memory of 1536 | 756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 28
PID 756 wrote to memory of 1536 | 756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 28
PID 756 wrote to memory of 1536 | 756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 28
PID 756 wrote to memory of 1536 | 756 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 28
PID 1536 wrote to memory of 1752 | 1536 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 30
PID 1536 wrote to memory of 1752 | 1536 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 30
PID 1536 wrote to memory of 1752 | 1536 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 30
PID 1536 wrote to memory of 1752 | 1536 | 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe | 30
PID 1752 wrote to memory of 1944 | 1752 | sysmon.exe | 31
PID 1752 wrote to memory of 1944 | 1752 | sysmon.exe | 31
PID 1752 wrote to memory of 1944 | 1752 | sysmon.exe | 31
PID 1752 wrote to memory of 1944 | 1752 | sysmon.exe | 31
PID 1752 wrote to memory of 1944 | 1752 | sysmon.exe | 31
PID 1752 wrote to memory of 1944 | 1752 | sysmon.exe | 31
PID 1752 wrote to memory of 1944 | 1752 | sysmon.exe | 31
PID 1752 wrote to memory of 1944 | 1752 | sysmon.exe | 31
PID 1752 wrote to memory of 1944 | 1752 | sysmon.exe | 31
PID 1944 wrote to memory of 1752 | 1944 | sysmon.exe | 30
PID 1944 wrote to memory of 1752 | 1944 | sysmon.exe | 30
PID 1944 wrote to memory of 1752 | 1944 | sysmon.exe | 30
PID 1944 wrote to memory of 1752 | 1944 | sysmon.exe | 30
PID 1944 wrote to memory of 1752 | 1944 | sysmon.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe"
  PID: 756
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f.exe"
    PID: 1536
    - Loads dropped DLL
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\669859\sysmon.exe
      Command line: "C:\ProgramData\669859\sysmon.exe"
      PID: 1752
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\ProgramData\669859\sysmon.exe
        Command line: "C:\ProgramData\669859\sysmon.exe"
        PID: 1944
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 231KB
MD5: 5493afff685719b09cb135f27c237dd0
SHA1: def43e58679be5742104de3eb50f90447cc46463
SHA256: 0598bac7ca1d0f2aa27167d0bc3d89140e3e8742d6e6caa09646e0f13940527f
SHA512: 9f318b1ddb88252acd3bca43ad5e6c7837556da43f61ae3843c71188fccb634be4d73164697d3604d6174e747c12bb4a1a01b7a4a2bfa683cd8c8d3c0037ea00