Analysis

max time kernel: 152s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2022 14:37

Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: b0844dbcd6eb29418e04843cc69e61f90afbcc250d60f402dcdb815392cdd71d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b0844dbcd6eb29418e04843cc69e61f90afbcc250d60f402dcdb815392cdd71d.exe
  Resource: win10v2004-20220812-en
General

Target: b0844dbcd6eb29418e04843cc69e61f90afbcc250d60f402dcdb815392cdd71d.exe
Size: 222KB
MD5: 83b9b884a0228470ebc1511fe82163d0
SHA1: f05a70ac20fd3518a761663d39635ee0f5048b33
SHA256: b0844dbcd6eb29418e04843cc69e61f90afbcc250d60f402dcdb815392cdd71d
SHA512: 962e7d95a8ab7b4f894abe6f5452949f52c6f0b65a0aa5487231ac1c398c6d3a0631bd7287618faa475ef0035755d2a3e76404bc722034bb0455ef62bb7ba297
SSDEEP: 3072:8U4f+fkjZt7fF0L2vMCDiu0Y8RxwLRMcR9aBeWvfxLWDwieWJ2NJucbPvJ1nlYZC:81i+f3uBmLbR9JWJWPJYJuEvPr
Malware Config

(none extracted)

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""
  process: helper.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\918368\\helper.exe\""
  process: helper.exe

Executes dropped EXE (1 IoC)
  pid: 2188
  process: helper.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  process: b0844dbcd6eb29418e04843cc69e61f90afbcc250d60f402dcdb815392cdd71d.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Computer Helper = "\"C:\\ProgramData\\918368\\helper.exe\""
  process: helper.exe

Drops file in System32 directory (2 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\clientsvr.exe
  process: helper.exe
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\clientsvr.exe
  process: helper.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 5104, process b0844dbcd6eb29418e04843cc69e61f90afbcc250d60f402dcdb815392cdd71d.exe (2 entries)
  pid 2188, process helper.exe (all remaining entries)

Suspicious behavior: RenamesItself (1 IoC)
  pid: 5104
  process: b0844dbcd6eb29418e04843cc69e61f90afbcc250d60f402dcdb815392cdd71d.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2188
  process: helper.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 2188
  process: helper.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 5104 wrote to memory of 2188 (process b0844dbcd6eb29418e04843cc69e61f90afbcc250d60f402dcdb815392cdd71d.exe, procid_target 82) - 3 entries
  PID 2188 wrote to memory of 5104 (process helper.exe, procid_target 81) - 5 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\b0844dbcd6eb29418e04843cc69e61f90afbcc250d60f402dcdb815392cdd71d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b0844dbcd6eb29418e04843cc69e61f90afbcc250d60f402dcdb815392cdd71d.exe"
   PID: 5104
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\918368\helper.exe (child of PID 5104)
      Command line: "C:\ProgramData\918368\helper.exe"
      PID: 2188
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 222KB
MD5: 83b9b884a0228470ebc1511fe82163d0
SHA1: f05a70ac20fd3518a761663d39635ee0f5048b33
SHA256: b0844dbcd6eb29418e04843cc69e61f90afbcc250d60f402dcdb815392cdd71d
SHA512: 962e7d95a8ab7b4f894abe6f5452949f52c6f0b65a0aa5487231ac1c398c6d3a0631bd7287618faa475ef0035755d2a3e76404bc722034bb0455ef62bb7ba297