luminosity | 9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
Size

431KB
MD5

2deb3534a31770471cd1f20c6eaa70f0
SHA1

b1f507a3b30f4f8ff588ec3c9eee4607e76da950
SHA256

9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc
SHA512

fd126297afa6c3676c01a7069b635b2912f84bafdfc4a72b15902c2ff4b371c96c049a4c1999a72043dd58586ca032c63510bead91d87cdb94ba9c3606c4673d
SSDEEP

12288:dhx6uCzDcKIfUEOpPDc7Tlr67EWascC1nbDUF:dhAZIfBoyTlhYQ

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

sysmon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	sysmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\428702\\sysmon.exe\""	sysmon.exe

Executes dropped EXE 2 IoCs

Processes:

sysmon.exesysmon.exe

pid process

1704 sysmon.exe
972 sysmon.exe

pid	process
1704	sysmon.exe
972	sysmon.exe

Loads dropped DLL 2 IoCs

Processes:

9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe

pid	process
1488	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
1488	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sysmon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\428702\\sysmon.exe\""	sysmon.exe

Drops file in System32 directory 2 IoCs

Processes:

sysmon.exe

description ioc process

File created C:\Windows\SysWOW64\clientsvr.exe sysmon.exe
File opened for modification C:\Windows\SysWOW64\clientsvr.exe sysmon.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	sysmon.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	sysmon.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exesysmon.exe

description	pid	process	target process
PID 1288 set thread context of 1488	1288	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
PID 1704 set thread context of 972	1704	sysmon.exe	sysmon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

sysmon.exe

pid process

972 sysmon.exe
972 sysmon.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe

pid process

1488 9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe

pid	process
972	sysmon.exe
972	sysmon.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exesysmon.exesysmon.exe

description	pid	process
Token: SeDebugPrivilege	1288	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
Token: SeDebugPrivilege	1704	sysmon.exe
Token: SeDebugPrivilege	972	sysmon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sysmon.exe

pid process

972 sysmon.exe

pid	process
972	sysmon.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exesysmon.exe

description	pid	process	target process
PID 1288 wrote to memory of 1488	1288	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
PID 1288 wrote to memory of 1488	1288	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
PID 1288 wrote to memory of 1488	1288	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
PID 1288 wrote to memory of 1488	1288	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
PID 1288 wrote to memory of 1488	1288	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
PID 1288 wrote to memory of 1488	1288	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
PID 1288 wrote to memory of 1488	1288	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
PID 1288 wrote to memory of 1488	1288	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
PID 1288 wrote to memory of 1488	1288	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
PID 1488 wrote to memory of 1704	1488	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	sysmon.exe
PID 1488 wrote to memory of 1704	1488	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	sysmon.exe
PID 1488 wrote to memory of 1704	1488	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	sysmon.exe
PID 1488 wrote to memory of 1704	1488	9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe	sysmon.exe
PID 1704 wrote to memory of 972	1704	sysmon.exe	sysmon.exe
PID 1704 wrote to memory of 972	1704	sysmon.exe	sysmon.exe
PID 1704 wrote to memory of 972	1704	sysmon.exe	sysmon.exe
PID 1704 wrote to memory of 972	1704	sysmon.exe	sysmon.exe
PID 1704 wrote to memory of 972	1704	sysmon.exe	sysmon.exe
PID 1704 wrote to memory of 972	1704	sysmon.exe	sysmon.exe
PID 1704 wrote to memory of 972	1704	sysmon.exe	sysmon.exe
PID 1704 wrote to memory of 972	1704	sysmon.exe	sysmon.exe
PID 1704 wrote to memory of 972	1704	sysmon.exe	sysmon.exe

C:\Users\Admin\AppData\Local\Temp\9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
"C:\Users\Admin\AppData\Local\Temp\9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
  "C:\Users\Admin\AppData\Local\Temp\9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\ProgramData\428702\sysmon.exe
    "C:\ProgramData\428702\sysmon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\ProgramData\428702\sysmon.exe
      "C:\ProgramData\428702\sysmon.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\428702\sysmon.exe

Filesize
431KB

MD5
2deb3534a31770471cd1f20c6eaa70f0

SHA1
b1f507a3b30f4f8ff588ec3c9eee4607e76da950

SHA256
9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc

SHA512
fd126297afa6c3676c01a7069b635b2912f84bafdfc4a72b15902c2ff4b371c96c049a4c1999a72043dd58586ca032c63510bead91d87cdb94ba9c3606c4673d

Download Submit
C:\ProgramData\428702\sysmon.exe

Filesize
431KB

MD5
2deb3534a31770471cd1f20c6eaa70f0

SHA1
b1f507a3b30f4f8ff588ec3c9eee4607e76da950

SHA256
9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc

SHA512
fd126297afa6c3676c01a7069b635b2912f84bafdfc4a72b15902c2ff4b371c96c049a4c1999a72043dd58586ca032c63510bead91d87cdb94ba9c3606c4673d

Download Submit
C:\ProgramData\428702\sysmon.exe

Filesize
431KB

MD5
2deb3534a31770471cd1f20c6eaa70f0

SHA1
b1f507a3b30f4f8ff588ec3c9eee4607e76da950

SHA256
9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc

SHA512
fd126297afa6c3676c01a7069b635b2912f84bafdfc4a72b15902c2ff4b371c96c049a4c1999a72043dd58586ca032c63510bead91d87cdb94ba9c3606c4673d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_3E19707BBCF153AEAF419B98E434FB2D

Filesize
1KB

MD5
a07148b4799d44bd85f3c5b20f9491cb

SHA1
efb87e06b56f9898bf7bcd2fc56df3761777f852

SHA256
b6ab1dead0fe4b6752f38ca9dc65b657846e3632e729f113c953c0f771f12ec5

SHA512
5eb81f25d2563437ed27258367b30827eb263df8ff966f8bf1640a7ad130f5cbc46b2c91cf137542bbd0feab11a27e750a81df615b9e057abfd68907bd3a6c99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F

Filesize
834B

MD5
2f9af8e0d783cfa432c7041713c8f5ee

SHA1
974e325ade4fd9e3f450913e8269c78d1ef4836a

SHA256
b4c71719b03d24adf1b8d89707cdf20e2b0be78c58686d78c340da6fd3a00eb3

SHA512
3ccb5b22dd0cb7e4841b4979d1c0aa6e921925cc9a187c88d67d6e2f19285ed4acc30424c7e481b61e215bdae8af9d4bdc9c17fada508ff0385cd9d456968c72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_3E19707BBCF153AEAF419B98E434FB2D

Filesize
404B

MD5
c83fda276f6ef960f5ab5b42f45f0e10

SHA1
ab9fa41423a2d31ef2266c0db20ee6a81861e7fe

SHA256
feee0e64e2dd9efc0b78da068046db6f3c1ff0941d1b3cf6ae729366fb764c9c

SHA512
9942ac00381f107aaddb85e5662f5479e0f254b5b36e66f8438c1b4ba3d9b5bf054d29cb13ef6fc94c6e1d17724d677110ce8b22aa04773072b2e9e21abd9cf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

Filesize
404B

MD5
22f806386a97300c323732e2d9f5aa11

SHA1
de5be08399bd92882a2b14920f6f6b8193edc5f9

SHA256
1b64aa6d880fd84c73b0e5f96acef72e9ea1376d9cae29512c064776d7340114

SHA512
8c5191abcddfa8f022aebc3e10f96cf16e4c56e6153bb248c1eaa3e592ca41f8006a333e5ae48b0da568809be81b8bb112f8da68ba37897358c7780af6373614

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F

Filesize
188B

MD5
246631610c1c4d63b589f72e89c2e9b1

SHA1
6ff17ed8b8f2e68690f39e015c1337bf0eb458a2

SHA256
6bb5d190ecad4763277c8d104003c19b27acd608e5b48bcf6f337c0fa2b372a6

SHA512
8780acd1be25461581b635eb37b7ad228e7f7d97753e0fee93ecfa29fbaf05deb55bb7d76e76ca5880663016ea084a61dcab2f8381f4d555f2329960b318db86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f232be450a2b50f9acfdf1e76f3a7c87

SHA1
8fa64fbe4ef28411e31032c6e1cefbd58478a1b7

SHA256
a48b66e6096e0a9a999f52bea4df135a1737b9f95533fdb3e8e99d35c240fe5c

SHA512
9698e6d192763768d387b5402dd2ec83e5e1f9e0398f00d036fdc988a26216bca843ff672f15f981c33732b6655ba9abcbb0ea0ac998c73016748d135d2c9cff

Download Submit
\ProgramData\428702\sysmon.exe

Filesize
431KB

MD5
2deb3534a31770471cd1f20c6eaa70f0

SHA1
b1f507a3b30f4f8ff588ec3c9eee4607e76da950

SHA256
9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc

SHA512
fd126297afa6c3676c01a7069b635b2912f84bafdfc4a72b15902c2ff4b371c96c049a4c1999a72043dd58586ca032c63510bead91d87cdb94ba9c3606c4673d

Download Submit
\ProgramData\428702\sysmon.exe

Filesize
431KB

MD5
2deb3534a31770471cd1f20c6eaa70f0

SHA1
b1f507a3b30f4f8ff588ec3c9eee4607e76da950

SHA256
9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc

SHA512
fd126297afa6c3676c01a7069b635b2912f84bafdfc4a72b15902c2ff4b371c96c049a4c1999a72043dd58586ca032c63510bead91d87cdb94ba9c3606c4673d

Download Submit
memory/972-93-0x000000000045CF0E-mapping.dmp

Download
memory/972-103-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/972-101-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-56-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-65-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/1288-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1288-55-0x00000000745E0000-0x0000000074B8B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-62-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1488-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1488-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1488-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1488-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1488-63-0x000000000045CF0E-mapping.dmp

Download
memory/1488-86-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1488-70-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1488-102-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1488-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1704-73-0x0000000000000000-mapping.dmp

Download
memory/1704-96-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1704-85-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download