Analysis
- max time kernel: 187s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2022 11:11
Static task: static1
Behavioral task: behavioral1
- Sample: 9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
- Resource: win10v2004-20220812-en
General
- Target: 9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
- Size: 431KB
- MD5: 2deb3534a31770471cd1f20c6eaa70f0
- SHA1: b1f507a3b30f4f8ff588ec3c9eee4607e76da950
- SHA256: 9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc
- SHA512: fd126297afa6c3676c01a7069b635b2912f84bafdfc4a72b15902c2ff4b371c96c049a4c1999a72043dd58586ca032c63510bead91d87cdb94ba9c3606c4673d
- SSDEEP: 12288:dhx6uCzDcKIfUEOpPDc7Tlr67EWascC1nbDUF:dhAZIfBoyTlhYQ
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\352168\\sysmon.exe\"" (process: sysmon.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" (process: sysmon.exe)
Note: the stock values are Shell = "explorer.exe" and Userinit = "C:\Windows\system32\userinit.exe,". The sample keeps the stock program name first and appends its own executable after the comma, so logon still proceeds normally. The Shell write is per-user (HKCU); the Userinit write landed under WOW6432Node in HKLM, the redirected view a 32-bit writer gets on a 64-bit host, so when hunting check both the native and the WOW6432Node Winlogon keys.
-
Executes dropped EXE (3 IoCs)
- PID 4948 sysmon.exe
- PID 4476 sysmon.exe
- PID 3156 sysmon.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: 9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe)
-
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\352168\\sysmon.exe\"" (process: sysmon.exe)
-
Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\clientsvr.exe (process: sysmon.exe)
- File opened for modification: C:\Windows\SysWOW64\clientsvr.exe (process: sysmon.exe)
Note: the file landed under SysWOW64 (file-system redirection of a 32-bit process) while the Userinit value above names C:\Windows\system32\clientsvr.exe; the two paths refer to the same file only from a 32-bit process's point of view, so verify on a 64-bit host which file, if any, the native winlogon would actually launch.
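The registry writes above can be audited mechanically rather than by eye. The following is an added example, not code from the report, the sandbox, or the Luminosity sample: it parses the three "Set value (str)" lines exactly as the report prints them (escaped backslashes and quotes included), compares the Winlogon Shell and Userinit values with their stock contents, lists every appended program, and reconciles those paths with where the dropped files were actually observed. The stock values are well-known Windows defaults, not taken from the report; the sysmon.exe drop path comes from the process tree, the clientsvr.exe path from the "Drops file" IoC.

```python
"""Registry-persistence audit over sandbox 'Set value (str)' IoC lines (added example)."""
import csv
import re
from dataclasses import dataclass

# Stock Winlogon values on a default 64-bit Windows 10 install (well-known defaults, not from the report).
STOCK = {"shell": ["explorer.exe"], "userinit": ["C:\\Windows\\system32\\userinit.exe"]}

# Constructed input: the three registry writes from the Signatures section, copied as printed.
REPORT_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\352168\\sysmon.exe\"" sysmon.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" sysmon.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\352168\\sysmon.exe\"" sysmon.exe',
]
# Constructed input: where files were seen on disk (clientsvr.exe from the drop IoC, sysmon.exe from the tree).
REPORT_DROPS = [r"C:\Windows\SysWOW64\clientsvr.exe", r"C:\ProgramData\352168\sysmon.exe"]

IOC_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<val>.*)" (?P<proc>\S+)$')


@dataclass
class Finding:
    value_name: str         # registry value written (shell, Userinit, RunOnce entry name)
    hive: str               # HKCU (\REGISTRY\USER) or HKLM (\REGISTRY\MACHINE)
    wow64_redirected: bool  # key landed under WOW6432Node: 32-bit writer on a 64-bit host
    entries: list           # comma-separated programs after unescaping
    added: list             # programs that are not part of the stock value
    stock_mismatch: bool    # the leading entry differs from the documented default
    writer: str             # process that performed the write


def parse_set_value(line):
    """Turn one report line into a Finding, or None if it is not a string write."""
    m = IOC_RE.match(line)
    if not m:
        return None
    value = re.sub(r'\\(["\\])', r'\1', m["val"])          # undo the report's escaping
    entries = [e for e in next(csv.reader([value])) if e]  # quoted paths may contain commas
    parts = m["key"].split("\\")                           # ['', 'REGISTRY', 'USER'|'MACHINE', ...]
    name, parent = parts[-1], parts[-2].lower()
    if parent == "winlogon" and name.lower() in STOCK:
        stock = [s.lower() for s in STOCK[name.lower()]]
        mismatch, added = [e.lower() for e in entries[:1]] != stock, entries[1:]
    elif parent in ("run", "runonce"):
        mismatch, added = False, list(entries)             # every entry here is an addition
    else:
        mismatch, added = False, []
    return Finding(name, "HKCU" if parts[2].upper() == "USER" else "HKLM",
                   "\\WOW6432NODE\\" in m["key"].upper(), entries, added, mismatch, m["proc"])


def audit(lines):
    return [f for f in map(parse_set_value, lines) if f is not None]


def persistence_paths(findings):
    """Every program the writes would launch at logon, de-duplicated and sorted."""
    return sorted({p for f in findings for p in f.added})


def reconcile_drops(paths, dropped):
    """Map each configured program to 'exact', 'wow64-redirected' or 'missing'.
    A 32-bit process writing to C:\\Windows\\system32 is redirected to SysWOW64, so a
    value naming system32 may point at a file that exists only under SysWOW64."""
    def native(p):
        return re.sub(r"(?i)\\syswow64\\", r"\\system32\\", p).lower()
    dropped_lower = {d.lower() for d in dropped}
    out = {}
    for p in paths:
        if p.lower() in dropped_lower:
            out[p] = "exact"
        elif any(native(d) == p.lower() for d in dropped):
            out[p] = "wow64-redirected"
        else:
            out[p] = "missing"
    return out


if __name__ == "__main__":
    findings = audit(REPORT_IOCS)
    for f in findings:
        print(f"{f.hive} {f.value_name}: added={f.added} wow64={f.wow64_redirected} stock_mismatch={f.stock_mismatch}")
    print(reconcile_drops(persistence_paths(findings), REPORT_DROPS))
```

Run as-is it reports the Shell and RunOnce additions under HKCU, the Userinit addition under the WOW6432Node view of HKLM with a leading entry that no longer matches the stock full path, and flags clientsvr.exe as configured in system32 but dropped in SysWOW64. The same parser can be pointed at any sandbox export that uses this line format.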
Suspicious use of SetThreadContext (2 IoCs)
- PID 1120 (9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe) set thread context of PID 2164 (procid_target 82)
- PID 4948 (sysmon.exe) set thread context of PID 3156 (procid_target 85)
Note: in both cases the target is a freshly spawned child running the same image as the writer, and the writer also wrote into the child's memory (see WriteProcessMemory below). That is the process-hollowing pattern: the behaviour the report attributes to PIDs 2164 and 3156 runs in memory the parent replaced, not in the code of the file those processes were started from.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's signature text calls this likely ransomware behaviour, but it is a generic heuristic: drive enumeration on its own does not indicate encryption activity, and the family matched above is a RAT.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4948 sysmon.exe (2 entries)
- PID 3156 sysmon.exe (62 entries)
-
Suspicious behavior: RenamesItself (1 IoC)
- PID 2164 9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 1120 9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe
- Token: SeDebugPrivilege, PID 4948 sysmon.exe
- Token: SeDebugPrivilege, PID 3156 sysmon.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3156 sysmon.exe
Note: the report records only the call, not the hook type. SetWindowsHookEx is the API behind message-hook keystroke capture, which would fit the RAT classification, but the hook's purpose is not confirmed by this report.
-
Suspicious use of WriteProcessMemory (25 IoCs)
- PID 1120 (9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe) wrote to memory of PID 2164: 8 entries (procid_target 82)
- PID 2164 (9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe) wrote to memory of PID 4948: 3 entries (procid_target 83)
- PID 4948 (sysmon.exe) wrote to memory of PID 4476: 3 entries (procid_target 84)
- PID 4948 (sysmon.exe) wrote to memory of PID 3156: 8 entries (procid_target 85)
- PID 3156 (sysmon.exe) wrote to memory of PID 2164: 3 entries (procid_target 82)
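The SetThreadContext and WriteProcessMemory entries above, combined with the process tree, are enough to reconstruct which processes were hollowed. The following is an added example, not code from the report, the sandbox, or the sample: the process table and parent links are constructed from the report's Processes tree, and the event lines are the ones printed in the Signatures section with their counts. It aggregates writer/target pairs, labels each pair, and lists the PIDs whose behaviour should be attributed to injected code rather than to their on-disk image.

```python
"""Injection-chain reconstruction from sandbox IoC lines (added example)."""
import re
from collections import defaultdict

SAMPLE = "9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe"

# Constructed from the report's Processes tree: pid -> (image name, parent pid); root parent is None.
PROCESSES = {
    1120: (SAMPLE, None),
    2164: (SAMPLE, 1120),
    4948: ("sysmon.exe", 2164),
    4476: ("sysmon.exe", 4948),
    3156: ("sysmon.exe", 4948),
}

# Constructed input in the report's column order:
# description ("PID <src> <action> <dst>"), pid, process image, procid_target.
EVENTS = (
    [f"PID 1120 set thread context of 2164 1120 {SAMPLE} 82",
     "PID 4948 set thread context of 3156 4948 sysmon.exe 85"]
    + [f"PID 1120 wrote to memory of 2164 1120 {SAMPLE} 82"] * 8
    + [f"PID 2164 wrote to memory of 4948 2164 {SAMPLE} 83"] * 3
    + ["PID 4948 wrote to memory of 4476 4948 sysmon.exe 84"] * 3
    + ["PID 4948 wrote to memory of 3156 4948 sysmon.exe 85"] * 8
    + ["PID 3156 wrote to memory of 2164 3156 sysmon.exe 82"] * 3
)

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<act>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<image>\S+) (?P<target_id>\d+)$"
)


def parse_events(lines):
    """Per (source pid, target pid): WriteProcessMemory count and whether SetThreadContext was seen."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False})
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        rec = pairs[(int(m["src"]), int(m["dst"]))]
        if m["act"].startswith("wrote"):
            rec["writes"] += 1
        else:
            rec["set_context"] = True
    return dict(pairs)


def ancestors(pid, procs=PROCESSES):
    """Parent chain of pid, nearest first."""
    chain, parent = [], procs[pid][1]
    while parent is not None:
        chain.append(parent)
        parent = procs[parent][1]
    return chain


def classify(pairs, procs=PROCESSES):
    """Label each writer/target pair:
    hollowing         parent wrote into a same-image child, then swapped its thread context
    child-injection   same, but the child runs a different image
    child-write       parent wrote into its child with no context swap (not a hollowing indicator by itself)
    write-to-ancestor a descendant wrote back into a process above it in the tree
    cross-process     anything else"""
    verdicts = {}
    for (src, dst), rec in pairs.items():
        is_child = procs[dst][1] == src
        same_image = procs[src][0] == procs[dst][0]
        if is_child and rec["set_context"] and rec["writes"]:
            verdicts[(src, dst)] = "hollowing" if same_image else "child-injection"
        elif is_child:
            verdicts[(src, dst)] = "child-write"
        elif dst in ancestors(src, procs):
            verdicts[(src, dst)] = "write-to-ancestor"
        else:
            verdicts[(src, dst)] = "cross-process"
    return verdicts


def payload_processes(verdicts):
    """PIDs whose memory was replaced: attribute the report's behaviour to these, not to their images."""
    return sorted(dst for (_, dst), v in verdicts.items() if v in ("hollowing", "child-injection"))


if __name__ == "__main__":
    verdicts = classify(parse_events(EVENTS))
    for (src, dst), label in verdicts.items():
        print(f"{src} -> {dst}: {label}")
    print("hollowed:", payload_processes(verdicts))
```

On the report's data this labels 1120 -> 2164 and 4948 -> 3156 as hollowing, the two spawn-and-write pairs as plain child writes, and 3156 -> 2164 as a write back up the tree; the hollowed PIDs come out as 2164 and 3156, which matches where the report places the geofence check, the self-rename and all of the persistence writes.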
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe, command line "C:\Users\Admin\AppData\Local\Temp\9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe", PID 1120
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe, command line "C:\Users\Admin\AppData\Local\Temp\9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc.exe", PID 2164
    - Checks computer location settings
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\ProgramData\352168\sysmon.exe, command line "C:\ProgramData\352168\sysmon.exe", PID 4948
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\ProgramData\352168\sysmon.exe, command line "C:\ProgramData\352168\sysmon.exe", PID 4476
        - Executes dropped EXE
      - (depth 4) C:\ProgramData\352168\sysmon.exe, command line "C:\ProgramData\352168\sysmon.exe", PID 3156
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- (no path recorded) Filesize: 431KB; hashes identical to the submitted sample
  MD5: 2deb3534a31770471cd1f20c6eaa70f0
  SHA1: b1f507a3b30f4f8ff588ec3c9eee4607e76da950
  SHA256: 9974e07dae1586afb8c8cc20099a8bea4581ac98f459f79a1a9f3c3963c02fcc
  SHA512: fd126297afa6c3676c01a7069b635b2912f84bafdfc4a72b15902c2ff4b371c96c049a4c1999a72043dd58586ca032c63510bead91d87cdb94ba9c3606c4673d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_3E19707BBCF153AEAF419B98E434FB2D
  Filesize: 1KB
  MD5: a07148b4799d44bd85f3c5b20f9491cb
  SHA1: efb87e06b56f9898bf7bcd2fc56df3761777f852
  SHA256: b6ab1dead0fe4b6752f38ca9dc65b657846e3632e729f113c953c0f771f12ec5
  SHA512: 5eb81f25d2563437ed27258367b30827eb263df8ff966f8bf1640a7ad130f5cbc46b2c91cf137542bbd0feab11a27e750a81df615b9e057abfd68907bd3a6c99
- (no path recorded) Filesize: 834B
  MD5: 2f9af8e0d783cfa432c7041713c8f5ee
  SHA1: 974e325ade4fd9e3f450913e8269c78d1ef4836a
  SHA256: b4c71719b03d24adf1b8d89707cdf20e2b0be78c58686d78c340da6fd3a00eb3
  SHA512: 3ccb5b22dd0cb7e4841b4979d1c0aa6e921925cc9a187c88d67d6e2f19285ed4acc30424c7e481b61e215bdae8af9d4bdc9c17fada508ff0385cd9d456968c72
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_3E19707BBCF153AEAF419B98E434FB2D
  Filesize: 404B
  MD5: 50f3ae043adbc2004ad3d795511a7c73
  SHA1: 6e6d75ccd394945903f55f83d52f65d92c821007
  SHA256: 68d0024b4f861d7d170c6a04cba6c1c1a42f0b6e4e28d16de1e3cc0e10f82e59
  SHA512: 7399464e058c40c50486d4e5771ba06ee79b0df8ece6d46e5adfa2dac7c36b5809ee74e373cf377100f9e6abd5b5c25bc1562432a3fb102fccc5f6eee9b38553
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
  Filesize: 188B
  MD5: b29b76938962708dde7d6e8f8e2c203a
  SHA1: c2855407904c120670f8677db26e7616aa35c816
  SHA256: cf0f82aa89abf77ddbfdd259ff44de855d44f0041c04d0a80bdc446890209ee2
  SHA512: 014519091cfefb2f99983dd33a9291bded3c772e75c6b9136a904c497d793de19ba3f71bb1f0fc957a6c970730ab83996bfc6ca356437f42684904ff1ed833b6
Note: the CryptnetUrlCache entries are Windows CryptoAPI network-retrieval cache files, produced by the OS when a process triggers a certificate-chain or revocation fetch; treat them as side effects of the run rather than as payloads dropped by the sample.