Overview

overview

10

Static

static

4cf17e9cb4...96.exe

windows7-x64

10

4cf17e9cb4...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2022 02:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4cf17e9cb40b51bfc98b414c42fa3692c032b3b19b0564c4a64153a1f6cdb696.exe

  • Size

    477KB

  • MD5

    4fe45ecf79d7897c852382f5dc547ce0

  • SHA1

    f0b4abee37a76b55f0a392690cc28a4ecee33dc8

  • SHA256

    4cf17e9cb40b51bfc98b414c42fa3692c032b3b19b0564c4a64153a1f6cdb696

  • SHA512

    4ba779a7351ad92d3e29d2bf36dc936c300b88adf46f93aae9ae2528be1af6557680057cdcb142853ee02e7382eb53b02e6b0cb4c7325c4a347f77f410b18f8b

  • SSDEEP

    12288:BNvnd35ukmZgSVJgvvFkrxFE74st49Vohr/49P4iK70djb14:Ph5ukm04sVhr/49PrKD

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cf17e9cb40b51bfc98b414c42fa3692c032b3b19b0564c4a64153a1f6cdb696.exe
    "C:\Users\Admin\AppData\Local\Temp\4cf17e9cb40b51bfc98b414c42fa3692c032b3b19b0564c4a64153a1f6cdb696.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:736
    • C:\Users\Admin\AppData\Local\Temp\out.exe
      "C:\Users\Admin\AppData\Local\Temp\out.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\ProgramData\636746\svchost.exe
        "C:\ProgramData\636746\svchost.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:384

Network

  • flag-unknown
    DNS
    164.2.77.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    164.2.77.40.in-addr.arpa
    IN PTR
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa
    IN PTR
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • flag-unknown
    DNS
    maartin10.zapto.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    maartin10.zapto.org
    IN A
    Response
  • 52.242.97.97:443
    52 B
     1
  • 209.197.3.8:80
    260 B
     5
  • 72.21.81.240:80
    46 B
     40 B
     1
    1
  • 209.197.3.8:80
    260 B
     5
  • 93.184.220.29:80
    322 B
     7
  • 104.46.162.224:443
    322 B
     7
  • 209.197.3.8:80
    322 B
     7
  • 209.197.3.8:80
    322 B
     7
  • 209.197.3.8:80
    322 B
     7
  • 104.80.225.205:443
    322 B
     7
  • 8.8.8.8:53
    164.2.77.40.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    164.2.77.40.in-addr.arpa

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
     204 B
     1
    1

    DNS Request

    f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

  • 8.8.8.8:53
    maartin10.zapto.org
    dns
    svchost.exe
    65 B
     125 B
     1
    1

    DNS Request

    maartin10.zapto.org

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\636746\svchost.exe
    Filesize

    222KB

    MD5

    731df28da903fdab197f766ab0339b65

    SHA1

    3ee6bba83a0842404ccd52ca21972bec3b398c32

    SHA256

    e882bbfe4f62dafc8075b6812749b6de656b4b90854eb6faf8bb5c9dccf13cb5

    SHA512

    94957325766dbb48145713715d0e2918645920379290273df1a37eb7f679ba80183bf27af94824d19ae2cef3c28d194948693142ce04b71891bba1a74744df5b

    Download Submit

  • C:\ProgramData\636746\svchost.exe
    Filesize

    222KB

    MD5

    731df28da903fdab197f766ab0339b65

    SHA1

    3ee6bba83a0842404ccd52ca21972bec3b398c32

    SHA256

    e882bbfe4f62dafc8075b6812749b6de656b4b90854eb6faf8bb5c9dccf13cb5

    SHA512

    94957325766dbb48145713715d0e2918645920379290273df1a37eb7f679ba80183bf27af94824d19ae2cef3c28d194948693142ce04b71891bba1a74744df5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\out.exe
    Filesize

    222KB

    MD5

    731df28da903fdab197f766ab0339b65

    SHA1

    3ee6bba83a0842404ccd52ca21972bec3b398c32

    SHA256

    e882bbfe4f62dafc8075b6812749b6de656b4b90854eb6faf8bb5c9dccf13cb5

    SHA512

    94957325766dbb48145713715d0e2918645920379290273df1a37eb7f679ba80183bf27af94824d19ae2cef3c28d194948693142ce04b71891bba1a74744df5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\out.exe
    Filesize

    222KB

    MD5

    731df28da903fdab197f766ab0339b65

    SHA1

    3ee6bba83a0842404ccd52ca21972bec3b398c32

    SHA256

    e882bbfe4f62dafc8075b6812749b6de656b4b90854eb6faf8bb5c9dccf13cb5

    SHA512

    94957325766dbb48145713715d0e2918645920379290273df1a37eb7f679ba80183bf27af94824d19ae2cef3c28d194948693142ce04b71891bba1a74744df5b

    Download Submit

  • memory/384-146-0x0000000074CA0000-0x0000000075251000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/384-141-0x0000000074CA0000-0x0000000075251000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/736-136-0x0000000074CA0000-0x0000000075251000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/736-132-0x0000000074CA0000-0x0000000075251000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5052-137-0x0000000074CA0000-0x0000000075251000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5052-142-0x00000000069B0000-0x00000000069C7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/5052-143-0x00000000069B0000-0x00000000069C7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/5052-144-0x00000000069B0000-0x00000000069C7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/5052-145-0x0000000074CA0000-0x0000000075251000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5052-147-0x0000000074CA0000-0x0000000075251000-memory.dmp

    Filesize

    5.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.