Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2022 07:30
Static task: static1
Behavioral task: behavioral1
  Sample: ce75c15a3459e4a32795571c89de2576f7bc3f3295f04ba2d52f8cb13404795e.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: ce75c15a3459e4a32795571c89de2576f7bc3f3295f04ba2d52f8cb13404795e.exe
  Resource: win10v2004-20220901-en
General
Target: ce75c15a3459e4a32795571c89de2576f7bc3f3295f04ba2d52f8cb13404795e.exe
Size: 365KB
MD5: 3c9be28e4d4613c828ce09079cedbaf0
SHA1: 3f3129c7b1d2a71c878cfa3a40d41807efb15fed
SHA256: ce75c15a3459e4a32795571c89de2576f7bc3f3295f04ba2d52f8cb13404795e
SHA512: 0897f20a9cfa9c9afddc3a97220e994e263bb72891e58a91055d75f1870709d80bf4f55efd0703b32841587264b8103787ac3d8d6bd5c980e29abda444a321f7
SSDEEP: 6144:WXV+JnRQtCJmM+mKwYpzyAtmLbR9JWJW+lU3hJ272Ja2P4337MqjrEVGPjk7ngIk:eAROuRvE0la2P4brEyjk7ngYsP
Malware Config
Signatures
Luminosity
Luminosity is a RAT family that was sold commercially while claiming to be a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" (process: repair.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\307203\\repair.exe\"" (process: repair.exe)
Executes dropped EXE (1 IoC)
  PID 3300: repair.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: ce75c15a3459e4a32795571c89de2576f7bc3f3295f04ba2d52f8cb13404795e.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Mechanic = "\"C:\\ProgramData\\307203\\repair.exe\"" (process: repair.exe)

Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\clientsvr.exe (process: repair.exe)
  File opened for modification: C:\Windows\SysWOW64\clientsvr.exe (process: repair.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3300: repair.exe (repeated entries)
  PID 4152: ce75c15a3459e4a32795571c89de2576f7bc3f3295f04ba2d52f8cb13404795e.exe (2 entries)

Suspicious behavior: RenamesItself (1 IoC)
  PID 4152: ce75c15a3459e4a32795571c89de2576f7bc3f3295f04ba2d52f8cb13404795e.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3300: repair.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3300: repair.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4152 (ce75c15a3459e4a32795571c89de2576f7bc3f3295f04ba2d52f8cb13404795e.exe) wrote to memory of PID 3300, target procid 81 (3 entries)
  PID 3300 (repair.exe) wrote to memory of PID 4152, target procid 80 (5 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ce75c15a3459e4a32795571c89de2576f7bc3f3295f04ba2d52f8cb13404795e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ce75c15a3459e4a32795571c89de2576f7bc3f3295f04ba2d52f8cb13404795e.exe"
   PID: 4152
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\307203\repair.exe (child of PID 4152)
      Command line: "C:\ProgramData\307203\repair.exe"
      PID: 3300
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 365KB
MD5: 3c9be28e4d4613c828ce09079cedbaf0
SHA1: 3f3129c7b1d2a71c878cfa3a40d41807efb15fed
SHA256: ce75c15a3459e4a32795571c89de2576f7bc3f3295f04ba2d52f8cb13404795e
SHA512: 0897f20a9cfa9c9afddc3a97220e994e263bb72891e58a91055d75f1870709d80bf4f55efd0703b32841587264b8103787ac3d8d6bd5c980e29abda444a321f7