Analysis

Max time kernel: 157s
Max time network: 163s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26-11-2022 22:06

Static task: static1

Behavioral task: behavioral1
  Sample: 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
  Resource: win10v2004-20220812-en
General

Target: 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Size: 2.7MB
MD5: c8cf5b4e0b41f78a0578afd13d721fd1
SHA1: 3c5fea380843bff19cf435322ec7a8a62d1ec3d4
SHA256: 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029
SHA512: f4bf2b8452a253aa45f64c6d05d3c7a1e8ec744a322892e1f03710129e43fa63f0064023341d37dd308be45c9385d50863d2b21461f82e94ba0e67526708c54e
SSDEEP: 49152:eSBec0GPbErgBAmCke8D/MABBqVbKJ04TiSgviLoDbrBcp9:ecrzErgB+wM8IVmCiiLvxnrB
Malware Config
Signatures

Luminosity
Luminosity is a RAT family that was on sale while claiming to be a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | sysmon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\285414\\sysmon.exe\"" | sysmon.exe
Executes dropped EXE (4 IoCs)
pid | Process
2108 | File.exe
2504 | sysmon.exe
224 | File.exe
4992 | sysmon.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | sysmon.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\285414\\sysmon.exe\"" | sysmon.exe
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\clientsvr.exe | sysmon.exe
File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | sysmon.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3584 set thread context of 4928 | 3584 | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe | 83
PID 2504 set thread context of 4992 | 2504 | sysmon.exe | 88
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\assembly | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
File created | C:\Windows\assembly\Desktop.ini | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | hits
3584 | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe | 4
2504 | sysmon.exe | 4
4992 | sysmon.exe | 52
2108 | File.exe | 2
4928 | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe | 2
Suspicious behavior: RenamesItself (1 IoC)
pid | Process
4928 | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3584 | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Token: 33 | 3584 | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Token: SeIncBasePriorityPrivilege | 3584 | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Token: SeDebugPrivilege | 2108 | File.exe
Token: SeDebugPrivilege | 2504 | sysmon.exe
Token: 33 | 2504 | sysmon.exe
Token: SeIncBasePriorityPrivilege | 2504 | sysmon.exe
Token: SeDebugPrivilege | 224 | File.exe
Token: SeDebugPrivilege | 4992 | sysmon.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4992 | sysmon.exe
Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | Process | procid_target | hits
PID 3584 wrote to memory of 2108 | 3584 | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe | 82 | 3
PID 3584 wrote to memory of 4928 | 3584 | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe | 83 | 8
PID 4928 wrote to memory of 2504 | 4928 | 15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe | 86 | 3
PID 2504 wrote to memory of 224 | 2504 | sysmon.exe | 87 | 3
PID 2504 wrote to memory of 4992 | 2504 | sysmon.exe | 88 | 8
PID 4992 wrote to memory of 2108 | 4992 | sysmon.exe | 82 | 5
PID 4992 wrote to memory of 4928 | 4992 | sysmon.exe | 83 | 5
Processes

1. C:\Users\Admin\AppData\Local\Temp\15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe"
   - Checks computer location settings
   - Drops desktop.ini file(s)
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 3584

   2. C:\Users\Admin\AppData\Local\Temp\File.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2108

   2. C:\Users\Admin\AppData\Local\Temp\15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      PID: 4928

      3. C:\ProgramData\285414\sysmon.exe
         Command line: "C:\ProgramData\285414\sysmon.exe"
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 2504

         4. C:\Users\Admin\AppData\Local\Temp\File.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 224

         4. C:\ProgramData\285414\sysmon.exe
            Command line: C:\ProgramData\285414\sysmon.exe
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 4992
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe.log
Filesize319B
MD5824ba7b7eed8b900a98dd25129c4cd83
SHA154478770b2158000ef365591d42977cb854453a1
SHA256d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03
SHA512ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e

Filesize: 787KB
MD5: 67f9e88c73d954bc23235a1d00bd2d2a
SHA1: 0990308a9ebb602900e8a77615906d5b669792eb
SHA256: 8f9af964f56025b65831a1d2b9b66475423cee2e255ef6bd240955685c92bfbc
SHA512: a3a4df2d6972c057b6da54fd18ac803368aa98a7e1e07e859d3c36585040f300537a27e508924f2a212a87119e2219031277a015c7e9db70ac0935778d58bf92

Filesize: 52KB
MD5: a64daca3cfbcd039df3ec29d3eddd001
SHA1: eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256: 403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512: b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479