Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
26-11-2022 22:06
General
-
Target
66d60762a72239205e4dc4e2c3d2e662ae6462b9d675c094e5a6d771fe11a809.exe
-
Size
222KB
-
MD5
88a5eebc648221d89ee054dd1df207be
-
SHA1
ae66fdee2af58dca79f43e598421af3fa407bfab
-
SHA256
66d60762a72239205e4dc4e2c3d2e662ae6462b9d675c094e5a6d771fe11a809
-
SHA512
d306013c406131cdc3623322e37f0ef2f98afa023444c2d5fd30a69813524169264aa85eb8781e8fa207c3858afbd6c8093fb77385c71fe730ee6ac3d8c7dbb9
-
SSDEEP
3072:8U4f+fkjZt7fF0L2vMCDiu0Y8RxwLRMcR9aBeWvfxLWDwMeWJ2NJucbPvJ1nlYZC:81i+f3uBmLbR9JWJWtJYJuEvPr
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\66d60762a72239205e4dc4e2c3d2e662ae6462b9d675c094e5a6d771fe11a809.exe"C:\Users\Admin\AppData\Local\Temp\66d60762a72239205e4dc4e2c3d2e662ae6462b9d675c094e5a6d771fe11a809.exe"1⤵
- Checks computer location settings
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\527263\defup.exe"C:\ProgramData\527263\defup.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
222KB
MD588a5eebc648221d89ee054dd1df207be
SHA1ae66fdee2af58dca79f43e598421af3fa407bfab
SHA25666d60762a72239205e4dc4e2c3d2e662ae6462b9d675c094e5a6d771fe11a809
SHA512d306013c406131cdc3623322e37f0ef2f98afa023444c2d5fd30a69813524169264aa85eb8781e8fa207c3858afbd6c8093fb77385c71fe730ee6ac3d8c7dbb9
-
Filesize
222KB
MD588a5eebc648221d89ee054dd1df207be
SHA1ae66fdee2af58dca79f43e598421af3fa407bfab
SHA25666d60762a72239205e4dc4e2c3d2e662ae6462b9d675c094e5a6d771fe11a809
SHA512d306013c406131cdc3623322e37f0ef2f98afa023444c2d5fd30a69813524169264aa85eb8781e8fa207c3858afbd6c8093fb77385c71fe730ee6ac3d8c7dbb9
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB