Analysis
-
max time kernel
165s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 22:08
Static task
static1
Behavioral task
behavioral1
Sample
c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe
Resource
win10v2004-20220812-en
General
-
Target
c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe
-
Size
420KB
-
MD5
082511600ec66244ec7ffe1a57c6f6ea
-
SHA1
f7a942011e8969fde4e196f496b497a5694e747f
-
SHA256
c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6
-
SHA512
3d8dbb120d10243af503f0d24ea225b281919046db21ac0f6cd980480d8e4e41ac5a53a1904011ac9161893c1cf550cdbf1cd7b9dca2c7e605475da84e839ea0
-
SSDEEP
12288:NWmWT0MI9WCedrA70Hd6lHnBhqITb3bDTt0BiOLzu3WT:MmWTE9WCSrGdtBtTbOBQ3
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" sysmon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\394723\\sysmon.exe\"" sysmon.exe -
Executes dropped EXE 2 IoCs
pid Process 1188 sysmon.exe 2744 sysmon.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\394723\\sysmon.exe\"" sysmon.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\clientsvr.exe sysmon.exe File opened for modification C:\Windows\SysWOW64\clientsvr.exe sysmon.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 516 set thread context of 2072 516 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 81 PID 1188 set thread context of 2744 1188 sysmon.exe 84 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2072 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 2072 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe 2744 sysmon.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2072 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2744 sysmon.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2744 sysmon.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 516 wrote to memory of 2072 516 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 81 PID 516 wrote to memory of 2072 516 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 81 PID 516 wrote to memory of 2072 516 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 81 PID 516 wrote to memory of 2072 516 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 81 PID 516 wrote to memory of 2072 516 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 81 PID 516 wrote to memory of 2072 516 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 81 PID 516 wrote to memory of 2072 516 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 81 PID 516 wrote to memory of 2072 516 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 81 PID 2072 wrote to memory of 1188 2072 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 83 PID 2072 wrote to memory of 1188 2072 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 83 PID 2072 wrote to memory of 1188 2072 c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe 83 PID 1188 wrote to memory of 2744 1188 sysmon.exe 84 PID 1188 wrote to memory of 2744 1188 sysmon.exe 84 PID 1188 wrote to memory of 2744 1188 sysmon.exe 84 PID 1188 wrote to memory of 2744 1188 sysmon.exe 84 PID 1188 wrote to memory of 2744 1188 sysmon.exe 84 PID 1188 wrote to memory of 2744 1188 sysmon.exe 84 PID 1188 wrote to memory of 2744 1188 sysmon.exe 84 PID 1188 wrote to memory of 2744 1188 sysmon.exe 84 PID 2744 wrote to memory of 2072 2744 sysmon.exe 81 PID 2744 wrote to memory of 2072 2744 sysmon.exe 81 PID 2744 wrote to memory of 2072 2744 sysmon.exe 81 PID 2744 wrote to memory of 2072 2744 sysmon.exe 81 PID 2744 wrote to memory of 2072 2744 sysmon.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe"C:\Users\Admin\AppData\Local\Temp\c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Users\Admin\AppData\Local\Temp\c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe"C:\Users\Admin\AppData\Local\Temp\c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\ProgramData\394723\sysmon.exe"C:\ProgramData\394723\sysmon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\ProgramData\394723\sysmon.exe"C:\ProgramData\394723\sysmon.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
420KB
MD5082511600ec66244ec7ffe1a57c6f6ea
SHA1f7a942011e8969fde4e196f496b497a5694e747f
SHA256c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6
SHA5123d8dbb120d10243af503f0d24ea225b281919046db21ac0f6cd980480d8e4e41ac5a53a1904011ac9161893c1cf550cdbf1cd7b9dca2c7e605475da84e839ea0
-
Filesize
420KB
MD5082511600ec66244ec7ffe1a57c6f6ea
SHA1f7a942011e8969fde4e196f496b497a5694e747f
SHA256c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6
SHA5123d8dbb120d10243af503f0d24ea225b281919046db21ac0f6cd980480d8e4e41ac5a53a1904011ac9161893c1cf550cdbf1cd7b9dca2c7e605475da84e839ea0
-
Filesize
420KB
MD5082511600ec66244ec7ffe1a57c6f6ea
SHA1f7a942011e8969fde4e196f496b497a5694e747f
SHA256c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6
SHA5123d8dbb120d10243af503f0d24ea225b281919046db21ac0f6cd980480d8e4e41ac5a53a1904011ac9161893c1cf550cdbf1cd7b9dca2c7e605475da84e839ea0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\c4c2fe92cb601c0cc6ac87b5541d7c1a462801942475351c4dfda26296faefa6.exe.log
Filesize411B
MD539582d3351c79bbe6b34c92b86bb2e15
SHA10a5bc37313778570ffd8b7664fd04380446641f3
SHA256a77ea8a3f342c18bc35e84d0c0255345ae259f80dd9ac4837760e5e4d5f593aa
SHA5124e6acca2e4fd55d3dcdcaba0155364dcf17924113f23bb58c895e0119a79906f4e3fd1950d1dbb405cc02509373a1e2057a46dbc364189779ae96abb19214283