Analysis
-
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 22:10
-
Static task: static1
Behavioral task: behavioral1
  Sample: 2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe
  Resource: win10v2004-20221111-en
General
-
Target: 2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe
Size: 195KB
MD5: 21dd8986af501f9fc28baabd8e186870
SHA1: 1eda9f8e2692e61fbff86edc148339ca94790aaf
SHA256: 2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd
SHA512: c3e063be0ad9e06097f36c06e74c126c871828a463b46046265092afb176bcde8c9e90019dfdb157562918cf580c7c075cdac34a2bed8998e81ec449c410f29a
SSDEEP: 6144:0aBUduaP4zzzVooBIwf1Jd+X5RU6UPxhBIP:VfaSJH5IzU6UPXB
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\479666\\csrd.exe\"" | csrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | csrd.exe
-
Executes dropped EXE (5 IoCs)
pid | Process
1760 | csrd.exe
1576 | csrd.exe
916 | csrd.exe
1468 | csrd.exe
1404 | csrd.exe
-
Loads dropped DLL (11 IoCs)
pid | Process
848 | 2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe
1760 | csrd.exe (repeated 7 times)
1404 | csrd.exe (repeated 3 times)
-
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\csrdLink = "\"C:\\ProgramData\\479666\\csrd.exe\"" | csrd.exe
-
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\clientsvr.exe | csrd.exe
File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | csrd.exe
-
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1092 set thread context of 848 | 1092 | 2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe | 27
PID 1760 set thread context of 1404 | 1760 | csrd.exe | 33
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1760 | csrd.exe (repeated 6 times)
-
Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
848 | 2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1092 | 2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe
Token: SeDebugPrivilege | 1760 | csrd.exe
-
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1404 | csrd.exe
-
Suspicious use of WriteProcessMemory (52 IoCs)
description | pid | Process | procid_target
PID 1092 wrote to memory of 848 | 1092 | 2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe | 27 (repeated 12 times)
PID 848 wrote to memory of 1760 | 848 | 2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe | 29 (repeated 7 times)
PID 1760 wrote to memory of 1576 | 1760 | csrd.exe | 30 (repeated 7 times)
PID 1760 wrote to memory of 916 | 1760 | csrd.exe | 31 (repeated 7 times)
PID 1760 wrote to memory of 1468 | 1760 | csrd.exe | 32 (repeated 7 times)
PID 1760 wrote to memory of 1404 | 1760 | csrd.exe | 33 (repeated 12 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1092
  C:\Users\Admin\AppData\Local\Temp\2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe"
    - Loads dropped DLL
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID: 848
    C:\ProgramData\479666\csrd.exe (level 3)
      Command line: "C:\ProgramData\479666\csrd.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1760
      C:\ProgramData\479666\csrd.exe (level 4)
        Command line: "C:\ProgramData\479666\csrd.exe"
        - Executes dropped EXE
        PID: 1576
      C:\ProgramData\479666\csrd.exe (level 4)
        Command line: "C:\ProgramData\479666\csrd.exe"
        - Executes dropped EXE
        PID: 916
      C:\ProgramData\479666\csrd.exe (level 4)
        Command line: "C:\ProgramData\479666\csrd.exe"
        - Executes dropped EXE
        PID: 1468
      C:\ProgramData\479666\csrd.exe (level 4)
        Command line: "C:\ProgramData\479666\csrd.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of SetWindowsHookEx
        PID: 1404
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 195KB
MD5: 21dd8986af501f9fc28baabd8e186870
SHA1: 1eda9f8e2692e61fbff86edc148339ca94790aaf
SHA256: 2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd
SHA512: c3e063be0ad9e06097f36c06e74c126c871828a463b46046265092afb176bcde8c9e90019dfdb157562918cf580c7c075cdac34a2bed8998e81ec449c410f29a