Analysis
max time kernel: 199s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 23:07
Static task: static1
Behavioral task: behavioral1
  Sample: 1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2 (this report)
  Sample: 1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe
  Resource: win10v2004-20220812-en
General
Target: 1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe
Size: 365KB
MD5: d1de202b733c21c1c1a972d27dd3332d
SHA1: f694ed67d9923bfbd05d9d04b476b9f96c87b9d4
SHA256: 1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0
SHA512: 8fb320aa3687e2cf8fc7b60d2e42b95b64ce4e9cd2c31eda94b9c7f79df300a879df9fdbdc24ecd9b73b4312991177c3829b6b053862a76c69461d1006d3705a
SSDEEP: 6144:WXV+JnRQtCJmM+mKwYpzyAtmLbR9JWJW0lU3hJ272Ja2P4337MqjrEVGPjk7ngIk:eAROuRvEala2P4brEyjk7ngYsP
Malware Config
Signatures
Luminosity
Luminosity (LuminosityLink) is a RAT family that was sold commercially while being marketed as a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Process: dllnh.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = userinit.exe,"C:\Windows\system32\clientsvr.exe"
  Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = explorer.exe,"C:\ProgramData\441201\dllnh.exe"
Note that dllnh.exe runs under WOW64 on this x64 VM: its write to the machine Winlogon key was redirected to the WOW6432Node view, and its clientsvr.exe drop landed in C:\Windows\SysWOW64 (see "Drops file in System32 directory" below) although the Userinit value points at C:\Windows\system32. The 64-bit Winlogon reads the native key, so the Userinit entry is unlikely to run on this platform; the per-user shell value is not redirected and is the entry that gives durable persistence. On a 32-bit host neither redirection applies, so hunt for both the native and the WOW6432Node Userinit value and for clientsvr.exe under both system32 and SysWOW64.

Executes dropped EXE (1 IoC)
  PID 4820 dllnh.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence.
Process: 1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe
  Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 1 IoC)
Process: dllnh.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Systnh = "C:\ProgramData\441201\dllnh.exe"
A RunOnce value is removed once it has been executed, so this entry fires a single time at the next logon; the Winlogon shell value above is the mechanism that survives beyond that.

Drops file in System32 directory (2 IoCs)
Process: dllnh.exe
  File created C:\Windows\SysWOW64\clientsvr.exe
  File opened for modification C:\Windows\SysWOW64\clientsvr.exe
The file lands in C:\Windows\SysWOW64 rather than C:\Windows\system32 because WOW64 file-system redirection applies to a 32-bit process writing to the System32 directory.
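The three autostart writes above (Winlogon Userinit, Winlogon shell, RunOnce) can be checked against a clean baseline with a short script. The following is an added example written for this page, not code from the sandbox or from the malware: it runs offline over the registry values copied from the report plus one constructed clean baseline value. The baseline image names and directories, the list of user-writable locations and all function names are assumptions made here, not anything the report states.

```python
"""Flag non-default Winlogon Userinit/Shell commands and Run/RunOnce autostarts.
Added example for this page; the OBSERVED values are copied from the report
above, the clean baseline value is constructed, and the baseline sets are
assumptions about a default Windows 10 installation."""
import ntpath
import re
from typing import Dict, List, Tuple

# Image names Windows itself places in these values (assumption: default Win10).
WINLOGON_BASELINE = {"userinit": {"userinit.exe"}, "shell": {"explorer.exe"}}
# Directories those images legitimately live in; "" means no directory was given.
BASELINE_DIRS = {"", "c:\\windows\\system32"}
# Locations an unprivileged user can write to (heuristic, not exhaustive).
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


def split_winlogon_value(raw: str) -> List[str]:
    """Split a Winlogon Userinit/Shell REG_SZ into its comma-separated commands.
    Quoted entries may contain commas or spaces; the trailing comma that Windows
    leaves on the default Userinit value yields no entry."""
    parts = re.findall(r'"([^"]*)"|([^,]+)', raw)
    return [(quoted or bare).strip() for quoted, bare in parts if (quoted or bare).strip()]


def command_image(cmdline: str) -> str:
    """Return the executable from a Run/RunOnce command line (quoted or first token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def in_user_writable_dir(path: str) -> bool:
    """Heuristic: ProgramData, user profiles, AppData and Temp are user-writable."""
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in p or "\\temp\\" in p


def audit_autostart(values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """values maps 'KEY\\ValueName' -> REG_SZ data; returns (value, image, reason) findings."""
    findings = []
    for full_name, raw in values.items():
        key, _, value_name = full_name.rpartition("\\")
        subkey = key.rsplit("\\", 1)[-1].lower()
        if subkey == "winlogon" and value_name.lower() in WINLOGON_BASELINE:
            expected = WINLOGON_BASELINE[value_name.lower()]
            for entry in split_winlogon_value(raw):
                image = ntpath.basename(entry).lower()
                directory = ntpath.dirname(entry).lower()
                if image not in expected or directory not in BASELINE_DIRS:
                    findings.append((full_name, entry, "non-default Winlogon command"))
        elif subkey in ("run", "runonce"):
            image = command_image(raw)
            reason = ("autorun from user-writable directory" if in_user_writable_dir(image)
                      else "autorun entry")
            findings.append((full_name, image, reason))
    return findings


SID = "S-1-5-21-2629973501-4017243118-3254762364-1000"
OBSERVED = {
    # Written by dllnh.exe according to the report (WOW6432Node: the write was redirected).
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit":
        'userinit.exe,"C:\\Windows\\system32\\clientsvr.exe"',
    f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\shell":
        'explorer.exe,"C:\\ProgramData\\441201\\dllnh.exe"',
    f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Systnh":
        '"C:\\ProgramData\\441201\\dllnh.exe"',
    # Constructed clean value (the default native-view Userinit) for contrast.
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit":
        "C:\\Windows\\system32\\userinit.exe,",
}

if __name__ == "__main__":
    for value, image, reason in audit_autostart(OBSERVED):
        print(f"{reason}: {image}\n    at {value}")
```

Run against the values in this report the script reports clientsvr.exe and dllnh.exe as non-default Winlogon commands and the RunOnce entry as an autorun from a user-writable directory, while the constructed default Userinit value produces nothing. On a live host the same functions can be fed from a registry export or from both the native and WOW6432Node views of the Winlogon key; the directory check matters because a file named userinit.exe outside System32 would otherwise pass the basename comparison.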
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text describes this as likely ransomware behaviour; for a RAT it is equally consistent with enumerating drives for a remote file browser, so treat it as a weak indicator on its own.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4820 dllnh.exe (all but two of the 64 events)
  PID 2560 1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe (2 events)

Suspicious behavior: RenamesItself (1 IoC)
  PID 2560 1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4820 dllnh.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4820 dllnh.exe (SetWindowsHookEx is the usual API for installing keyboard and message hooks, consistent with a RAT's keylogging capability; the report does not record the hook type)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2560 1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe wrote to memory of PID 4820 dllnh.exe (3 events)
  PID 4820 dllnh.exe wrote to memory of PID 2560 1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe (5 events)
Processes
C:\Users\Admin\AppData\Local\Temp\1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe (PID 2560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\441201\dllnh.exe (PID 4820, child of PID 2560)
    Command line: "C:\ProgramData\441201\dllnh.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\441201\dllnh.exe (dropped file; the report lists this entry twice)
  Filesize: 365KB
  MD5: d1de202b733c21c1c1a972d27dd3332d
  SHA1: f694ed67d9923bfbd05d9d04b476b9f96c87b9d4
  SHA256: 1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0
  SHA512: 8fb320aa3687e2cf8fc7b60d2e42b95b64ce4e9cd2c31eda94b9c7f79df300a879df9fdbdc24ecd9b73b4312991177c3829b6b053862a76c69461d1006d3705a
  All hashes match the submitted sample, so dllnh.exe is a byte-for-byte copy of the original executable relocated to C:\ProgramData\441201\.

Memory dumps
  memory/2560-132-0x0000000075360000-0x0000000075911000-memory.dmp: 5.7MB
  memory/2560-133-0x0000000075360000-0x0000000075911000-memory.dmp: 5.7MB
  memory/2560-139-0x00000000068A0000-0x00000000068B7000-memory.dmp: 92KB
  memory/2560-140-0x00000000068A0000-0x00000000068B7000-memory.dmp: 92KB
  memory/2560-137-0x00000000068A0000-0x00000000068B7000-memory.dmp: 92KB
  memory/2560-142-0x0000000075360000-0x0000000075911000-memory.dmp: 5.7MB
  memory/4820-134-0x0000000000000000-mapping.dmp
  memory/4820-138-0x0000000075360000-0x0000000075911000-memory.dmp: 5.7MB
  memory/4820-141-0x0000000075360000-0x0000000075911000-memory.dmp: 5.7MB