Analysis
-
max time kernel
199s -
max time network
206s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-11-2022 23:07
General
-
Target
1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe
-
Size
365KB
-
MD5
d1de202b733c21c1c1a972d27dd3332d
-
SHA1
f694ed67d9923bfbd05d9d04b476b9f96c87b9d4
-
SHA256
1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0
-
SHA512
8fb320aa3687e2cf8fc7b60d2e42b95b64ce4e9cd2c31eda94b9c7f79df300a879df9fdbdc24ecd9b73b4312991177c3829b6b053862a76c69461d1006d3705a
-
SSDEEP
6144:WXV+JnRQtCJmM+mKwYpzyAtmLbR9JWJW0lU3hJ272Ja2P4337MqjrEVGPjk7ngIk:eAROuRvEala2P4brEyjk7ngYsP
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe"C:\Users\Admin\AppData\Local\Temp\1c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\441201\dllnh.exe"C:\ProgramData\441201\dllnh.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\441201\dllnh.exeFilesize
365KB
MD5d1de202b733c21c1c1a972d27dd3332d
SHA1f694ed67d9923bfbd05d9d04b476b9f96c87b9d4
SHA2561c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0
SHA5128fb320aa3687e2cf8fc7b60d2e42b95b64ce4e9cd2c31eda94b9c7f79df300a879df9fdbdc24ecd9b73b4312991177c3829b6b053862a76c69461d1006d3705a
-
C:\ProgramData\441201\dllnh.exeFilesize
365KB
MD5d1de202b733c21c1c1a972d27dd3332d
SHA1f694ed67d9923bfbd05d9d04b476b9f96c87b9d4
SHA2561c1a3ff73a2792558b5828fe6b0e16dc195391b76e51ee3002b0641c4414e9c0
SHA5128fb320aa3687e2cf8fc7b60d2e42b95b64ce4e9cd2c31eda94b9c7f79df300a879df9fdbdc24ecd9b73b4312991177c3829b6b053862a76c69461d1006d3705a
-
memory/2560-132-0x0000000075360000-0x0000000075911000-memory.dmpFilesize
5.7MB
-
memory/2560-133-0x0000000075360000-0x0000000075911000-memory.dmpFilesize
5.7MB
-
memory/2560-139-0x00000000068A0000-0x00000000068B7000-memory.dmpFilesize
92KB
-
memory/2560-140-0x00000000068A0000-0x00000000068B7000-memory.dmpFilesize
92KB
-
memory/2560-137-0x00000000068A0000-0x00000000068B7000-memory.dmpFilesize
92KB
-
memory/2560-142-0x0000000075360000-0x0000000075911000-memory.dmpFilesize
5.7MB
-
memory/4820-134-0x0000000000000000-mapping.dmp
-
memory/4820-138-0x0000000075360000-0x0000000075911000-memory.dmpFilesize
5.7MB
-
memory/4820-141-0x0000000075360000-0x0000000075911000-memory.dmpFilesize
5.7MB