Analysis
max time kernel: 150s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 22:22
Static task: static1
Behavioral task: behavioral1
  Sample: 2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe
  Resource: win10v2004-20221111-en
General
Target: 2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe
Size: 275KB
MD5: 6d59d1accc909953d5cd432b00f2e76c
SHA1: eb20fecde052bcb04d125366c17ea70c30f32122
SHA256: 2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d
SHA512: 50c8ee12a132d9e7803024974e9a73ceb0ef9948f64d922a80d5c8c12b9356100ab72a0d4496d1d9a35c8d70eb28f612a907636608032c03571e8afc53b19add
SSDEEP: 6144:q3nDTWuBwEyoqMuOLOMVjHjNEy2/4moMkElP3tAi3lCCRNMxNF+:cnPWNEyoqMuAOMVjDNE/43+AYz
Malware Config
Signatures
Luminosity
Luminosity is a RAT family that was sold commercially while claiming to be a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | client.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\123277\\client.exe\"" | client.exe
Executes dropped EXE (6 IoCs)
pid | Process
1032 | client.exe
1228 | client.exe
932 | client.exe
1720 | client.exe
1572 | client.exe
1632 | client.exe

Loads dropped DLL (7 IoCs)
pid | Process
1116 | 2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe (2 entries)
1032 | client.exe (5 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Luminosity Client = "\"C:\\ProgramData\\123277\\client.exe\"" | client.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\clientsvr.exe | client.exe
File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | client.exe

Suspicious use of SetThreadContext (5 IoCs)
description | pid | Process | procid_target
PID 1468 set thread context of 1116 | 1468 | 2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe | 27
PID 1032 set thread context of 932 | 1032 | client.exe | 31
PID 1032 set thread context of 1720 | 1032 | client.exe | 32
PID 1032 set thread context of 1572 | 1032 | client.exe | 33
PID 1032 set thread context of 1632 | 1032 | client.exe | 34

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
1032 | client.exe (3 entries)
932 | client.exe (7 entries)
1468 | 2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe (2 entries)

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
1116 | 2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1468 | 2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe
Token: SeDebugPrivilege | 1032 | client.exe
Token: SeDebugPrivilege | 932 | client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
932 | client.exe

Suspicious use of WriteProcessMemory (58 IoCs; identical rows grouped with their counts)
description | pid | Process | procid_target
PID 1468 wrote to memory of 1116 | 1468 | 2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe | 27 (9 entries)
PID 1116 wrote to memory of 1032 | 1116 | 2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe | 29 (4 entries)
PID 1032 wrote to memory of 1228 | 1032 | client.exe | 30 (4 entries)
PID 1032 wrote to memory of 932 | 1032 | client.exe | 31 (9 entries)
PID 932 wrote to memory of 1032 | 932 | client.exe | 29 (5 entries)
PID 1032 wrote to memory of 1720 | 1032 | client.exe | 32 (9 entries)
PID 1032 wrote to memory of 1572 | 1032 | client.exe | 33 (9 entries)
PID 1032 wrote to memory of 1632 | 1032 | client.exe | 34 (9 entries)
Processes (indentation shows the parent/child depth of the process tree)

1. C:\Users\Admin\AppData\Local\Temp\2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe"
   PID: 1468
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d.exe"
      PID: 1116
      - Loads dropped DLL
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory

      3. C:\ProgramData\123277\client.exe
         Command line: "C:\ProgramData\123277\client.exe"
         PID: 1032
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\ProgramData\123277\client.exe
            Command line: "C:\ProgramData\123277\client.exe"
            PID: 1228
            - Executes dropped EXE

         4. C:\ProgramData\123277\client.exe
            Command line: "C:\ProgramData\123277\client.exe"
            PID: 932
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

         4. C:\ProgramData\123277\client.exe
            Command line: "C:\ProgramData\123277\client.exe"
            PID: 1720
            - Executes dropped EXE

         4. C:\ProgramData\123277\client.exe
            Command line: "C:\ProgramData\123277\client.exe"
            PID: 1572
            - Executes dropped EXE

         4. C:\ProgramData\123277\client.exe
            Command line: "C:\ProgramData\123277\client.exe"
            PID: 1632
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 275KB
MD5: 6d59d1accc909953d5cd432b00f2e76c
SHA1: eb20fecde052bcb04d125366c17ea70c30f32122
SHA256: 2541c264f978c2a42ff31696ee4290a9c1a0e18c6734fda36736692bb514205d
SHA512: 50c8ee12a132d9e7803024974e9a73ceb0ef9948f64d922a80d5c8c12b9356100ab72a0d4496d1d9a35c8d70eb28f612a907636608032c03571e8afc53b19add