Analysis

max time kernel: 149s
max time network: 156s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 22:22

Static task: static1

Behavioral task: behavioral1
Sample: faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe
Resource: win10v2004-20220812-en
General

Target: faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe
Size: 1.3MB
MD5: 7374806d72b5da2104c65ac32d0459d1
SHA1: 87fd7d69c3d55b2e37cc2ac88f4bcb23f641a6a9
SHA256: faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3
SHA512: b633ac38f8ce8b7cd840f2671d0a51e200a611d400df01c3f32d444752e9d6aa72a5d994fdb89ab2f2d146149566742a9736b1923ed5af225ea2299f65629b28
SSDEEP: 24576:LYAMeEYhr2HqCKGEGQkwYMiaPeH2jj5zksQF0fR0y1bx4b3DZ:UOS7tE+5TITlgL0fiy74bzZ
Malware Config
Signatures
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | sysmon.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\391400\\sysmon.exe\"" | sysmon.exe

Executes dropped EXE (2 IoCs)
pid | Process
- 364 | sysmon.exe
- 1548 | sysmon.exe

Loads dropped DLL (2 IoCs)
pid | Process
- 1612 | faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe
- 1612 | faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\391400\\sysmon.exe\"" | sysmon.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\clientsvr.exe | sysmon.exe
- File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | sysmon.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
- PID 1972 set thread context of 1612 | 1972 | faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe | 28
- PID 364 set thread context of 1548 | 364 | sysmon.exe | 31

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
- 1972 | faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe (4 occurrences)
- 364 | sysmon.exe (4 occurrences)
- 1548 | sysmon.exe (1 occurrence)

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
- 1612 | faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 1972 | faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe
- Token: 33 | 1972 | faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe
- Token: SeIncBasePriorityPrivilege | 1972 | faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe
- Token: SeDebugPrivilege | 364 | sysmon.exe
- Token: 33 | 364 | sysmon.exe
- Token: SeIncBasePriorityPrivilege | 364 | sysmon.exe
- Token: SeDebugPrivilege | 1548 | sysmon.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
- 1548 | sysmon.exe

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
- PID 1972 wrote to memory of 1612 | 1972 | faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe | 28 (9 occurrences)
- PID 1612 wrote to memory of 364 | 1612 | faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe | 30 (4 occurrences)
- PID 364 wrote to memory of 1548 | 364 | sysmon.exe | 31 (9 occurrences)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1972

Level 2 (child of PID 1972): C:\Users\Admin\AppData\Local\Temp\faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe
Command line: C:\Users\Admin\AppData\Local\Temp\faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3.exe
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID: 1612

Level 3 (child of PID 1612): C:\ProgramData\391400\sysmon.exe
Command line: "C:\ProgramData\391400\sysmon.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 364

Level 4 (child of PID 364): C:\ProgramData\391400\sysmon.exe
Command line: C:\ProgramData\391400\sysmon.exe
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1548
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.3MB
MD5: 7374806d72b5da2104c65ac32d0459d1
SHA1: 87fd7d69c3d55b2e37cc2ac88f4bcb23f641a6a9
SHA256: faed4a7405b67a9a4a2cd97e3348841ed960bafae6c0c7e191570b1d982630c3
SHA512: b633ac38f8ce8b7cd840f2671d0a51e200a611d400df01c3f32d444752e9d6aa72a5d994fdb89ab2f2d146149566742a9736b1923ed5af225ea2299f65629b28

Filesize: 52KB
MD5: 278edbd499374bf73621f8c1f969d894
SHA1: a81170af14747781c5f5f51bb1215893136f0bc0
SHA256: c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA512: 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9