Analysis
-
max time kernel
152s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 22:30
Static task
static1
Behavioral task
behavioral1
Sample
13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
Resource
win10v2004-20220901-en
General
-
Target
13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe
-
Size
320KB
-
MD5
6c4bdfefea58c80aa75fbd60517771ee
-
SHA1
fc2b61c9d7d2e2a20aaf0efd7a7f6419608d0181
-
SHA256
13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731
-
SHA512
4bd68f43060082efb3858794eafb183acd6143184ee54f8c35055c7d7b6fafbbd5a42c7be532a10a317f9b67b0a32d8ccde08dabecdbdad7462012374d0db3e0
-
SSDEEP
6144:EKkdLgjO+EQT1XZqJWi+2NsQuM/L6R1RbKfmhH3TX82ZmhXIWgNkHbSO147qPsP:EKkVgjT5Zv2seuxK+hXT/Zm2CWO14mP+
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" sysmon.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\995290\\sysmon.exe\"" sysmon.exe -
Executes dropped EXE 2 IoCs
pid Process 4772 sysmon.exe 2648 sysmon.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\995290\\sysmon.exe\"" sysmon.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\clientsvr.exe sysmon.exe File created C:\Windows\SysWOW64\clientsvr.exe sysmon.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4800 set thread context of 4972 4800 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 80 PID 4772 set thread context of 2648 4772 sysmon.exe 87 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 4972 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 4972 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 4772 sysmon.exe 4772 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 4800 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 4800 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe 2648 sysmon.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4972 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4800 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe Token: SeDebugPrivilege 4772 sysmon.exe Token: SeDebugPrivilege 2648 sysmon.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2648 sysmon.exe -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 4800 wrote to memory of 4972 4800 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 80 PID 4800 wrote to memory of 4972 4800 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 80 PID 4800 wrote to memory of 4972 4800 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 80 PID 4800 wrote to memory of 4972 4800 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 80 PID 4800 wrote to memory of 4972 4800 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 80 PID 4800 wrote to memory of 4972 4800 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 80 PID 4800 wrote to memory of 4972 4800 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 80 PID 4800 wrote to memory of 4972 4800 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 80 PID 4972 wrote to memory of 4772 4972 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 81 PID 4972 wrote to memory of 4772 4972 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 81 PID 4972 wrote to memory of 4772 4972 13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe 81 PID 4772 wrote to memory of 2648 4772 sysmon.exe 87 PID 4772 wrote to memory of 2648 4772 sysmon.exe 87 PID 4772 wrote to memory of 2648 4772 sysmon.exe 87 PID 4772 wrote to memory of 2648 4772 sysmon.exe 87 PID 4772 wrote to memory of 2648 4772 sysmon.exe 87 PID 4772 wrote to memory of 2648 4772 sysmon.exe 87 PID 4772 wrote to memory of 2648 4772 sysmon.exe 87 PID 4772 wrote to memory of 2648 4772 sysmon.exe 87 PID 2648 wrote to memory of 4972 2648 sysmon.exe 80 PID 2648 wrote to memory of 4972 2648 sysmon.exe 80 PID 2648 wrote to memory of 4972 2648 sysmon.exe 80 PID 2648 wrote to memory of 4972 2648 sysmon.exe 80 PID 2648 wrote to memory of 4972 2648 sysmon.exe 80 PID 2648 wrote to memory of 4772 2648 sysmon.exe 81 PID 2648 wrote to memory of 4772 2648 sysmon.exe 81 PID 2648 wrote to memory of 4772 2648 sysmon.exe 81 PID 2648 wrote to memory of 4772 2648 sysmon.exe 81 PID 2648 wrote to memory of 4772 2648 sysmon.exe 81 PID 2648 wrote to memory of 4800 2648 sysmon.exe 79 PID 2648 wrote to memory of 4800 2648 sysmon.exe 79 PID 2648 wrote to memory of 4800 2648 sysmon.exe 79 PID 2648 wrote to memory of 4800 2648 sysmon.exe 79 PID 2648 wrote to memory of 4800 2648 sysmon.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe"C:\Users\Admin\AppData\Local\Temp\13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Users\Admin\AppData\Local\Temp\13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe"C:\Users\Admin\AppData\Local\Temp\13555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\ProgramData\995290\sysmon.exe"C:\ProgramData\995290\sysmon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\ProgramData\995290\sysmon.exe"C:\ProgramData\995290\sysmon.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
320KB
MD56c4bdfefea58c80aa75fbd60517771ee
SHA1fc2b61c9d7d2e2a20aaf0efd7a7f6419608d0181
SHA25613555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731
SHA5124bd68f43060082efb3858794eafb183acd6143184ee54f8c35055c7d7b6fafbbd5a42c7be532a10a317f9b67b0a32d8ccde08dabecdbdad7462012374d0db3e0
-
Filesize
320KB
MD56c4bdfefea58c80aa75fbd60517771ee
SHA1fc2b61c9d7d2e2a20aaf0efd7a7f6419608d0181
SHA25613555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731
SHA5124bd68f43060082efb3858794eafb183acd6143184ee54f8c35055c7d7b6fafbbd5a42c7be532a10a317f9b67b0a32d8ccde08dabecdbdad7462012374d0db3e0
-
Filesize
320KB
MD56c4bdfefea58c80aa75fbd60517771ee
SHA1fc2b61c9d7d2e2a20aaf0efd7a7f6419608d0181
SHA25613555c418c3ba30588aa27a66714f5c091dc1abba859ce7d6d144268833e1731
SHA5124bd68f43060082efb3858794eafb183acd6143184ee54f8c35055c7d7b6fafbbd5a42c7be532a10a317f9b67b0a32d8ccde08dabecdbdad7462012374d0db3e0