Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-11-2022 22:56
General
-
Target
b74aa3ea836a85ea0e646352f2216b8a834be47b002e04ba88259219a9c13829.exe
-
Size
365KB
-
MD5
51bc28907f8d8027e3121c3064ef60f6
-
SHA1
34eb9c2ae598062071362eb8acb06acafddb936a
-
SHA256
b74aa3ea836a85ea0e646352f2216b8a834be47b002e04ba88259219a9c13829
-
SHA512
81a68646a515d96c7c2c1bcf670c54631efbb605d867660086c096b52afa411040947b1f7712e90e93fca58491c7535a78be6c3bc3dd31ee46e551a730343d9c
-
SSDEEP
6144:WXV+JnRQtCJmM+mKwYpzyAtmLbR9JWJWJlU3hJ272Ja2P4337MqjrEVGPjk7ngIk:eAROuRvEPla2P4brEyjk7ngYsP
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b74aa3ea836a85ea0e646352f2216b8a834be47b002e04ba88259219a9c13829.exe"C:\Users\Admin\AppData\Local\Temp\b74aa3ea836a85ea0e646352f2216b8a834be47b002e04ba88259219a9c13829.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\178832\LiveChat.exe"C:\ProgramData\178832\LiveChat.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
365KB
MD551bc28907f8d8027e3121c3064ef60f6
SHA134eb9c2ae598062071362eb8acb06acafddb936a
SHA256b74aa3ea836a85ea0e646352f2216b8a834be47b002e04ba88259219a9c13829
SHA51281a68646a515d96c7c2c1bcf670c54631efbb605d867660086c096b52afa411040947b1f7712e90e93fca58491c7535a78be6c3bc3dd31ee46e551a730343d9c
-
Filesize
365KB
MD551bc28907f8d8027e3121c3064ef60f6
SHA134eb9c2ae598062071362eb8acb06acafddb936a
SHA256b74aa3ea836a85ea0e646352f2216b8a834be47b002e04ba88259219a9c13829
SHA51281a68646a515d96c7c2c1bcf670c54631efbb605d867660086c096b52afa411040947b1f7712e90e93fca58491c7535a78be6c3bc3dd31ee46e551a730343d9c
-
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
5.7MB