Analysis
max time kernel: 193s
max time network: 248s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 13:57

Static task: static1

Behavioral task: behavioral1
Sample: ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe
Resource: win10v2004-20220812-en
General
Target: ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe
Size: 362KB
MD5: 6e3cf25df78c855156761cea3155462f
SHA1: 0e5af76cda2f4a4ffa22486b3a73ca80b36980b8
SHA256: ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42
SHA512: 85b4b69268a453659c7c28b2def0bc6c7e41bfb672425c6fd3dd9d23e92bbc744b1e388aa80d6a07ee4a315a8d2e300e0482a2a0b131f28605968db3abd66624
SSDEEP: 6144:y8LU7dZMuhAwR95/m7RmqJSkGWpYE/bmoSoZhN2i/0Qc2k0L9CZq:RU7diuhP1/oRTS8jmoXBsjh6wZq
Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" (process: helper.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\252276\\helper.exe\"" (process: helper.exe)
Executes dropped EXE (3 IoCs)
PID 3716: helper.exe
PID 5084: helper.exe
PID 2356: helper.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u70abLaaceN3n2w4 = "C:\\Users\\Admin\\AppData\\Roaming\\PBKimsnuPa5WIi3K\\BE2Y67Y4ku7k.exe" (process: ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u70abLaaceN3n2w4CY = "C:\\Users\\Admin\\AppData\\Roaming\\PBKimsnuPa5WIi3K\\CYC7naLTpRmH.exe" (process: helper.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Computer Helper = "\"C:\\ProgramData\\252276\\helper.exe\"" (process: helper.exe)
Drops file in System32 directory (2 IoCs)
File opened for modification: C:\Windows\SysWOW64\clientsvr.exe (process: helper.exe)
File created: C:\Windows\SysWOW64\clientsvr.exe (process: helper.exe)
Suspicious use of SetThreadContext (2 IoCs)
PID 3124 (ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe) set thread context of PID 4680 (procid_target: 81)
PID 3716 (helper.exe) set thread context of PID 2356 (procid_target: 84)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: RenamesItself (1 IoCs)
PID 4680: ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeDebugPrivilege, PID 3124 (ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe)
Token: SeDebugPrivilege, PID 3716 (helper.exe)
Token: SeDebugPrivilege, PID 2356 (helper.exe)
Suspicious use of SetWindowsHookEx (1 IoCs)
PID 2356: helper.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe"
    PID: 3124
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe"
      PID: 4680
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory

    [3] C:\ProgramData\252276\helper.exe
        command line: "C:\ProgramData\252276\helper.exe"
        PID: 3716
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\ProgramData\252276\helper.exe
          command line: "C:\ProgramData\252276\helper.exe"
          PID: 5084
          - Executes dropped EXE

      [4] C:\ProgramData\252276\helper.exe
          command line: "C:\ProgramData\252276\helper.exe"
          PID: 2356
          - Modifies WinLogon for persistence
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 362KB
MD5: 6e3cf25df78c855156761cea3155462f
SHA1: 0e5af76cda2f4a4ffa22486b3a73ca80b36980b8
SHA256: ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42
SHA512: 85b4b69268a453659c7c28b2def0bc6c7e41bfb672425c6fd3dd9d23e92bbc744b1e388aa80d6a07ee4a315a8d2e300e0482a2a0b131f28605968db3abd66624
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ab0c7b8675aa676dde1de0c67ebbcac22fec306dc969541289e285b06ac22f42.exe.log
Filesize: 400B
MD5: 0a9b4592cd49c3c21f6767c2dabda92f
SHA1: f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256: c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512: 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307