Analysis
max time kernel
146s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted
26-11-2022 15:21
Static task
static1
Behavioral task
behavioral1
Sample
497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe
Resource
win10v2004-20220812-en
General
Target
497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe
Size
267KB
MD5
73189127106a82789164e3e2b83d4ce5
SHA1
221e08a774a46b84e36fa55aa0a82f10af813765
SHA256
497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035
SHA512
df9a1ca3ded719b59c5c74021635f02aeef9c0b1cb258e275f651eff63d59767ce38f3b45747767a0a1a961fac3b406d101ea4cc0e1c0d6599ce76305db94dba
SSDEEP
6144:5v+2p5fGOmQ2lBZnUnoJHwGYbf6JvMumZnRFgsWct8lXp:J+2p5pmQg5U6HCSdmZR2otk5
Malware Config
Signatures

Luminosity
LuminosityLink is a RAT family that was sold commercially while being marketed as a legitimate system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = userinit.exe,"C:\Windows\system32\clientsvr.exe" | helper.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = explorer.exe,"C:\ProgramData\265367\helper.exe" | helper.exe
Note: helper.exe runs as a 32-bit process under WoW64, which is why the Userinit write landed in the Wow6432Node view of the key and the dropped clientsvr.exe landed in C:\Windows\SysWOW64 (see the System32 drop entry below) rather than at the C:\Windows\system32 path the value references. On this x64 image the 64-bit winlogon.exe reads the native (non-Wow6432Node) key, so when hunting on 64-bit hosts inspect both views of Winlogon\Userinit, and treat the per-user Shell value and the RunOnce entry as the reliable indicators of this sample's persistence.
Executes dropped EXE (2 IoCs)
pid | Process
1092 | helper.exe
1972 | helper.exe

Loads dropped DLL (2 IoCs)
pid | Process
980 | 497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe
980 | 497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Computer Helper = "C:\ProgramData\265367\helper.exe" | helper.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\clientsvr.exe | helper.exe
File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | helper.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1380 set thread context of 980 | 1380 | 497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe | 27
PID 1092 set thread context of 1972 | 1092 | helper.exe | 30
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "Likely ransomware behaviour", but for a RAT such as Luminosity drive enumeration is ordinary host and file-manager reconnaissance, and nothing else in this report (no mass file modification, no dropped ransom note, no renamed user files) supports a ransomware reading.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process | count
1972 | helper.exe | 5
1380 | 497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe | 1

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
980 | 497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1380 | 497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe
Token: SeDebugPrivilege | 1092 | helper.exe
Token: SeDebugPrivilege | 1972 | helper.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1972 | helper.exe

Suspicious use of WriteProcessMemory (27 IoCs; the sandbox records one entry per call, collapsed here with counts)
description | pid | Process | procid_target | count
PID 1380 wrote to memory of 980 | 1380 | 497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe | 27 | 9
PID 980 wrote to memory of 1092 | 980 | 497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe | 29 | 4
PID 1092 wrote to memory of 1972 | 1092 | helper.exe | 30 | 9
PID 1972 wrote to memory of 1380 | 1972 | helper.exe | 26 | 5
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe"
  PID: 1380
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2, child of 1380] C:\Users\Admin\AppData\Local\Temp\497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe"
    PID: 980
    - Loads dropped DLL
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    [depth 3, child of 980] C:\ProgramData\265367\helper.exe
      command line: "C:\ProgramData\265367\helper.exe"
      PID: 1092
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [depth 4, child of 1092] C:\ProgramData\265367\helper.exe
        command line: "C:\ProgramData\265367\helper.exe"
        PID: 1972
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
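The process tree and the SetThreadContext / WriteProcessMemory records together describe a two-stage chain: the sample re-launches its own image and rewrites it (1380 into 980), the injected instance drops and starts helper.exe (980 into 1092), helper.exe repeats the trick on a second copy of itself (1092 into 1972), and the final stage writes back into the original process (1972 into 1380). The following is an added example, not part of the sandbox report, that parses the report's own record wording and classifies each (source, target) pair against the tree. RAW_EVENTS regenerates the report's entries with their multiplicities (9, 4, 9 and 5 writes), PROCESS_TREE is transcribed from the Processes section, and the "suspected process hollowing" label is this example's heuristic: a parent that both sets the thread context of, and writes into, a child running its own image.

```python
"""Reconstruct the injection chain from the SetThreadContext and
WriteProcessMemory records in this report.

Added example, not part of the sandbox report. RAW_EVENTS regenerates the
report's records (same wording, same multiplicities) and PROCESS_TREE is
transcribed from the report's Processes section (pid, parent pid, image).
The hollowing label is a heuristic chosen for this example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = "497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035.exe"

# (pid, parent pid, image) as shown in the report's Processes section.
PROCESS_TREE: List[Tuple[int, Optional[int], str]] = [
    (1380, None, SAMPLE),
    (980, 1380, SAMPLE),
    (1092, 980, "helper.exe"),
    (1972, 1092, "helper.exe"),
]


def records(kind: str, src: int, dst: int, image: str, target: int, n: int) -> List[str]:
    """One record per API call, in the sandbox's own wording."""
    return [f"PID {src} {kind} {dst} {src} {image} {target}"] * n


RAW_EVENTS = (
    records("set thread context of", 1380, 980, SAMPLE, 27, 1)
    + records("set thread context of", 1092, 1972, "helper.exe", 30, 1)
    + records("wrote to memory of", 1380, 980, SAMPLE, 27, 9)
    + records("wrote to memory of", 980, 1092, SAMPLE, 29, 4)
    + records("wrote to memory of", 1092, 1972, "helper.exe", 30, 9)
    + records("wrote to memory of", 1972, 1380, "helper.exe", 26, 5)
)

RECORD = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\d+)")

HOLLOWING = "suspected process hollowing"
CHILD_TO_ANCESTOR = "child writes into ancestor"
PARENT_TO_CHILD = "parent writes into child"
UNRELATED = "write into unrelated process"

Pair = Tuple[int, int]


def parse(lines: List[str]) -> Tuple[Set[Pair], Counter]:
    """Return the set of (src, dst) SetThreadContext pairs and a per-pair
    count of WriteProcessMemory calls."""
    ctx: Set[Pair] = set()
    writes: Counter = Counter()
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue
        src, kind, dst = int(m.group(1)), m.group(2), int(m.group(3))
        if kind.startswith("set thread"):
            ctx.add((src, dst))
        else:
            writes[(src, dst)] += 1
    return ctx, writes


def ancestors(pid: int, parent: Dict[int, Optional[int]]) -> List[int]:
    """Walk the tree upwards from pid, nearest ancestor first."""
    chain: List[int] = []
    while parent.get(pid) is not None:
        pid = parent[pid]
        chain.append(pid)
    return chain


def classify(tree, ctx: Set[Pair], writes: Counter) -> Dict[Pair, str]:
    parent = {pid: ppid for pid, ppid, _ in tree}
    image = {pid: img for pid, _, img in tree}
    verdicts: Dict[Pair, str] = {}
    for src, dst in writes:
        if (src, dst) in ctx and parent.get(dst) == src and image.get(src) == image.get(dst):
            verdicts[(src, dst)] = HOLLOWING
        elif dst in ancestors(src, parent):
            verdicts[(src, dst)] = CHILD_TO_ANCESTOR
        elif parent.get(dst) == src:
            verdicts[(src, dst)] = PARENT_TO_CHILD
        else:
            verdicts[(src, dst)] = UNRELATED
    return verdicts


def report(tree, lines: List[str]) -> List[str]:
    ctx, writes = parse(lines)
    return [f"{s} -> {d}: {v} ({writes[(s, d)]} WriteProcessMemory calls)"
            for (s, d), v in sorted(classify(tree, ctx, writes).items())]


if __name__ == "__main__":
    for row in report(PROCESS_TREE, RAW_EVENTS):
        print(row)
```

For this report the classifier marks 1380 into 980 and 1092 into 1972 as hollowing candidates, 980 into 1092 as an ordinary parent-to-child write (the injected first stage starting the dropped helper.exe), and 1972 into 1380 as the unusual case of a grandchild writing into its ancestor, which is the pair worth looking at first when triaging a memory dump of PID 1380.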
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize
267KB
MD5
73189127106a82789164e3e2b83d4ce5
SHA1
221e08a774a46b84e36fa55aa0a82f10af813765
SHA256
497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035
SHA512
df9a1ca3ded719b59c5c74021635f02aeef9c0b1cb258e275f651eff63d59767ce38f3b45747767a0a1a961fac3b406d101ea4cc0e1c0d6599ce76305db94dba
(The report repeats this entry five times with identical hashes; every file offered for download from this run is therefore byte-for-byte the submitted sample.)
Filesize
267KB
MD573189127106a82789164e3e2b83d4ce5
SHA1221e08a774a46b84e36fa55aa0a82f10af813765
SHA256497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035
SHA512df9a1ca3ded719b59c5c74021635f02aeef9c0b1cb258e275f651eff63d59767ce38f3b45747767a0a1a961fac3b406d101ea4cc0e1c0d6599ce76305db94dba
-
Filesize
267KB
MD573189127106a82789164e3e2b83d4ce5
SHA1221e08a774a46b84e36fa55aa0a82f10af813765
SHA256497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035
SHA512df9a1ca3ded719b59c5c74021635f02aeef9c0b1cb258e275f651eff63d59767ce38f3b45747767a0a1a961fac3b406d101ea4cc0e1c0d6599ce76305db94dba
-
Filesize
267KB
MD573189127106a82789164e3e2b83d4ce5
SHA1221e08a774a46b84e36fa55aa0a82f10af813765
SHA256497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035
SHA512df9a1ca3ded719b59c5c74021635f02aeef9c0b1cb258e275f651eff63d59767ce38f3b45747767a0a1a961fac3b406d101ea4cc0e1c0d6599ce76305db94dba
-
Filesize
267KB
MD573189127106a82789164e3e2b83d4ce5
SHA1221e08a774a46b84e36fa55aa0a82f10af813765
SHA256497d69084c82c0578576fb2d90c1cac706325f3a9da8626aebdc69b3c9340035
SHA512df9a1ca3ded719b59c5c74021635f02aeef9c0b1cb258e275f651eff63d59767ce38f3b45747767a0a1a961fac3b406d101ea4cc0e1c0d6599ce76305db94dba