Analysis
-
max time kernel
152s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
26-11-2022 16:14
Static task
static1
Behavioral task
behavioral1
Sample
fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe
Resource
win10v2004-20220812-en
General
-
Target
fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe
-
Size
137KB
-
MD5
46f5fb806140c5da4c67328fb848cb7d
-
SHA1
59b63fe6fbe0021359f6031d7385396b1a771a06
-
SHA256
fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38
-
SHA512
941cf87101fc3fd880e12cf50702c8ce756a5909a13ae3ad14ffba026f08aca065d7eb058659cd5b16fd09bd2c2f275d2138d68a3dbd71b1c1ff5272d6d5f12a
-
SSDEEP
3072:BZQcPoOSj4Nohwz83RPXCyjHr0Aot4REQ7AvRjLNfxmm9on:0cPoOSjwz8hPXtjL0/H5bNI
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Executes dropped EXE 1 IoCs
pid Process 880 PEVerify.exe -
Loads dropped DLL 1 IoCs
pid Process 1552 cmd.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 912 set thread context of 1268 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 28 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1008 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 880 PEVerify.exe 880 PEVerify.exe 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe Token: SeDebugPrivilege 880 PEVerify.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1268 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 912 wrote to memory of 1268 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 28 PID 912 wrote to memory of 1268 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 28 PID 912 wrote to memory of 1268 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 28 PID 912 wrote to memory of 1268 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 28 PID 912 wrote to memory of 1268 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 28 PID 912 wrote to memory of 1268 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 28 PID 912 wrote to memory of 1268 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 28 PID 912 wrote to memory of 1268 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 28 PID 912 wrote to memory of 1268 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 28 PID 912 wrote to memory of 1008 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 29 PID 912 wrote to memory of 1008 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 29 PID 912 wrote to memory of 1008 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 29 PID 912 wrote to memory of 1008 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 29 PID 912 wrote to memory of 1552 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 32 PID 912 wrote to memory of 1552 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 32 PID 912 wrote to memory of 1552 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 32 PID 912 wrote to memory of 1552 912 fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe 32 PID 1552 wrote to memory of 880 1552 cmd.exe 34 PID 1552 wrote to memory of 880 1552 cmd.exe 34 PID 1552 wrote to memory of 880 1552 cmd.exe 34 PID 1552 wrote to memory of 880 1552 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"2⤵
- Suspicious use of SetWindowsHookEx
PID:1268
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Update\GetSummonersName" /XML "C:\Users\Admin\AppData\Roaming\knktoo.xml"2⤵
- Creates scheduled task(s)
PID:1008
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\PEVerify.exe" "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe" & exit2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Users\Admin\AppData\Roaming\PEVerify.exe"C:\Users\Admin\AppData\Roaming\PEVerify.exe" "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25KB
MD5355581beb5aab77d21ad5e09f68e920b
SHA1a016be13c445790c8c8920607ddecb6c5513d6ec
SHA2560bc99fbab8adae751eff3d0bdd63a6e78fbbbed242e4e6f6d45ec89f66428752
SHA51260d799229d677b08237fa8840a667ea092050013752f1524c96d44f49cf44fb781a41edefdb63849068c3b3c3b913b19b57b770adf3fc7465aa52db81fd0cce8
-
Filesize
25KB
MD5355581beb5aab77d21ad5e09f68e920b
SHA1a016be13c445790c8c8920607ddecb6c5513d6ec
SHA2560bc99fbab8adae751eff3d0bdd63a6e78fbbbed242e4e6f6d45ec89f66428752
SHA51260d799229d677b08237fa8840a667ea092050013752f1524c96d44f49cf44fb781a41edefdb63849068c3b3c3b913b19b57b770adf3fc7465aa52db81fd0cce8
-
Filesize
1KB
MD55dcfe854b62383c3ca1783acc995a9e1
SHA1d7ec539c1f9e6524e198e158cc8535521ad8cbf6
SHA25696aae84318cb7a2c526b6662bcb8441af4d0cdce784cade86fe9df77204b9e52
SHA512f5e6deb86a1e68fbfe6c80915914e26ac5c99c037049578850f064b06f31c7906c5d71cc9ae605050f05769e495d8adbdcc7adb48e427dbc388d4b92f71caada
-
Filesize
25KB
MD5355581beb5aab77d21ad5e09f68e920b
SHA1a016be13c445790c8c8920607ddecb6c5513d6ec
SHA2560bc99fbab8adae751eff3d0bdd63a6e78fbbbed242e4e6f6d45ec89f66428752
SHA51260d799229d677b08237fa8840a667ea092050013752f1524c96d44f49cf44fb781a41edefdb63849068c3b3c3b913b19b57b770adf3fc7465aa52db81fd0cce8