Analysis

  • max time kernel
    152s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 16:14

General

  • Target

    fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe

  • Size

    137KB

  • MD5

    46f5fb806140c5da4c67328fb848cb7d

  • SHA1

    59b63fe6fbe0021359f6031d7385396b1a771a06

  • SHA256

    fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38

  • SHA512

    941cf87101fc3fd880e12cf50702c8ce756a5909a13ae3ad14ffba026f08aca065d7eb058659cd5b16fd09bd2c2f275d2138d68a3dbd71b1c1ff5272d6d5f12a

  • SSDEEP

    3072:BZQcPoOSj4Nohwz83RPXCyjHr0Aot4REQ7AvRjLNfxmm9on:0cPoOSjwz8hPXtjL0/H5bNI

Score
10/10

Malware Config

Signatures

  • Luminosity

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe
    "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe
      "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1268
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Update\GetSummonersName" /XML "C:\Users\Admin\AppData\Roaming\knktoo.xml"
      2⤵
      • Creates scheduled task(s)
      PID:1008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\PEVerify.exe" "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe" & exit
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Users\Admin\AppData\Roaming\PEVerify.exe
        "C:\Users\Admin\AppData\Roaming\PEVerify.exe" "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:880

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\PEVerify.exe

    Filesize

    25KB

    MD5

    355581beb5aab77d21ad5e09f68e920b

    SHA1

    a016be13c445790c8c8920607ddecb6c5513d6ec

    SHA256

    0bc99fbab8adae751eff3d0bdd63a6e78fbbbed242e4e6f6d45ec89f66428752

    SHA512

    60d799229d677b08237fa8840a667ea092050013752f1524c96d44f49cf44fb781a41edefdb63849068c3b3c3b913b19b57b770adf3fc7465aa52db81fd0cce8

  • C:\Users\Admin\AppData\Roaming\PEVerify.exe

    Filesize

    25KB

    MD5

    355581beb5aab77d21ad5e09f68e920b

    SHA1

    a016be13c445790c8c8920607ddecb6c5513d6ec

    SHA256

    0bc99fbab8adae751eff3d0bdd63a6e78fbbbed242e4e6f6d45ec89f66428752

    SHA512

    60d799229d677b08237fa8840a667ea092050013752f1524c96d44f49cf44fb781a41edefdb63849068c3b3c3b913b19b57b770adf3fc7465aa52db81fd0cce8

  • C:\Users\Admin\AppData\Roaming\knktoo.xml

    Filesize

    1KB

    MD5

    5dcfe854b62383c3ca1783acc995a9e1

    SHA1

    d7ec539c1f9e6524e198e158cc8535521ad8cbf6

    SHA256

    96aae84318cb7a2c526b6662bcb8441af4d0cdce784cade86fe9df77204b9e52

    SHA512

    f5e6deb86a1e68fbfe6c80915914e26ac5c99c037049578850f064b06f31c7906c5d71cc9ae605050f05769e495d8adbdcc7adb48e427dbc388d4b92f71caada

  • \Users\Admin\AppData\Roaming\PEVerify.exe

    Filesize

    25KB

    MD5

    355581beb5aab77d21ad5e09f68e920b

    SHA1

    a016be13c445790c8c8920607ddecb6c5513d6ec

    SHA256

    0bc99fbab8adae751eff3d0bdd63a6e78fbbbed242e4e6f6d45ec89f66428752

    SHA512

    60d799229d677b08237fa8840a667ea092050013752f1524c96d44f49cf44fb781a41edefdb63849068c3b3c3b913b19b57b770adf3fc7465aa52db81fd0cce8

  • memory/880-80-0x00000000744B0000-0x0000000074A5B000-memory.dmp

    Filesize

    5.7MB

  • memory/880-79-0x00000000744B0000-0x0000000074A5B000-memory.dmp

    Filesize

    5.7MB

  • memory/912-71-0x00000000744B0000-0x0000000074A5B000-memory.dmp

    Filesize

    5.7MB

  • memory/912-55-0x00000000744B0000-0x0000000074A5B000-memory.dmp

    Filesize

    5.7MB

  • memory/912-54-0x0000000076091000-0x0000000076093000-memory.dmp

    Filesize

    8KB

  • memory/1268-66-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1268-70-0x00000000744B0000-0x0000000074A5B000-memory.dmp

    Filesize

    5.7MB

  • memory/1268-72-0x00000000744B0000-0x0000000074A5B000-memory.dmp

    Filesize

    5.7MB

  • memory/1268-57-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1268-56-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1268-59-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1268-64-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1268-61-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB