Analysis

  • max time kernel
    152s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2022 16:14

General

  • Target

    fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe

  • Size

    137KB

  • MD5

    46f5fb806140c5da4c67328fb848cb7d

  • SHA1

    59b63fe6fbe0021359f6031d7385396b1a771a06

  • SHA256

    fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38

  • SHA512

    941cf87101fc3fd880e12cf50702c8ce756a5909a13ae3ad14ffba026f08aca065d7eb058659cd5b16fd09bd2c2f275d2138d68a3dbd71b1c1ff5272d6d5f12a

  • SSDEEP

    3072:BZQcPoOSj4Nohwz83RPXCyjHr0Aot4REQ7AvRjLNfxmm9on:0cPoOSjwz8hPXtjL0/H5bNI

Score
10/10

Malware Config

Signatures

  • Luminosity 2 IoCs

    Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe
    "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"
    1⤵
    • Luminosity
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe
      "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:612
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Update\GetSummonersName" /XML "C:\Users\Admin\AppData\Roaming\umbpfl.xml"
      2⤵
      • Luminosity
      • Creates scheduled task(s)
      PID:4480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\PEVerify.exe" "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4380
      • C:\Users\Admin\AppData\Roaming\PEVerify.exe
        "C:\Users\Admin\AppData\Roaming\PEVerify.exe" "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5028

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\PEVerify.exe

    Filesize

    25KB

    MD5

    355581beb5aab77d21ad5e09f68e920b

    SHA1

    a016be13c445790c8c8920607ddecb6c5513d6ec

    SHA256

    0bc99fbab8adae751eff3d0bdd63a6e78fbbbed242e4e6f6d45ec89f66428752

    SHA512

    60d799229d677b08237fa8840a667ea092050013752f1524c96d44f49cf44fb781a41edefdb63849068c3b3c3b913b19b57b770adf3fc7465aa52db81fd0cce8

  • C:\Users\Admin\AppData\Roaming\umbpfl.xml

    Filesize

    1KB

    MD5

    87999fbc60ac43deb2aa71f78a65adf0

    SHA1

    ec6596ee9a4d2bccda3e9148731876df22ea4bd5

    SHA256

    7d80152fc9365a488cc32be54b7daa4da4a796bfb29588935e8bca5532c185f7

    SHA512

    2487ba7a0ac294db0c79d119b56a91e8fc877cd4900c22d990d81e7334cb0d838fb7a965f499be643e1830233a1c370c55ad9bcf5d4b9f65b25679a08f004027

  • memory/612-135-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

  • memory/612-137-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

  • memory/612-134-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4236-136-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

  • memory/4236-132-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

  • memory/5028-144-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB

  • memory/5028-145-0x0000000075160000-0x0000000075711000-memory.dmp

    Filesize

    5.7MB