Analysis

max time kernel: 152s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 16:14
Static task: static1

Behavioral task: behavioral1
  Sample: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe
  Resource: win10v2004-20220812-en
General

Target: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe
Size: 137KB
MD5: 46f5fb806140c5da4c67328fb848cb7d
SHA1: 59b63fe6fbe0021359f6031d7385396b1a771a06
SHA256: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38
SHA512: 941cf87101fc3fd880e12cf50702c8ce756a5909a13ae3ad14ffba026f08aca065d7eb058659cd5b16fd09bd2c2f275d2138d68a3dbd71b1c1ff5272d6d5f12a
SSDEEP: 3072:BZQcPoOSj4Nohwz83RPXCyjHr0Aot4REQ7AvRjLNfxmm9on:0cPoOSjwz8hPXtjL0/H5bNI
Malware Config

Signatures

Luminosity 2 IoCs
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
  - Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\SystemCertificates\CA (Process: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe)
  - pid 4480, Process: schtasks.exe

Executes dropped EXE 1 IoCs
  - pid 5028, Process: PEVerify.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (Process: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe)

Suspicious use of SetThreadContext 1 IoCs
  - PID 4236 set thread context of 612 (pid 4236, Process: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe, procid_target 83)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid 4480, Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
  - pid 4236, Process: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe
  - pid 5028, Process: PEVerify.exe
  (all 64 entries are one of these two processes)
Suspicious use of AdjustPrivilegeToken 2 IoCs
  - Token: SeDebugPrivilege (pid 4236, Process: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe)
  - Token: SeDebugPrivilege (pid 5028, Process: PEVerify.exe)

Suspicious use of SetWindowsHookEx 1 IoCs
  - pid 612, Process: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe

Suspicious use of WriteProcessMemory 17 IoCs
  - PID 4236 wrote to memory of 612 (pid 4236, Process: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe, procid_target 83), 8 entries
  - PID 4236 wrote to memory of 4480 (pid 4236, Process: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe, procid_target 84), 3 entries
  - PID 4236 wrote to memory of 4380 (pid 4236, Process: fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe, procid_target 86), 3 entries
  - PID 4380 wrote to memory of 5028 (pid 4380, Process: cmd.exe, procid_target 88), 3 entries
Processes

C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe (depth 1, PID 4236)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"
  - Luminosity
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe (depth 2, PID 612)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 4480)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\GetSummonersName" /XML "C:\Users\Admin\AppData\Roaming\umbpfl.xml"
    - Luminosity
    - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4380)
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\PEVerify.exe" "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe" & exit
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\PEVerify.exe (depth 3, PID 5028)
      Command line: "C:\Users\Admin\AppData\Roaming\PEVerify.exe" "C:\Users\Admin\AppData\Local\Temp\fdbec49b64538bf251f75185538566d5ee27547e927d8e0161fba43542afdf38.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 25KB
MD5: 355581beb5aab77d21ad5e09f68e920b
SHA1: a016be13c445790c8c8920607ddecb6c5513d6ec
SHA256: 0bc99fbab8adae751eff3d0bdd63a6e78fbbbed242e4e6f6d45ec89f66428752
SHA512: 60d799229d677b08237fa8840a667ea092050013752f1524c96d44f49cf44fb781a41edefdb63849068c3b3c3b913b19b57b770adf3fc7465aa52db81fd0cce8

Filesize: 1KB
MD5: 87999fbc60ac43deb2aa71f78a65adf0
SHA1: ec6596ee9a4d2bccda3e9148731876df22ea4bd5
SHA256: 7d80152fc9365a488cc32be54b7daa4da4a796bfb29588935e8bca5532c185f7
SHA512: 2487ba7a0ac294db0c79d119b56a91e8fc877cd4900c22d990d81e7334cb0d838fb7a965f499be643e1830233a1c370c55ad9bcf5d4b9f65b25679a08f004027