Analysis
max time kernel: 153s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 17:51
Static task: static1
Behavioral task: behavioral1
  Sample: c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe
  Resource: win10v2004-20220812-en
General
Target: c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe
Size: 747KB
MD5: 1c37fcc88038b6b8fc85accd0ebc8343
SHA1: 101b3727f1145d9b4483540b00d48b6cf9a03943
SHA256: c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b
SHA512: 84905fcaeda25bac0fea20b4270f6d8724889b8a4e2567b8f64caad4cc82d6560812cd9ebcbcf3478910c97e857254b444d34755c519681c9d4161c969b2d939
SSDEEP: 12288:B8uHgGWdpwVNZ373QQi2p9CwhiifzhHj2gROW65Ruy6NejRPfD54pw:XWnw+R6CwPbhFRx65RuNejBftP
Malware Config
Signatures
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\301520\\helper.exe\"" | helper.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | helper.exe
Executes dropped EXE (3 IoCs)
PID | Process
4984 | helper.exe
3196 | helper.exe
4788 | helper.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Helper = "\"C:\\ProgramData\\301520\\helper.exe\"" | helper.exe
Drops file in System32 directory (2 IoCs)
Description | IoC | Process
File created | C:\Windows\SysWOW64\clientsvr.exe | helper.exe
File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | helper.exe
Suspicious use of SetThreadContext (4 IoCs)
Description | PID | Process | procid_target
PID 1952 set thread context of 4196 | 1952 | c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe | 76
PID 4196 set thread context of 3504 | 4196 | c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe | 77
PID 4984 set thread context of 3196 | 4984 | helper.exe | 81
PID 3196 set thread context of 4788 | 3196 | helper.exe | 82
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID | Process | Entries
4788 | helper.exe | 62
3504 | c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe | 2
Suspicious behavior: RenamesItself (1 IoC)
PID | Process
3504 | c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Description | PID | Process
Token: SeDebugPrivilege | 4788 | helper.exe
Suspicious use of SetWindowsHookEx (1 IoC)
PID | Process
4788 | helper.exe
Suspicious use of WriteProcessMemory (40 IoCs)
Description | PID | Process | procid_target | Entries
PID 1952 wrote to memory of 4196 | 1952 | c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe | 76 | 8
PID 4196 wrote to memory of 3504 | 4196 | c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe | 77 | 8
PID 3504 wrote to memory of 4984 | 3504 | c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe | 80 | 3
PID 4984 wrote to memory of 3196 | 4984 | helper.exe | 81 | 8
PID 3196 wrote to memory of 4788 | 3196 | helper.exe | 82 | 8
PID 4788 wrote to memory of 3504 | 4788 | helper.exe | 77 | 5
Processes
1. C:\Users\Admin\AppData\Local\Temp\c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 1952
   2. C:\Users\Admin\AppData\Local\Temp\c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 4196
      3. C:\Users\Admin\AppData\Local\Temp\c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe"
         - Checks computer location settings
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: RenamesItself
         - Suspicious use of WriteProcessMemory
         PID: 3504
         4. C:\ProgramData\301520\helper.exe
            Command line: "C:\ProgramData\301520\helper.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID: 4984
            5. C:\ProgramData\301520\helper.exe
               Command line: "C:\ProgramData\301520\helper.exe"
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory
               PID: 3196
               6. C:\ProgramData\301520\helper.exe
                  Command line: "C:\ProgramData\301520\helper.exe"
                  - Modifies WinLogon for persistence
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
                  PID: 4788
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 747KB
MD5: 1c37fcc88038b6b8fc85accd0ebc8343
SHA1: 101b3727f1145d9b4483540b00d48b6cf9a03943
SHA256: c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b
SHA512: 84905fcaeda25bac0fea20b4270f6d8724889b8a4e2567b8f64caad4cc82d6560812cd9ebcbcf3478910c97e857254b444d34755c519681c9d4161c969b2d939
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\c818d9d86c869925d4ff82e2d17ac77300befcd1fe308191af7f10b246e37a6b.exe.log
Filesize: 223B
MD5: 1cc4c5b51e50ec74a6880b50ecbee28b
SHA1: 1ba7bb0e86c3d23fb0dc8bf16798d37afb4c4aba
SHA256: 0556734df26e82e363d47748a3ceedd5c23ea4b9ded6e68bd5c373c1c9f8777b
SHA512: 5d5532602b381125b24a9bd78781ed722ce0c862214ef17e7d224d269e6e7045c919ab19896dd8d9ae8920726092efe0ffb776a77a9a9539c4a70188d5a4c706