Analysis
-
max time kernel
189s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 18:02
Static task
static1
Behavioral task
behavioral1
Sample
12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe
Resource
win10v2004-20220812-en
General
-
Target
12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe
-
Size
591KB
-
MD5
12c1fc5af99577e0569bc732dd486d1a
-
SHA1
d9dfdbe862677a76a5864212332e2fc74f30c41a
-
SHA256
12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c
-
SHA512
1a1e763cc0515b4da6a618d99c3690956419ea3ce6b4410f5ac7c503b9c437ce82b4a4394e2522d4f53f29eeb53850b402460f5a129899f92274d7cdaf54dfee
-
SSDEEP
12288:1IUvw9jCD23JZQOf2ii/+b13iStZgvmwdbPv2xF:aUvYjCa3QOOiMU13iSIdRve
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" sysmon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\855173\\sysmon.exe\"" sysmon.exe -
Executes dropped EXE 3 IoCs
pid Process 4028 sysmon.exe 1728 sysmon.exe 4984 sysmon.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\855173\\sysmon.exe\"" sysmon.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\clientsvr.exe sysmon.exe File opened for modification C:\Windows\SysWOW64\clientsvr.exe sysmon.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1444 set thread context of 872 1444 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 81 PID 4028 set thread context of 4984 4028 sysmon.exe 84 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 872 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 872 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe 4984 sysmon.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 872 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4984 sysmon.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4984 sysmon.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 1444 wrote to memory of 712 1444 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 80 PID 1444 wrote to memory of 712 1444 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 80 PID 1444 wrote to memory of 712 1444 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 80 PID 1444 wrote to memory of 872 1444 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 81 PID 1444 wrote to memory of 872 1444 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 81 PID 1444 wrote to memory of 872 1444 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 81 PID 1444 wrote to memory of 872 1444 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 81 PID 1444 wrote to memory of 872 1444 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 81 PID 1444 wrote to memory of 872 1444 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 81 PID 1444 wrote to memory of 872 1444 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 81 PID 1444 wrote to memory of 872 1444 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 81 PID 872 wrote to memory of 4028 872 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 82 PID 872 wrote to memory of 4028 872 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 82 PID 872 wrote to memory of 4028 872 12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe 82 PID 4028 wrote to memory of 1728 4028 sysmon.exe 83 PID 4028 wrote to memory of 1728 4028 sysmon.exe 83 PID 4028 wrote to memory of 1728 4028 sysmon.exe 83 PID 4028 wrote to memory of 4984 4028 sysmon.exe 84 PID 4028 wrote to memory of 4984 4028 sysmon.exe 84 PID 4028 wrote to memory of 4984 4028 sysmon.exe 84 PID 4028 wrote to memory of 4984 4028 sysmon.exe 84 PID 4028 wrote to memory of 4984 4028 sysmon.exe 84 PID 4028 wrote to memory of 4984 4028 sysmon.exe 84 PID 4028 wrote to memory of 4984 4028 sysmon.exe 84 PID 4028 wrote to memory of 4984 4028 sysmon.exe 84 PID 4984 wrote to memory of 872 4984 sysmon.exe 81 PID 4984 wrote to memory of 872 4984 sysmon.exe 81 PID 4984 wrote to memory of 872 4984 sysmon.exe 81 PID 4984 wrote to memory of 872 4984 sysmon.exe 81 PID 4984 wrote to memory of 872 4984 sysmon.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe"C:\Users\Admin\AppData\Local\Temp\12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe"C:\Users\Admin\AppData\Local\Temp\12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe"2⤵PID:712
-
-
C:\Users\Admin\AppData\Local\Temp\12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe"C:\Users\Admin\AppData\Local\Temp\12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:872 -
C:\ProgramData\855173\sysmon.exe"C:\ProgramData\855173\sysmon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\ProgramData\855173\sysmon.exe"C:\ProgramData\855173\sysmon.exe"4⤵
- Executes dropped EXE
PID:1728
-
-
C:\ProgramData\855173\sysmon.exe"C:\ProgramData\855173\sysmon.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
591KB
MD512c1fc5af99577e0569bc732dd486d1a
SHA1d9dfdbe862677a76a5864212332e2fc74f30c41a
SHA25612683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c
SHA5121a1e763cc0515b4da6a618d99c3690956419ea3ce6b4410f5ac7c503b9c437ce82b4a4394e2522d4f53f29eeb53850b402460f5a129899f92274d7cdaf54dfee
-
Filesize
591KB
MD512c1fc5af99577e0569bc732dd486d1a
SHA1d9dfdbe862677a76a5864212332e2fc74f30c41a
SHA25612683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c
SHA5121a1e763cc0515b4da6a618d99c3690956419ea3ce6b4410f5ac7c503b9c437ce82b4a4394e2522d4f53f29eeb53850b402460f5a129899f92274d7cdaf54dfee
-
Filesize
591KB
MD512c1fc5af99577e0569bc732dd486d1a
SHA1d9dfdbe862677a76a5864212332e2fc74f30c41a
SHA25612683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c
SHA5121a1e763cc0515b4da6a618d99c3690956419ea3ce6b4410f5ac7c503b9c437ce82b4a4394e2522d4f53f29eeb53850b402460f5a129899f92274d7cdaf54dfee
-
Filesize
591KB
MD512c1fc5af99577e0569bc732dd486d1a
SHA1d9dfdbe862677a76a5864212332e2fc74f30c41a
SHA25612683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c
SHA5121a1e763cc0515b4da6a618d99c3690956419ea3ce6b4410f5ac7c503b9c437ce82b4a4394e2522d4f53f29eeb53850b402460f5a129899f92274d7cdaf54dfee
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\12683060f2e173014a172cebbe5f67354a8e2cd8f9a5b1197a1268d9c60fa77c.exe.log
Filesize312B
MD5d4b49ac61a6cac139f96450777c10204
SHA192089d33442c9e2eaceac3ed8db6a7168f938e5a
SHA256807bdfa62a4312030c1ed54981674cff77f6108e6b4957754cabb810098ce082
SHA512eb13a0e7f0d4b44db7e8d0625ba1ee6a036083c39c24b85493d3ec9074ada03eb7003b97bd92ed5f2baaf26295a4690303332593c4776e75da5bc3b6adbc3ea6