Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2022 20:36

General

  • Target

    5afacb39e2b3de26c60c6c4e96cf172dd952e20e7b081dd498a7157d8cb99383.exe

  • Size

    363KB

  • MD5

    407ad0b8ca4c0d6fdf45497b6e5e91b3

  • SHA1

    b904a4b9b05ff476c14b1c3dd1de55c7cbab0654

  • SHA256

    5afacb39e2b3de26c60c6c4e96cf172dd952e20e7b081dd498a7157d8cb99383

  • SHA512

    32c2f382b19298cf4e6978c44a09a33bb9ee0912d89ebf0138139f1618f3e8640474c78a97f3815dea4f740c177ef809efbf2a6d45e9588958d3fa7a654c9b98

  • SSDEEP

    6144:w8i2UsvYzQGvK28szYvU4n2kJBbnCtfhCyZx+LFus/pT7ivqqqXASDLNVJ6i:G2UsJwKqc4krDCtZxGFusxwqqMLXAi

Malware Config

Signatures

  • Luminosity

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5afacb39e2b3de26c60c6c4e96cf172dd952e20e7b081dd498a7157d8cb99383.exe
    "C:\Users\Admin\AppData\Local\Temp\5afacb39e2b3de26c60c6c4e96cf172dd952e20e7b081dd498a7157d8cb99383.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Users\Admin\AppData\Local\Temp\5afacb39e2b3de26c60c6c4e96cf172dd952e20e7b081dd498a7157d8cb99383.exe
      "C:\Users\Admin\AppData\Local\Temp\5afacb39e2b3de26c60c6c4e96cf172dd952e20e7b081dd498a7157d8cb99383.exe"
      2⤵
        PID:1872
      • C:\Users\Admin\AppData\Local\Temp\5afacb39e2b3de26c60c6c4e96cf172dd952e20e7b081dd498a7157d8cb99383.exe
        "C:\Users\Admin\AppData\Local\Temp\5afacb39e2b3de26c60c6c4e96cf172dd952e20e7b081dd498a7157d8cb99383.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\ProgramData\231036\helper.exe
          "C:\ProgramData\231036\helper.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1496
          • C:\ProgramData\231036\helper.exe
            "C:\ProgramData\231036\helper.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:552

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\ProgramData\231036\helper.exe

      Filesize

      363KB

      MD5

      407ad0b8ca4c0d6fdf45497b6e5e91b3

      SHA1

      b904a4b9b05ff476c14b1c3dd1de55c7cbab0654

      SHA256

      5afacb39e2b3de26c60c6c4e96cf172dd952e20e7b081dd498a7157d8cb99383

      SHA512

      32c2f382b19298cf4e6978c44a09a33bb9ee0912d89ebf0138139f1618f3e8640474c78a97f3815dea4f740c177ef809efbf2a6d45e9588958d3fa7a654c9b98

    • \ProgramData\231036\helper.exe

      Filesize

      363KB

      MD5

      407ad0b8ca4c0d6fdf45497b6e5e91b3

      SHA1

      b904a4b9b05ff476c14b1c3dd1de55c7cbab0654

      SHA256

      5afacb39e2b3de26c60c6c4e96cf172dd952e20e7b081dd498a7157d8cb99383

      SHA512

      32c2f382b19298cf4e6978c44a09a33bb9ee0912d89ebf0138139f1618f3e8640474c78a97f3815dea4f740c177ef809efbf2a6d45e9588958d3fa7a654c9b98

    • memory/552-91-0x00000000740B0000-0x000000007465B000-memory.dmp

      Filesize

      5.7MB

    • memory/552-92-0x00000000740B0000-0x000000007465B000-memory.dmp

      Filesize

      5.7MB

    • memory/1100-67-0x00000000740B0000-0x000000007465B000-memory.dmp

      Filesize

      5.7MB

    • memory/1100-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

      Filesize

      8KB

    • memory/1100-55-0x00000000740B0000-0x000000007465B000-memory.dmp

      Filesize

      5.7MB

    • memory/1496-86-0x00000000740B0000-0x000000007465B000-memory.dmp

      Filesize

      5.7MB

    • memory/1496-76-0x00000000740B0000-0x000000007465B000-memory.dmp

      Filesize

      5.7MB

    • memory/1820-69-0x00000000740B0000-0x000000007465B000-memory.dmp

      Filesize

      5.7MB

    • memory/1820-66-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1820-75-0x00000000740B0000-0x000000007465B000-memory.dmp

      Filesize

      5.7MB

    • memory/1820-64-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1820-61-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1820-59-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1820-57-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1820-56-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1820-93-0x00000000740B0000-0x000000007465B000-memory.dmp

      Filesize

      5.7MB