Analysis

  • max time kernel
    147s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-11-2022 01:47

General

  • Target

    967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe

  • Size

    509KB

  • MD5

    112978a940b3aa91557b10e37ec65ffb

  • SHA1

    51b06bbcd1a9320c4e1ff63a6d0b2a2221cef536

  • SHA256

    967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55

  • SHA512

    666f25c4cb694b69165b42cf4c71baeb38f0507039e5a455da87f70324f302e0dbfd3e8f5d858c88e35f76acb5c64bc30fed19398f4f636c35a12ecbc61483b3

  • SSDEEP

    12288:X03SAZHsXBEE4V+kwCJwNiNvwPeJYLd95YhJ:XDUEBEE4dlNIPWYBQD

Malware Config

Signatures

  • Luminosity

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe
    "C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe
      "C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe"
      2⤵
      PID:1896
    • C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe
      "C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe"
      2⤵
      PID:1756
    • C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe
      "C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe"
      2⤵
      PID:1928
    • C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe
      "C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe"
      2⤵
      PID:1916
    • C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe
      "C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe"
      2⤵
      PID:1924
    • C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe
      "C:\Users\Admin\AppData\Local\Temp\967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\ProgramData\323049\msfilecom.exe
        "C:\ProgramData\323049\msfilecom.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\ProgramData\323049\msfilecom.exe
          "C:\ProgramData\323049\msfilecom.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1224

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\323049\msfilecom.exe

    Filesize

    509KB

    MD5

    112978a940b3aa91557b10e37ec65ffb

    SHA1

    51b06bbcd1a9320c4e1ff63a6d0b2a2221cef536

    SHA256

    967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55

    SHA512

    666f25c4cb694b69165b42cf4c71baeb38f0507039e5a455da87f70324f302e0dbfd3e8f5d858c88e35f76acb5c64bc30fed19398f4f636c35a12ecbc61483b3

  • \ProgramData\323049\msfilecom.exe

    Filesize

    509KB

    MD5

    112978a940b3aa91557b10e37ec65ffb

    SHA1

    51b06bbcd1a9320c4e1ff63a6d0b2a2221cef536

    SHA256

    967a8db54ac259968792d81629b930bfeff404505eff4073b51a30d913bcaf55

    SHA512

    666f25c4cb694b69165b42cf4c71baeb38f0507039e5a455da87f70324f302e0dbfd3e8f5d858c88e35f76acb5c64bc30fed19398f4f636c35a12ecbc61483b3

  • memory/820-89-0x0000000073FA0000-0x000000007454B000-memory.dmp

    Filesize

    5.7MB

  • memory/820-75-0x0000000073FA0000-0x000000007454B000-memory.dmp

    Filesize

    5.7MB

  • memory/820-71-0x0000000000000000-mapping.dmp

  • memory/972-61-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/972-59-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/972-93-0x0000000073FA0000-0x000000007454B000-memory.dmp

    Filesize

    5.7MB

  • memory/972-69-0x0000000073FA0000-0x000000007454B000-memory.dmp

    Filesize

    5.7MB

  • memory/972-64-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/972-62-0x000000000045CF0E-mapping.dmp

  • memory/972-91-0x0000000073FA0000-0x000000007454B000-memory.dmp

    Filesize

    5.7MB

  • memory/972-66-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/972-57-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/972-56-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/1224-82-0x000000000045CF0E-mapping.dmp

  • memory/1224-90-0x0000000073FA0000-0x000000007454B000-memory.dmp

    Filesize

    5.7MB

  • memory/1224-92-0x0000000073FA0000-0x000000007454B000-memory.dmp

    Filesize

    5.7MB

  • memory/1496-55-0x0000000073FA0000-0x000000007454B000-memory.dmp

    Filesize

    5.7MB

  • memory/1496-54-0x0000000075131000-0x0000000075133000-memory.dmp

    Filesize

    8KB

  • memory/1496-68-0x0000000073FA0000-0x000000007454B000-memory.dmp

    Filesize

    5.7MB