Overview

overview

10

Static

static

804a740077...89.exe

windows7-x64

10

804a740077...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 01:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    804a74007782f858db9f08ec1797aa92429c1ae2f2496045854db975777ffe89.exe

  • Size

    196KB

  • MD5

    4e3b4a58556b73a525ac4ad4a667fc5f

  • SHA1

    8647ce41e973ec67d068c14921d80942a55f8bb4

  • SHA256

    804a74007782f858db9f08ec1797aa92429c1ae2f2496045854db975777ffe89

  • SHA512

    f85285858789a1e30b2afad625dfede84853c6154108b83a6a53cc7b88c5d6996ba2eb0dd38298fdd312f5ff280f3ea9aa523ba8a51ab83cff9efb8b20dcb6c7

  • SSDEEP

    6144:1L5Bx3DhHc6peTzhKeLTHav3bjUl2yzac:1VBx3tHc6khK4EPe2yV

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\804a74007782f858db9f08ec1797aa92429c1ae2f2496045854db975777ffe89.exe
    "C:\Users\Admin\AppData\Local\Temp\804a74007782f858db9f08ec1797aa92429c1ae2f2496045854db975777ffe89.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Users\Admin\AppData\Local\Temp\804a74007782f858db9f08ec1797aa92429c1ae2f2496045854db975777ffe89.exe
      "C:\Users\Admin\AppData\Local\Temp\804a74007782f858db9f08ec1797aa92429c1ae2f2496045854db975777ffe89.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\ProgramData\106150\csrd.exe
        "C:\ProgramData\106150\csrd.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\ProgramData\106150\csrd.exe
          "C:\ProgramData\106150\csrd.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of SetWindowsHookEx
          PID:856

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\106150\csrd.exe
    Filesize

    196KB

    MD5

    4e3b4a58556b73a525ac4ad4a667fc5f

    SHA1

    8647ce41e973ec67d068c14921d80942a55f8bb4

    SHA256

    804a74007782f858db9f08ec1797aa92429c1ae2f2496045854db975777ffe89

    SHA512

    f85285858789a1e30b2afad625dfede84853c6154108b83a6a53cc7b88c5d6996ba2eb0dd38298fdd312f5ff280f3ea9aa523ba8a51ab83cff9efb8b20dcb6c7

    Download Submit

  • C:\ProgramData\106150\csrd.exe
    Filesize

    196KB

    MD5

    4e3b4a58556b73a525ac4ad4a667fc5f

    SHA1

    8647ce41e973ec67d068c14921d80942a55f8bb4

    SHA256

    804a74007782f858db9f08ec1797aa92429c1ae2f2496045854db975777ffe89

    SHA512

    f85285858789a1e30b2afad625dfede84853c6154108b83a6a53cc7b88c5d6996ba2eb0dd38298fdd312f5ff280f3ea9aa523ba8a51ab83cff9efb8b20dcb6c7

    Download Submit

  • C:\ProgramData\106150\csrd.exe
    Filesize

    196KB

    MD5

    4e3b4a58556b73a525ac4ad4a667fc5f

    SHA1

    8647ce41e973ec67d068c14921d80942a55f8bb4

    SHA256

    804a74007782f858db9f08ec1797aa92429c1ae2f2496045854db975777ffe89

    SHA512

    f85285858789a1e30b2afad625dfede84853c6154108b83a6a53cc7b88c5d6996ba2eb0dd38298fdd312f5ff280f3ea9aa523ba8a51ab83cff9efb8b20dcb6c7

    Download Submit

  • memory/856-147-0x0000000074AC0000-0x0000000075071000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/856-146-0x0000000074AC0000-0x0000000075071000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/856-143-0x0000000000000000-mapping.dmp

    Download

  • memory/4004-140-0x0000000074AC0000-0x0000000075071000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4004-137-0x0000000000000000-mapping.dmp

    Download

  • memory/4004-142-0x0000000074AC0000-0x0000000075071000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4244-141-0x0000000074AC0000-0x0000000075071000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4244-136-0x0000000074AC0000-0x0000000075071000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4244-135-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/4244-134-0x0000000000000000-mapping.dmp

    Download

  • memory/4244-148-0x0000000074AC0000-0x0000000075071000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4284-132-0x0000000074AC0000-0x0000000075071000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4284-133-0x0000000074AC0000-0x0000000075071000-memory.dmp

    Filesize

    5.7MB

    Download