Analysis
Max time kernel: 149s
Max time network: 49s
Platform: windows7_x64
Resource: win7-20220901-en
Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted: 27-11-2022 12:47
Static task: static1
Behavioral task: behavioral1
  Sample: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
  Resource: win10v2004-20220812-en
General
Target: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
Size: 263KB
MD5: 0933760192fb29d692ef0e037229e86d
SHA1: e9a323e9fd86d090e3e942060c7d809d7f0a6eee
SHA256: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9
SHA512: b7c733f0b5c02bfe61420dbb75a1c6cf57353b24c0853e07199cb89e3eebb1743df621779874ca6d1f00250c8a257e8b8b45bf4ee59a9bae5a8e3f7b0c4b52f0
SSDEEP: 6144:Wve5lT+gycJHniGIGAigQtXopTPZTwqVOBCvDgi:W0Tu1G9BtXoBZrMBaDgi
Malware Config
Signatures

Luminosity
  Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""
  process: sysmon.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\338351\\sysmon.exe\""
  process: sysmon.exe

Executes dropped EXE (2 IoCs)
  pid 1368  sysmon.exe
  pid 576   sysmon.exe

Loads dropped DLL (2 IoCs)
  pid 2008  655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe (listed twice)

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\338351\\sysmon.exe\""
  process: sysmon.exe

Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\clientsvr.exe  (process: sysmon.exe)
  File created: C:\Windows\SysWOW64\clientsvr.exe  (process: sysmon.exe)

Suspicious use of SetThreadContext (2 IoCs)
  PID 1048 set thread context of 2008  (655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe, procid_target 27)
  PID 1368 set thread context of 576   (sysmon.exe, procid_target 30)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid 576   sysmon.exe  (9 events)
  pid 1368  sysmon.exe  (1 event)
  pid 1048  655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe  (1 event)

Suspicious behavior: RenamesItself (1 IoC)
  pid 2008  655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 1048  655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
  Token: SeDebugPrivilege  pid 1368  sysmon.exe
  Token: SeDebugPrivilege  pid 576   sysmon.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 576   sysmon.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  PID 1048 wrote to memory of 2008  (655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe, procid_target 27)  x9
  PID 2008 wrote to memory of 1368  (655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe, procid_target 29)  x4
  PID 1368 wrote to memory of 576   (sysmon.exe, procid_target 30)  x9
  PID 576  wrote to memory of 1368  (sysmon.exe, procid_target 29)  x5
  PID 576  wrote to memory of 1048  (sysmon.exe, procid_target 26)  x5
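The two Winlogon writes and the RunOnce write above are the persistence worth hunting for on other hosts. The Python below is an added example, not part of the sandbox report, that runs that detection logic over Sysmon Event ID 13 (RegistryEvent: Value Set) records. The field names Image, TargetObject and Details are Sysmon's own; the SAMPLE_EVENTS list is constructed from the IoCs listed above plus two benign writes for contrast, and the Finding class, the normalizer for the report's native \REGISTRY\... paths and the %SystemRoot% name-collision heuristic are this example's assumptions. It splits the Userinit/Shell values on commas outside quotes and reports any executable other than userinit.exe/explorer.exe, so a default value rewritten verbatim by an installer is not flagged. It also surfaces a caveat a responder needs here: the Userinit value landed under Wow6432Node because the writer is a 32-bit process, and the 64-bit winlogon.exe reads the non-redirected key; the same WOW64 redirection put the dropped file in C:\Windows\SysWOW64\clientsvr.exe while the value references C:\Windows\system32\clientsvr.exe, so on this x64 image that hook does not necessarily resolve, whereas the per-user Shell value and the RunOnce entry are not redirected.

```python
"""Flag Winlogon Userinit/Shell tampering and Run/RunOnce writes in Sysmon
Event ID 13 (RegistryEvent: Value Set) records.

Added example; not part of the sandbox report.  SAMPLE_EVENTS is constructed
from the report's IoCs plus two benign writes.
"""
from dataclasses import dataclass, field

# Sysmon logs hives as HKLM\ / HKU\; the sandbox report prints the native
# \REGISTRY\MACHINE\ / \REGISTRY\USER\ form.  Both are accepted.
_NATIVE_HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}

# Only these executables belong in the two Winlogon values by default
# (Userinit = "C:\Windows\system32\userinit.exe,", Shell = "explorer.exe").
WINLOGON_DEFAULTS = {"userinit": {"userinit.exe"}, "shell": {"explorer.exe"}}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Heuristic (assumption): Microsoft's Sysmon binary is installed under
# %SystemRoot%; a sysmon.exe anywhere else is a name collision worth a note.
SYSTEM_ROOT = "c:\\windows\\"

SAMPLE_EVENTS = [  # constructed records; TargetObject of the first kept in the report's native form
    {"EventID": 13, "Image": r"C:\ProgramData\338351\sysmon.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r'userinit.exe,"C:\Windows\system32\clientsvr.exe"'},
    {"EventID": 13, "Image": r"C:\ProgramData\338351\sysmon.exe",
     "TargetObject": r"HKU\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r'explorer.exe,"C:\ProgramData\338351\sysmon.exe"'},
    {"EventID": 13, "Image": r"C:\ProgramData\338351\sysmon.exe",
     "TargetObject": r"HKU\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor",
     "Details": r'"C:\ProgramData\338351\sysmon.exe"'},
    # benign: unrelated Explorer setting
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    # benign: an installer rewriting the default Userinit value verbatim
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
]


@dataclass
class Finding:
    rule: str            # winlogon_userinit | winlogon_shell | run_key
    key: str             # normalized registry path
    image: str           # process that wrote the value
    entries: list        # executables that should not be there
    notes: list = field(default_factory=list)


def normalize_key(path: str) -> str:
    """Map \\REGISTRY\\MACHINE\\... and \\REGISTRY\\USER\\... to HKLM\\ and HKU\\."""
    upper = path.upper()
    for native, short in _NATIVE_HIVES.items():
        if upper.startswith(native):
            return short + path[len(native):]
    return path


def split_entries(value: str) -> list:
    """Split a Winlogon-style list ('a,"b c",d') on commas outside double
    quotes, dropping the quotes themselves and empty items."""
    entries, cur, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            entries.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    entries.append("".join(cur).strip())
    return [e for e in entries if e]


def _basename(p: str) -> str:
    return p.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: list) -> list:
    """Return one Finding per persistence write found in the EID 13 records."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = normalize_key(ev["TargetObject"])
        low = key.lower()
        value_name = low.rsplit("\\", 1)[-1]
        image = ev["Image"]
        notes = []
        if _basename(image) == "sysmon.exe" and not image.lower().startswith(SYSTEM_ROOT):
            notes.append("writer named sysmon.exe outside %SystemRoot%: name collision with Microsoft Sysmon")

        if "\\windows nt\\currentversion\\winlogon\\" in low and value_name in WINLOGON_DEFAULTS:
            extra = [e for e in split_entries(ev["Details"])
                     if _basename(e) not in WINLOGON_DEFAULTS[value_name]]
            if not extra:
                continue  # default value rewritten verbatim: not persistence
            if "\\wow6432node\\" in low:
                notes.append("set via WOW64 registry redirection; 64-bit winlogon.exe reads the "
                             "non-Wow6432Node key, so check both views before calling the hook live")
            findings.append(Finding("winlogon_" + value_name, key, image, extra, notes))
        elif any(r in low for r in RUN_KEYS):
            findings.append(Finding("run_key", key, image, [ev["Details"].strip('"')], notes))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.key}\n   by {f.image}\n   extra: {f.entries}")
        for n in f.notes:
            print(f"   note: {n}")
```

Run it as-is and it reports three findings (Userinit, Shell, RunOnce) with the two benign records ignored; to use it on real data, feed it the Image/TargetObject/Details fields of EID 13 events pulled from the Sysmon operational log.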
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe"
  PID: 1048
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe"
    PID: 2008
    - Loads dropped DLL
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    Level 3: C:\ProgramData\338351\sysmon.exe
      command line: "C:\ProgramData\338351\sysmon.exe"
      PID: 1368
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Level 4: C:\ProgramData\338351\sysmon.exe
        command line: "C:\ProgramData\338351\sysmon.exe"
        PID: 576
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 263KB
MD5: 0933760192fb29d692ef0e037229e86d
SHA1: e9a323e9fd86d090e3e942060c7d809d7f0a6eee
SHA256: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9
SHA512: b7c733f0b5c02bfe61420dbb75a1c6cf57353b24c0853e07199cb89e3eebb1743df621779874ca6d1f00250c8a257e8b8b45bf4ee59a9bae5a8e3f7b0c4b52f0