Analysis
max time kernel: 152s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 12:47
Static task: static1
Behavioral task: behavioral1
  Sample: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
  Resource: win10v2004-20220812-en
General
Target: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
Size: 263KB
MD5: 0933760192fb29d692ef0e037229e86d
SHA1: e9a323e9fd86d090e3e942060c7d809d7f0a6eee
SHA256: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9
SHA512: b7c733f0b5c02bfe61420dbb75a1c6cf57353b24c0853e07199cb89e3eebb1743df621779874ca6d1f00250c8a257e8b8b45bf4ee59a9bae5a8e3f7b0c4b52f0
SSDEEP: 6144:Wve5lT+gycJHniGIGAigQtXopTPZTwqVOBCvDgi:W0Tu1G9BtXoBZrMBaDgi
Malware Config
Signatures
Luminosity
Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""
  process: sysmon.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\455397\\sysmon.exe\""
  process: sysmon.exe
Executes dropped EXE (2 IoCs)
  pid 4372  process: sysmon.exe
  pid 4760  process: sysmon.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  process: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\455397\\sysmon.exe\""
  process: sysmon.exe

Drops file in System32 directory (2 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\clientsvr.exe
  process: sysmon.exe

  description: File opened for modification
  ioc: C:\Windows\SysWOW64\clientsvr.exe
  process: sysmon.exe

Suspicious use of SetThreadContext (2 IoCs)
  description: PID 620 set thread context of 5020
  pid 620  process: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
  procid_target: 82

  description: PID 4372 set thread context of 4760
  pid 4372  process: sysmon.exe
  procid_target: 85

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs; distinct pid/process pairs listed)
  pid 4760  process: sysmon.exe
  pid 4372  process: sysmon.exe
  pid 5020  process: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
  pid 620   process: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
Suspicious behavior: RenamesItself (1 IoCs)
  pid 5020  process: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeDebugPrivilege
  pid 620  process: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe

  description: Token: SeDebugPrivilege
  pid 4372  process: sysmon.exe

  description: Token: SeDebugPrivilege
  pid 4760  process: sysmon.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 4760  process: sysmon.exe

Suspicious use of WriteProcessMemory (34 IoCs; identical rows grouped, with the number of occurrences)
  description: PID 620 wrote to memory of 5020
  pid 620  process: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
  procid_target: 82
  occurrences: 8

  description: PID 5020 wrote to memory of 4372
  pid 5020  process: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe
  procid_target: 83
  occurrences: 3

  description: PID 4372 wrote to memory of 4760
  pid 4372  process: sysmon.exe
  procid_target: 85
  occurrences: 8

  description: PID 4760 wrote to memory of 4372
  pid 4760  process: sysmon.exe
  procid_target: 83
  occurrences: 5

  description: PID 4760 wrote to memory of 5020
  pid 4760  process: sysmon.exe
  procid_target: 82
  occurrences: 5

  description: PID 4760 wrote to memory of 620
  pid 4760  process: sysmon.exe
  procid_target: 79
  occurrences: 5
Processes
C:\Users\Admin\AppData\Local\Temp\655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe (PID 620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe (PID 5020), child of PID 620
    Command line: "C:\Users\Admin\AppData\Local\Temp\655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\455397\sysmon.exe (PID 4372), child of PID 5020
      Command line: "C:\ProgramData\455397\sysmon.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\ProgramData\455397\sysmon.exe (PID 4760), child of PID 4372
        Command line: "C:\ProgramData\455397\sysmon.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 263KB
MD5: 0933760192fb29d692ef0e037229e86d
SHA1: e9a323e9fd86d090e3e942060c7d809d7f0a6eee
SHA256: 655c5fb5f5600963ef4d2d705b839e62be86ae03dc3e416a1feaa670b85dfaa9
SHA512: b7c733f0b5c02bfe61420dbb75a1c6cf57353b24c0853e07199cb89e3eebb1743df621779874ca6d1f00250c8a257e8b8b45bf4ee59a9bae5a8e3f7b0c4b52f0