Overview

overview

10

Static

static

b9694c6ae1...f5.exe

windows7-x64

10

b9694c6ae1...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9694c6ae1d20d43f9ee72800810658b23ea0505afba30030fd474a22f3921f5.exe

  • Size

    267KB

  • MD5

    03f81f69db69634c13210bae6b4598f4

  • SHA1

    6710382e4f58f97f99fca1ae6b189fcc67e9011d

  • SHA256

    b9694c6ae1d20d43f9ee72800810658b23ea0505afba30030fd474a22f3921f5

  • SHA512

    f7f8cd15d01fd26b03881811e27356179deaafe3afd6a1b7b908edbab0357f52d8c3753c179c666c6df18e32cd784252c4cd92cd7e1ff21bd1981228708aa1f8

  • SSDEEP

    6144:LIl3YnIIHBJ0X4U3cCIUqWzInoBdm4XORyGB7W0OnyYLSAXQ:ElYhQ4UMCIMdw3BTOyYLlg

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9694c6ae1d20d43f9ee72800810658b23ea0505afba30030fd474a22f3921f5.exe
    "C:\Users\Admin\AppData\Local\Temp\b9694c6ae1d20d43f9ee72800810658b23ea0505afba30030fd474a22f3921f5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Users\Admin\AppData\Local\Temp\b9694c6ae1d20d43f9ee72800810658b23ea0505afba30030fd474a22f3921f5.exe
      "C:\Users\Admin\AppData\Local\Temp\b9694c6ae1d20d43f9ee72800810658b23ea0505afba30030fd474a22f3921f5.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\ProgramData\973692\sysconfig.exe
        "C:\ProgramData\973692\sysconfig.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\ProgramData\973692\sysconfig.exe
          "C:\ProgramData\973692\sysconfig.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4264

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\973692\sysconfig.exe
    Filesize

    267KB

    MD5

    03f81f69db69634c13210bae6b4598f4

    SHA1

    6710382e4f58f97f99fca1ae6b189fcc67e9011d

    SHA256

    b9694c6ae1d20d43f9ee72800810658b23ea0505afba30030fd474a22f3921f5

    SHA512

    f7f8cd15d01fd26b03881811e27356179deaafe3afd6a1b7b908edbab0357f52d8c3753c179c666c6df18e32cd784252c4cd92cd7e1ff21bd1981228708aa1f8

    Download Submit

  • C:\ProgramData\973692\sysconfig.exe
    Filesize

    267KB

    MD5

    03f81f69db69634c13210bae6b4598f4

    SHA1

    6710382e4f58f97f99fca1ae6b189fcc67e9011d

    SHA256

    b9694c6ae1d20d43f9ee72800810658b23ea0505afba30030fd474a22f3921f5

    SHA512

    f7f8cd15d01fd26b03881811e27356179deaafe3afd6a1b7b908edbab0357f52d8c3753c179c666c6df18e32cd784252c4cd92cd7e1ff21bd1981228708aa1f8

    Download Submit

  • C:\ProgramData\973692\sysconfig.exe
    Filesize

    267KB

    MD5

    03f81f69db69634c13210bae6b4598f4

    SHA1

    6710382e4f58f97f99fca1ae6b189fcc67e9011d

    SHA256

    b9694c6ae1d20d43f9ee72800810658b23ea0505afba30030fd474a22f3921f5

    SHA512

    f7f8cd15d01fd26b03881811e27356179deaafe3afd6a1b7b908edbab0357f52d8c3753c179c666c6df18e32cd784252c4cd92cd7e1ff21bd1981228708aa1f8

    Download Submit

  • memory/1652-136-0x0000000075480000-0x0000000075A31000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1652-147-0x0000000006E90000-0x0000000006EA7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1652-151-0x0000000075480000-0x0000000075A31000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1652-135-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/1652-134-0x0000000000000000-mapping.dmp

    Download

  • memory/1652-149-0x0000000006E90000-0x0000000006EA7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1652-141-0x0000000075480000-0x0000000075A31000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1652-148-0x0000000006E90000-0x0000000006EA7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2220-142-0x0000000075480000-0x0000000075A31000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2220-140-0x0000000075480000-0x0000000075A31000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2220-137-0x0000000000000000-mapping.dmp

    Download

  • memory/4264-146-0x0000000075480000-0x0000000075A31000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4264-143-0x0000000000000000-mapping.dmp

    Download

  • memory/4264-150-0x0000000075480000-0x0000000075A31000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4928-133-0x0000000075480000-0x0000000075A31000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4928-132-0x0000000075480000-0x0000000075A31000-memory.dmp

    Filesize

    5.7MB

    Download