Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 15:54

General

  • Target

    98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe

  • Size

    544KB

  • MD5

    ac3c3cfe80075221faa650b1a929b07f

  • SHA1

    829a8e2af0dfa44a2e5b757c250f83c778977341

  • SHA256

    98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6

  • SHA512

    43e5cbdc5bbf11ab49e5ec580eca341d5c92782a5cf8d51aa4a4eda107e33c992b9dff3c1fe3fa5e4b236751a8c720110fafd6290a40e5bcd5cebb1de794e6e5

  • SSDEEP

    12288:NRNRU7S8iTbBO7efStkG1thiYsZOJF24vvJVsa//yvAu:sGAefS+OSYjFjfvy

Malware Config

Signatures

  • Luminosity

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe
    "C:\Users\Admin\AppData\Local\Temp\98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\ProgramData\713126\sysmon.exe
      "C:\ProgramData\713126\sysmon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:468

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\713126\sysmon.exe

    Filesize

    544KB

    MD5

    ac3c3cfe80075221faa650b1a929b07f

    SHA1

    829a8e2af0dfa44a2e5b757c250f83c778977341

    SHA256

    98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6

    SHA512

    43e5cbdc5bbf11ab49e5ec580eca341d5c92782a5cf8d51aa4a4eda107e33c992b9dff3c1fe3fa5e4b236751a8c720110fafd6290a40e5bcd5cebb1de794e6e5

  • C:\ProgramData\713126\sysmon.exe

    Filesize

    544KB

    MD5

    ac3c3cfe80075221faa650b1a929b07f

    SHA1

    829a8e2af0dfa44a2e5b757c250f83c778977341

    SHA256

    98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6

    SHA512

    43e5cbdc5bbf11ab49e5ec580eca341d5c92782a5cf8d51aa4a4eda107e33c992b9dff3c1fe3fa5e4b236751a8c720110fafd6290a40e5bcd5cebb1de794e6e5

  • memory/468-63-0x0000000001EE6000-0x0000000001F05000-memory.dmp

    Filesize

    124KB

  • memory/468-61-0x000007FEF4280000-0x000007FEF4CA3000-memory.dmp

    Filesize

    10.1MB

  • memory/468-62-0x000007FEEEC10000-0x000007FEEFCA6000-memory.dmp

    Filesize

    16.6MB

  • memory/468-65-0x0000000001EE6000-0x0000000001F05000-memory.dmp

    Filesize

    124KB

  • memory/1632-57-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

    Filesize

    8KB

  • memory/1632-55-0x000007FEEEC10000-0x000007FEEFCA6000-memory.dmp

    Filesize

    16.6MB

  • memory/1632-56-0x00000000021C6000-0x00000000021E5000-memory.dmp

    Filesize

    124KB

  • memory/1632-54-0x000007FEF4280000-0x000007FEF4CA3000-memory.dmp

    Filesize

    10.1MB

  • memory/1632-64-0x00000000021C6000-0x00000000021E5000-memory.dmp

    Filesize

    124KB

  • memory/1632-66-0x00000000021C6000-0x00000000021E5000-memory.dmp

    Filesize

    124KB