Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 27/11/2022, 15:54
Static task: static1
Behavioral task: behavioral1
- Sample: 98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe
- Resource: win10v2004-20220812-en
General
- Target: 98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe
- Size: 544KB
- MD5: ac3c3cfe80075221faa650b1a929b07f
- SHA1: 829a8e2af0dfa44a2e5b757c250f83c778977341
- SHA256: 98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6
- SHA512: 43e5cbdc5bbf11ab49e5ec580eca341d5c92782a5cf8d51aa4a4eda107e33c992b9dff3c1fe3fa5e4b236751a8c720110fafd6290a40e5bcd5cebb1de794e6e5
- SSDEEP: 12288:NRNRU7S8iTbBO7efStkG1thiYsZOJF24vvJVsa//yvAu:sGAefS+OSYjFjfvy
Malware Config
Signatures
- Luminosity
  Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | sysmon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\713126\\sysmon.exe\"" | sysmon.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  468 | sysmon.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\713126\\sysmon.exe\"" | sysmon.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\clientsvr.exe | sysmon.exe
  File opened for modification | C:\Windows\system32\clientsvr.exe | sysmon.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  468 | sysmon.exe (the same row is listed 64 times in the report)
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  1632 | 98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1632 | 98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe
  Token: SeDebugPrivilege | 468 | sysmon.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1632 wrote to memory of 468 | 1632 | 98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe | 29
  PID 1632 wrote to memory of 468 | 1632 | 98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe | 29
  PID 1632 wrote to memory of 468 | 1632 | 98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe"
  PID: 1632
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\713126\sysmon.exe (child of PID 1632)
    Command line: "C:\ProgramData\713126\sysmon.exe"
    PID: 468
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 544KB
  MD5: ac3c3cfe80075221faa650b1a929b07f
  SHA1: 829a8e2af0dfa44a2e5b757c250f83c778977341
  SHA256: 98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6
  SHA512: 43e5cbdc5bbf11ab49e5ec580eca341d5c92782a5cf8d51aa4a4eda107e33c992b9dff3c1fe3fa5e4b236751a8c720110fafd6290a40e5bcd5cebb1de794e6e5