Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

98cf15505f...b6.exe

windows7-x64

10

98cf15505f...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 15:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe

  • Size

    544KB

  • MD5

    ac3c3cfe80075221faa650b1a929b07f

  • SHA1

    829a8e2af0dfa44a2e5b757c250f83c778977341

  • SHA256

    98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6

  • SHA512

    43e5cbdc5bbf11ab49e5ec580eca341d5c92782a5cf8d51aa4a4eda107e33c992b9dff3c1fe3fa5e4b236751a8c720110fafd6290a40e5bcd5cebb1de794e6e5

  • SSDEEP

    12288:NRNRU7S8iTbBO7efStkG1thiYsZOJF24vvJVsa//yvAu:sGAefS+OSYjFjfvy

Score
10/10
luminositypersistencerat

Malware Config

Signatures

  • Luminosity

    Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

    ratluminosity
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe
    "C:\Users\Admin\AppData\Local\Temp\98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\ProgramData\546706\sysmon.exe
      "C:\ProgramData\546706\sysmon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4916

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\546706\sysmon.exe
    Filesize

    544KB

    MD5

    ac3c3cfe80075221faa650b1a929b07f

    SHA1

    829a8e2af0dfa44a2e5b757c250f83c778977341

    SHA256

    98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6

    SHA512

    43e5cbdc5bbf11ab49e5ec580eca341d5c92782a5cf8d51aa4a4eda107e33c992b9dff3c1fe3fa5e4b236751a8c720110fafd6290a40e5bcd5cebb1de794e6e5

    Download Submit

  • C:\ProgramData\546706\sysmon.exe
    Filesize

    544KB

    MD5

    ac3c3cfe80075221faa650b1a929b07f

    SHA1

    829a8e2af0dfa44a2e5b757c250f83c778977341

    SHA256

    98cf15505fcc65023b4e0b44070e29627ca560b65744d315ba24ce16abd23eb6

    SHA512

    43e5cbdc5bbf11ab49e5ec580eca341d5c92782a5cf8d51aa4a4eda107e33c992b9dff3c1fe3fa5e4b236751a8c720110fafd6290a40e5bcd5cebb1de794e6e5

    Download Submit

  • memory/4024-132-0x00007FFE2E6A0000-0x00007FFE2F0D6000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/4916-136-0x00007FFE2E6A0000-0x00007FFE2F0D6000-memory.dmp

    Filesize

    10.2MB

    Download