Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
27-11-2022 18:22
Static task
static1
Behavioral task
behavioral1
Sample
f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe
Resource
win10v2004-20220901-en
General
-
Target
f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe
-
Size
349KB
-
MD5
60eec175da96472e274f381336f2e953
-
SHA1
3bf49fe29e8a17070594ab1df37d36c7d605576a
-
SHA256
f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11
-
SHA512
3715091d4beb2e3903f4f5e2a37366d0c0d55e88d2aba78f4000d348fc31ef7936a9092fb716e8af10bcd9932b940e931a667f6cf8244ac7bfe9d8e34e519549
-
SSDEEP
6144:/v+2p5fGOmQ2lBZnUnoJHwGYb3XFNCSbLnTZYJFpiNX85pRpp99k9T9s9s9:H+2p5pmQg5U6HCB5bzOFwd2pRpp99k9l
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\224205\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" csrss.exe -
Executes dropped EXE 2 IoCs
pid Process 592 csrss.exe 636 csrss.exe -
Loads dropped DLL 2 IoCs
pid Process 988 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 988 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Client Services Runtime Service = "\"C:\\ProgramData\\224205\\csrss.exe\"" csrss.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\clientsvr.exe csrss.exe File opened for modification C:\Windows\SysWOW64\clientsvr.exe csrss.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1032 set thread context of 988 1032 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 28 PID 592 set thread context of 636 592 csrss.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 636 csrss.exe 636 csrss.exe 636 csrss.exe 636 csrss.exe 636 csrss.exe 1032 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 988 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1032 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe Token: SeDebugPrivilege 592 csrss.exe Token: SeDebugPrivilege 636 csrss.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 636 csrss.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 1032 wrote to memory of 988 1032 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 28 PID 1032 wrote to memory of 988 1032 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 28 PID 1032 wrote to memory of 988 1032 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 28 PID 1032 wrote to memory of 988 1032 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 28 PID 1032 wrote to memory of 988 1032 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 28 PID 1032 wrote to memory of 988 1032 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 28 PID 1032 wrote to memory of 988 1032 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 28 PID 1032 wrote to memory of 988 1032 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 28 PID 1032 wrote to memory of 988 1032 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 28 PID 988 wrote to memory of 592 988 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 30 PID 988 wrote to memory of 592 988 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 30 PID 988 wrote to memory of 592 988 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 30 PID 988 wrote to memory of 592 988 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 30 PID 592 wrote to memory of 636 592 csrss.exe 31 PID 592 wrote to memory of 636 592 csrss.exe 31 PID 592 wrote to memory of 636 592 csrss.exe 31 PID 592 wrote to memory of 636 592 csrss.exe 31 PID 592 wrote to memory of 636 592 csrss.exe 31 PID 592 wrote to memory of 636 592 csrss.exe 31 PID 592 wrote to memory of 636 592 csrss.exe 31 PID 592 wrote to memory of 636 592 csrss.exe 31 PID 592 wrote to memory of 636 592 csrss.exe 31 PID 636 wrote to memory of 1032 636 csrss.exe 27 PID 636 wrote to memory of 1032 636 csrss.exe 27 PID 636 wrote to memory of 1032 636 csrss.exe 27 PID 636 wrote to memory of 1032 636 csrss.exe 27 PID 636 wrote to memory of 1032 636 csrss.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe"C:\Users\Admin\AppData\Local\Temp\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe"C:\Users\Admin\AppData\Local\Temp\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:988 -
C:\ProgramData\224205\csrss.exe"C:\ProgramData\224205\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592 -
C:\ProgramData\224205\csrss.exe"C:\ProgramData\224205\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
349KB
MD560eec175da96472e274f381336f2e953
SHA13bf49fe29e8a17070594ab1df37d36c7d605576a
SHA256f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11
SHA5123715091d4beb2e3903f4f5e2a37366d0c0d55e88d2aba78f4000d348fc31ef7936a9092fb716e8af10bcd9932b940e931a667f6cf8244ac7bfe9d8e34e519549
-
Filesize
349KB
MD560eec175da96472e274f381336f2e953
SHA13bf49fe29e8a17070594ab1df37d36c7d605576a
SHA256f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11
SHA5123715091d4beb2e3903f4f5e2a37366d0c0d55e88d2aba78f4000d348fc31ef7936a9092fb716e8af10bcd9932b940e931a667f6cf8244ac7bfe9d8e34e519549
-
Filesize
349KB
MD560eec175da96472e274f381336f2e953
SHA13bf49fe29e8a17070594ab1df37d36c7d605576a
SHA256f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11
SHA5123715091d4beb2e3903f4f5e2a37366d0c0d55e88d2aba78f4000d348fc31ef7936a9092fb716e8af10bcd9932b940e931a667f6cf8244ac7bfe9d8e34e519549
-
Filesize
349KB
MD560eec175da96472e274f381336f2e953
SHA13bf49fe29e8a17070594ab1df37d36c7d605576a
SHA256f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11
SHA5123715091d4beb2e3903f4f5e2a37366d0c0d55e88d2aba78f4000d348fc31ef7936a9092fb716e8af10bcd9932b940e931a667f6cf8244ac7bfe9d8e34e519549
-
Filesize
349KB
MD560eec175da96472e274f381336f2e953
SHA13bf49fe29e8a17070594ab1df37d36c7d605576a
SHA256f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11
SHA5123715091d4beb2e3903f4f5e2a37366d0c0d55e88d2aba78f4000d348fc31ef7936a9092fb716e8af10bcd9932b940e931a667f6cf8244ac7bfe9d8e34e519549