Analysis
-
max time kernel
152s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
27-11-2022 18:22
Static task
static1
Behavioral task
behavioral1
Sample
f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe
Resource
win10v2004-20220901-en
General
-
Target
f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe
-
Size
349KB
-
MD5
60eec175da96472e274f381336f2e953
-
SHA1
3bf49fe29e8a17070594ab1df37d36c7d605576a
-
SHA256
f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11
-
SHA512
3715091d4beb2e3903f4f5e2a37366d0c0d55e88d2aba78f4000d348fc31ef7936a9092fb716e8af10bcd9932b940e931a667f6cf8244ac7bfe9d8e34e519549
-
SSDEEP
6144:/v+2p5fGOmQ2lBZnUnoJHwGYb3XFNCSbLnTZYJFpiNX85pRpp99k9T9s9s9:H+2p5pmQg5U6HCB5bzOFwd2pRpp99k9l
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\950199\\csrss.exe\"" csrss.exe -
Executes dropped EXE 2 IoCs
pid Process 3572 csrss.exe 5040 csrss.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Services Runtime Service = "\"C:\\ProgramData\\950199\\csrss.exe\"" csrss.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\clientsvr.exe csrss.exe File created C:\Windows\SysWOW64\clientsvr.exe csrss.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4980 set thread context of 2108 4980 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 83 PID 3572 set thread context of 5040 3572 csrss.exe 87 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 2108 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 2108 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 4980 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 4980 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe 5040 csrss.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2108 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4980 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe Token: SeDebugPrivilege 3572 csrss.exe Token: SeDebugPrivilege 5040 csrss.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5040 csrss.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 4980 wrote to memory of 2108 4980 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 83 PID 4980 wrote to memory of 2108 4980 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 83 PID 4980 wrote to memory of 2108 4980 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 83 PID 4980 wrote to memory of 2108 4980 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 83 PID 4980 wrote to memory of 2108 4980 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 83 PID 4980 wrote to memory of 2108 4980 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 83 PID 4980 wrote to memory of 2108 4980 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 83 PID 4980 wrote to memory of 2108 4980 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 83 PID 2108 wrote to memory of 3572 2108 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 84 PID 2108 wrote to memory of 3572 2108 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 84 PID 2108 wrote to memory of 3572 2108 f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe 84 PID 3572 wrote to memory of 5040 3572 csrss.exe 87 PID 3572 wrote to memory of 5040 3572 csrss.exe 87 PID 3572 wrote to memory of 5040 3572 csrss.exe 87 PID 3572 wrote to memory of 5040 3572 csrss.exe 87 PID 3572 wrote to memory of 5040 3572 csrss.exe 87 PID 3572 wrote to memory of 5040 3572 csrss.exe 87 PID 3572 wrote to memory of 5040 3572 csrss.exe 87 PID 3572 wrote to memory of 5040 3572 csrss.exe 87 PID 5040 wrote to memory of 2108 5040 csrss.exe 83 PID 5040 wrote to memory of 2108 5040 csrss.exe 83 PID 5040 wrote to memory of 2108 5040 csrss.exe 83 PID 5040 wrote to memory of 2108 5040 csrss.exe 83 PID 5040 wrote to memory of 2108 5040 csrss.exe 83 PID 5040 wrote to memory of 4980 5040 csrss.exe 81 PID 5040 wrote to memory of 4980 5040 csrss.exe 81 PID 5040 wrote to memory of 4980 5040 csrss.exe 81 PID 5040 wrote to memory of 4980 5040 csrss.exe 81 PID 5040 wrote to memory of 4980 5040 csrss.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe"C:\Users\Admin\AppData\Local\Temp\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe"C:\Users\Admin\AppData\Local\Temp\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\ProgramData\950199\csrss.exe"C:\ProgramData\950199\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\ProgramData\950199\csrss.exe"C:\ProgramData\950199\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
349KB
MD560eec175da96472e274f381336f2e953
SHA13bf49fe29e8a17070594ab1df37d36c7d605576a
SHA256f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11
SHA5123715091d4beb2e3903f4f5e2a37366d0c0d55e88d2aba78f4000d348fc31ef7936a9092fb716e8af10bcd9932b940e931a667f6cf8244ac7bfe9d8e34e519549
-
Filesize
349KB
MD560eec175da96472e274f381336f2e953
SHA13bf49fe29e8a17070594ab1df37d36c7d605576a
SHA256f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11
SHA5123715091d4beb2e3903f4f5e2a37366d0c0d55e88d2aba78f4000d348fc31ef7936a9092fb716e8af10bcd9932b940e931a667f6cf8244ac7bfe9d8e34e519549
-
Filesize
349KB
MD560eec175da96472e274f381336f2e953
SHA13bf49fe29e8a17070594ab1df37d36c7d605576a
SHA256f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11
SHA5123715091d4beb2e3903f4f5e2a37366d0c0d55e88d2aba78f4000d348fc31ef7936a9092fb716e8af10bcd9932b940e931a667f6cf8244ac7bfe9d8e34e519549