Analysis

  • max time kernel
    152s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-11-2022 18:22

General

  • Target

    f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe

  • Size

    349KB

  • MD5

    60eec175da96472e274f381336f2e953

  • SHA1

    3bf49fe29e8a17070594ab1df37d36c7d605576a

  • SHA256

    f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11

  • SHA512

    3715091d4beb2e3903f4f5e2a37366d0c0d55e88d2aba78f4000d348fc31ef7936a9092fb716e8af10bcd9932b940e931a667f6cf8244ac7bfe9d8e34e519549

  • SSDEEP

    6144:/v+2p5fGOmQ2lBZnUnoJHwGYb3XFNCSbLnTZYJFpiNX85pRpp99k9T9s9s9:H+2p5pmQg5U6HCB5bzOFwd2pRpp99k9l

Malware Config

Signatures

  • Luminosity

    Luminosity (LuminosityLink) is a RAT family that was sold commercially while being marketed as a system administration utility.

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (2 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for this sample, classified as a Luminosity RAT and with no encryption or file-modification activity reported elsewhere on this page, read it as drive enumeration rather than evidence of encryption.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (29 IoCs)

Processes

The tree below shows the same two-stage launch twice. The submitted executable (PID 4980) starts a second copy of itself (PID 2108) and is flagged for SetThreadContext and WriteProcessMemory, the API pairing used by process-hollowing/RunPE-style injection into a freshly created child. That child writes a copy to C:\ProgramData\950199\csrss.exe, a name borrowed from the Client/Server Runtime Subsystem, which only legitimately runs from C:\Windows\System32. The dropped copy (PID 3572 launching PID 5040) repeats the self-launch, and it is the final stage (PID 5040) that writes the Winlogon and Run key persistence.

  • C:\Users\Admin\AppData\Local\Temp\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe
    "C:\Users\Admin\AppData\Local\Temp\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Users\Admin\AppData\Local\Temp\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe
      "C:\Users\Admin\AppData\Local\Temp\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\ProgramData\950199\csrss.exe
        "C:\ProgramData\950199\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3572
        • C:\ProgramData\950199\csrss.exe
          "C:\ProgramData\950199\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5040
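The three behaviours this tree exposes (a System32-only binary name running from ProgramData, a process launching a copy of its own image, and Run/Winlogon writes that point at the dropped file) are cheap to hunt for in endpoint telemetry. The rules below are an added example and are not part of the sandbox report or the Luminosity sample; they run over constructed Sysmon-shaped events (Event ID 1 process create, 11 file create, 13 registry value set) that follow the PIDs and paths above. The Winlogon value names (Shell, Userinit), the allow-list of System32-only binaries, the parent of PID 4980 and the benign csrss.exe and OneDrive events are assumptions, since the page does not state them.

```python
"""Hunting rules for the behaviours recorded on this page, run over
constructed Sysmon-style events (Event ID 1 = process create, 11 = file
create, 13 = registry value set). The events are shaped after the process
tree and signatures above; they are not telemetry from the sandbox run."""
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"

# Binaries that only legitimately run from System32. Short allow-list for the
# example (assumption); extend it from your own baseline.
SYSTEM_ONLY_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "services.exe", "lsass.exe"}

# Locations behind the "Modifies WinLogon for persistence" and "Adds Run key"
# signatures. The page does not say which Winlogon value the sample wrote;
# Shell and Userinit are the commonly abused ones (assumption).
PERSISTENCE_KEYS = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$"
    r"|\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$",
    re.IGNORECASE,
)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11.exe")
DROPPED = r"C:\ProgramData\950199\csrss.exe"

# Constructed events. PIDs and paths follow the report; the parent of 4980,
# the legitimate csrss.exe at boot and the OneDrive Run entry are invented
# context so the rules have benign records to ignore.
EVENTS = [
    {"id": 1, "pid": 700, "ppid": 500, "image": r"C:\Windows\System32\csrss.exe",
     "parent_image": r"C:\Windows\System32\smss.exe"},
    {"id": 1, "pid": 4980, "ppid": 3000, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 2108, "ppid": 4980, "image": SAMPLE, "parent_image": SAMPLE},
    {"id": 11, "pid": 2108, "target_filename": DROPPED},
    {"id": 1, "pid": 3572, "ppid": 2108, "image": DROPPED, "parent_image": SAMPLE},
    {"id": 1, "pid": 5040, "ppid": 3572, "image": DROPPED, "parent_image": DROPPED},
    {"id": 13, "pid": 5040,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": r"explorer.exe,C:\ProgramData\950199\csrss.exe"},
    {"id": 13, "pid": 5040,
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss",
     "details": DROPPED},
    {"id": 13, "pid": 3000,
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def masquerading_system_binaries(events):
    """PIDs where a System32-only binary name was started from another directory."""
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        name = ntpath.basename(e["image"]).lower()
        if name in SYSTEM_ONLY_NAMES and ntpath.dirname(e["image"]).lower() != SYSTEM32:
            hits.append(e["pid"])
    return hits


def self_spawn_pairs(events):
    """(parent, child) pairs where a process launched a copy of its own image,
    the shape of the 4980 -> 2108 and 3572 -> 5040 launches in the tree."""
    return [(e["ppid"], e["pid"]) for e in events
            if e["id"] == 1 and e["image"].lower() == e["parent_image"].lower()]


def dropped_files(events):
    """Paths created during the run (Event ID 11)."""
    return [e["target_filename"] for e in events if e["id"] == 11]


def persistence_pointing_at(events, paths):
    """Run/Winlogon writes whose data references one of the given paths.
    Keying on the dropped path keeps ordinary Run entries (OneDrive) out."""
    wanted = {p.lower() for p in paths}
    return [(e["pid"], e["target"]) for e in events
            if e["id"] == 13 and PERSISTENCE_KEYS.search(e["target"])
            and any(p in e["details"].lower() for p in wanted)]


def triage(events):
    """Chain the rules the way the report's tree reads: drop, masquerade,
    self-launch, then persistence that points back at the drop."""
    drops = dropped_files(events)
    return {
        "dropped": drops,
        "masquerading_pids": masquerading_system_binaries(events),
        "self_spawn_pairs": self_spawn_pairs(events),
        "persistence": persistence_pointing_at(events, drops),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

The self-spawn rule on its own fires on some legitimate software (browsers and updaters relaunch themselves), so in practice it is the combination with a masquerading image path or a persistence write referencing a file created in the same session that is worth alerting on; `triage` returns all three so the correlation can be done downstream.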

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\950199\csrss.exe

    Recorded three times during the run, each time with the hashes below. They are the same hashes as the submitted sample, so the dropped csrss.exe is a byte-for-byte copy of the original executable rather than a separate second-stage payload.

    Filesize

    349KB

    MD5

    60eec175da96472e274f381336f2e953

    SHA1

    3bf49fe29e8a17070594ab1df37d36c7d605576a

    SHA256

    f00480b1d8e9b860b77fc5fb64c5ecc3cde8ae3bfe8aa9bbdabe57da5633bc11

    SHA512

    3715091d4beb2e3903f4f5e2a37366d0c0d55e88d2aba78f4000d348fc31ef7936a9092fb716e8af10bcd9932b940e931a667f6cf8244ac7bfe9d8e34e519549

  The memory dumps below are named PID-index-start-end. All addresses are in the 32-bit range, matching the arch:x86 tag. The 0x74BF0000-0x751A1000 region (5.7MB) sits at the same address in all four processes, so it is a module they all load rather than per-process injected code. The 0x00400000-0x0045E000 region in PID 2108 is the default 32-bit PE image base, i.e. the executable's own image in the child, which is where a WriteProcessMemory/SetThreadContext parent would place its payload.

  • memory/2108-154-0x0000000074BF0000-0x00000000751A1000-memory.dmp

    Filesize

    5.7MB

  • memory/2108-135-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/2108-136-0x0000000074BF0000-0x00000000751A1000-memory.dmp

    Filesize

    5.7MB

  • memory/2108-148-0x00000000073D0000-0x00000000073E7000-memory.dmp

    Filesize

    92KB

  • memory/2108-149-0x00000000073D0000-0x00000000073E7000-memory.dmp

    Filesize

    92KB

  • memory/2108-141-0x0000000074BF0000-0x00000000751A1000-memory.dmp

    Filesize

    5.7MB

  • memory/2108-147-0x00000000073D0000-0x00000000073E7000-memory.dmp

    Filesize

    92KB

  • memory/3572-142-0x0000000074BF0000-0x00000000751A1000-memory.dmp

    Filesize

    5.7MB

  • memory/3572-140-0x0000000074BF0000-0x00000000751A1000-memory.dmp

    Filesize

    5.7MB

  • memory/4980-132-0x0000000074BF0000-0x00000000751A1000-memory.dmp

    Filesize

    5.7MB

  • memory/4980-150-0x0000000007250000-0x0000000007267000-memory.dmp

    Filesize

    92KB

  • memory/4980-152-0x0000000007250000-0x0000000007267000-memory.dmp

    Filesize

    92KB

  • memory/4980-151-0x0000000007250000-0x0000000007267000-memory.dmp

    Filesize

    92KB

  • memory/4980-133-0x0000000074BF0000-0x00000000751A1000-memory.dmp

    Filesize

    5.7MB

  • memory/5040-146-0x0000000074BF0000-0x00000000751A1000-memory.dmp

    Filesize

    5.7MB

  • memory/5040-153-0x0000000074BF0000-0x00000000751A1000-memory.dmp

    Filesize

    5.7MB