Analysis
-
max time kernel
154s -
max time network
192s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
28-11-2022 09:35
Static task
static1
Behavioral task
behavioral1
Sample
77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe
Resource
win10v2004-20220812-en
General
-
Target
77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe
-
Size
1.7MB
-
MD5
f6775963efac80285f8bd9ccf238e8e6
-
SHA1
c62b3116cd6be338f3a5c31c475440405971a213
-
SHA256
77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80
-
SHA512
2df6ae13a2fadbd56973423c47f2bf59e0eb6aa1e809ca0779d5b088b824eaf3625a0f4899f87df338cf8389f11374f29cac1aa589edca54f7d98329f920e86f
-
SSDEEP
49152:XdPemCeUjRvBvaBEDYlHQE4eZY9oB21V4z:N2tekRclwDAYakaz
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe\"" 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe -
Executes dropped EXE 1 IoCs
pid Process 1484 mysqldt.exe -
Loads dropped DLL 2 IoCs
pid Process 1868 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe 1868 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MySQL = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe\"" 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\clientsvr.exe 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 268 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1868 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1868 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1868 wrote to memory of 268 1868 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe 28 PID 1868 wrote to memory of 268 1868 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe 28 PID 1868 wrote to memory of 268 1868 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe 28 PID 1868 wrote to memory of 268 1868 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe 28 PID 1868 wrote to memory of 1484 1868 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe 31 PID 1868 wrote to memory of 1484 1868 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe 31 PID 1868 wrote to memory of 1484 1868 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe 31 PID 1868 wrote to memory of 1484 1868 77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe"C:\Users\Admin\AppData\Local\Temp\77576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Update\mysqldt" /XML "C:\Users\Admin\AppData\Local\Temp\1471840762.xml"2⤵
- Creates scheduled task(s)
PID:268
-
-
C:\ProgramData\683383\mysqldt.exe"C:\ProgramData\683383\mysqldt.exe"2⤵
- Executes dropped EXE
PID:1484
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5f6775963efac80285f8bd9ccf238e8e6
SHA1c62b3116cd6be338f3a5c31c475440405971a213
SHA25677576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80
SHA5122df6ae13a2fadbd56973423c47f2bf59e0eb6aa1e809ca0779d5b088b824eaf3625a0f4899f87df338cf8389f11374f29cac1aa589edca54f7d98329f920e86f
-
Filesize
1.7MB
MD5f6775963efac80285f8bd9ccf238e8e6
SHA1c62b3116cd6be338f3a5c31c475440405971a213
SHA25677576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80
SHA5122df6ae13a2fadbd56973423c47f2bf59e0eb6aa1e809ca0779d5b088b824eaf3625a0f4899f87df338cf8389f11374f29cac1aa589edca54f7d98329f920e86f
-
Filesize
1KB
MD5069f1fcadee88a26d1e7a78f23c62e2a
SHA16b4e4f5a38e36187eb6da8a7464f770f583f72bb
SHA256e35b77808582c3a354e60fe8cc99990a8a6ee34a246669c2a90da81f8a20c0a5
SHA5126dc3475904dbabcf91f323a37eb4118f8d3ad86c28a719416df0868a24d137a0546c037752d579133a4740dd96e4bb3103c446b2d7613ba6734f7b2ce8cceb0a
-
Filesize
1.7MB
MD5f6775963efac80285f8bd9ccf238e8e6
SHA1c62b3116cd6be338f3a5c31c475440405971a213
SHA25677576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80
SHA5122df6ae13a2fadbd56973423c47f2bf59e0eb6aa1e809ca0779d5b088b824eaf3625a0f4899f87df338cf8389f11374f29cac1aa589edca54f7d98329f920e86f
-
Filesize
1.7MB
MD5f6775963efac80285f8bd9ccf238e8e6
SHA1c62b3116cd6be338f3a5c31c475440405971a213
SHA25677576d4c908eb399228e2a00c6269714739195a3db63fb597f47fdf54df32b80
SHA5122df6ae13a2fadbd56973423c47f2bf59e0eb6aa1e809ca0779d5b088b824eaf3625a0f4899f87df338cf8389f11374f29cac1aa589edca54f7d98329f920e86f