Analysis
max time kernel: 100s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2023, 02:15
Static task: static1
Behavioral task: behavioral1
Sample: Luxury Shield 7.1/Luxury Shield 7.1.exe
Resource: win10v2004-20230703-en
General
Target: Luxury Shield 7.1/Luxury Shield 7.1.exe
Size: 8.1MB
MD5: e484d9f831bae0a774f3ac0fcff44512
SHA1: 4cb52554b2dc37939749607b9532839de6fdf25c
SHA256: cdb6b34eb4090b0be2b503767a8463741bc17b5cac2d2e22caf52aa1676616a7
SHA512: a0673bfddb1ecf11dc71a0411f39df4fb10f90e86d63e81215447a766d2788c9564b1423d8af5c604ce357fa196edbccbca5c53ad6802d4b208b991aeb0aa8fa
SSDEEP: 196608:JgNBSpjrtV0fgOUmO1AGMNpmUOzLhPnNxMNZQ4NQw:JgNBSRtV0fgdmZBNp90hPnDaQM
Malware Config
Extracted
Family: xworm
C2: society-painted.at.ply.gg:17251
install_file: USB.exe
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation | Luxury Shield 7.1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation | Luxury Sheild v7.1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation | WinRAR.exe
-
Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe | crack.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe | crack.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk | WinRAR.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk | WinRAR.exe
-
Executes dropped EXE 5 IoCs
pid | Process
4432 | crack.exe
4060 | Luxury Sheild v7.1.exe
5060 | Luxury Shield 7.1.exe
1552 | WinRAR.exe
1848 | WinRAR.exe
-
Loads dropped DLL 1 IoCs
pid | Process
5060 | Luxury Shield 7.1.exe
-
Obfuscated with Agile.Net obfuscator 30 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinRAR = "C:\\Users\\Public\\WinRAR.exe" | WinRAR.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid | Process
5060 | Luxury Shield 7.1.exe
5060 | Luxury Shield 7.1.exe
5060 | Luxury Shield 7.1.exe
5060 | Luxury Shield 7.1.exe
5060 | Luxury Shield 7.1.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1040 | schtasks.exe
-
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Luxury Shield 7.1.exe
Key created | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Luxury Shield 7.1.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
4432 | crack.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3740 | powershell.exe
3740 | powershell.exe
3740 | powershell.exe
4664 | powershell.exe
4664 | powershell.exe
4664 | powershell.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1136 | Luxury Shield 7.1.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3740 | powershell.exe
Token: SeDebugPrivilege | 4664 | powershell.exe
Token: SeDebugPrivilege | 1552 | WinRAR.exe
Token: SeDebugPrivilege | 1848 | WinRAR.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1136 | Luxury Shield 7.1.exe
1136 | Luxury Shield 7.1.exe
5060 | Luxury Shield 7.1.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
description | pid | Process | procid_target
PID 1136 wrote to memory of 4432 | 1136 | Luxury Shield 7.1.exe | 100
PID 1136 wrote to memory of 4432 | 1136 | Luxury Shield 7.1.exe | 100
PID 4060 wrote to memory of 3740 | 4060 | Luxury Sheild v7.1.exe | 104
PID 4060 wrote to memory of 3740 | 4060 | Luxury Sheild v7.1.exe | 104
PID 4060 wrote to memory of 5060 | 4060 | Luxury Sheild v7.1.exe | 107
PID 4060 wrote to memory of 5060 | 4060 | Luxury Sheild v7.1.exe | 107
PID 4060 wrote to memory of 5060 | 4060 | Luxury Sheild v7.1.exe | 107
PID 4060 wrote to memory of 4664 | 4060 | Luxury Sheild v7.1.exe | 108
PID 4060 wrote to memory of 4664 | 4060 | Luxury Sheild v7.1.exe | 108
PID 4060 wrote to memory of 1552 | 4060 | Luxury Sheild v7.1.exe | 110
PID 4060 wrote to memory of 1552 | 4060 | Luxury Sheild v7.1.exe | 110
PID 1552 wrote to memory of 1040 | 1552 | WinRAR.exe | 111
PID 1552 wrote to memory of 1040 | 1552 | WinRAR.exe | 111
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows parent/child relationship, depth as reported by the sandbox)

Luxury Shield 7.1.exe (PID 1136, depth 1)
  Path: C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  crack.exe (PID 4432, depth 2)
    Path: C:\Users\Admin\Desktop\crack.exe
    Command line: "C:\Users\Admin\Desktop\crack.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener

Luxury Sheild v7.1.exe (PID 4060, depth 1)
  Path: C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe
  Command line: "C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  powershell.exe (PID 3740, depth 2)
    Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Luxury Shield 7.1.exe (PID 5060, depth 2)
    Path: C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx

  powershell.exe (PID 4664, depth 2)
    Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  WinRAR.exe (PID 1552, depth 2)
    Path: C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    schtasks.exe (PID 1040, depth 3)
      Path: C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRAR" /tr "C:\Users\Public\WinRAR.exe"
      - Creates scheduled task(s)

NOTEPAD.EXE (PID 944, depth 1)
  Path: C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pass to use.txt

WinRAR.exe (PID 1848, depth 1)
  Path: C:\Users\Public\WinRAR.exe
  Command line: C:\Users\Public\WinRAR.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6