Analysis
- max time kernel: 296s
- max time network: 274s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-08-2023 00:33
Behavioral tasks
- behavioral1: sample Luxury Shield/Guna.UI.dll, resource win10v2004-20230703-en
- behavioral2: sample Luxury Shield/Guna.UI2.dll, resource win10v2004-20230703-en
- behavioral3: sample Luxury Shield/ILMerge.exe, resource win10v2004-20230703-en
- behavioral4: sample Luxury Shield/Infected.pnggnp.exe, resource win10v2004-20230703-en
- behavioral5: sample Luxury Shield/Luxury Shield.exe, resource win10v2004-20230703-en
- behavioral6: sample Luxury Shield/Newtonsoft.Json.dll, resource win10v2004-20230703-en
- behavioral7: sample Luxury Shield/System.Web.Optimization.dll, resource win10v2004-20230703-en
General
- Target: Luxury Shield/Luxury Shield.exe
- Size: 6.1MB
- MD5: 40955751ffb3df0dd4cef5728cb0a2c5
- SHA1: 6219105ac9261fd9eedaf9eb103f2a856e43b4ba
- SHA256: 07c5f5c6595f9ccb544b2d78677fce86084b1821474216a6d3d3241701d4692c
- SHA512: a9bf58a9ef3dbaf01fe42b00dbad3c0455dc9d2da78833a1c05bc98992722ed044d90529272dfaedb62d1c9d09b3336774b82015c74fdc9d1279596756639808
- SSDEEP: 196608:nUJ5nwUlVzBvx4DkwjdtBC5U45+YXGJPVc9hC:UJhfBv67d/C6YXGJdc9hC
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes: PID 1500 Luxury Shield.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resource: behavioral5/memory/1500-142-0x0000000007810000-0x0000000007A5C000-memory.dmp (yara rule: agile_net)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (58 IoCs)
  Processes: PID 1500 Luxury Shield.exe (all 58 hits from this process)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 1500 Luxury Shield.exe, Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: PID 1500 Luxury Shield.exe (2 hits)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: PID 1500 Luxury Shield.exe wrote to memory of PID 3408 ILMerge.exe (2 hits)
Processes
- C:\Users\Admin\AppData\Local\Temp\Luxury Shield\Luxury Shield.exe (PID 1500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Shield\Luxury Shield.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\Luxury Shield\ILMerge.exe (PID 3408)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Shield\ILMerge.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 136KB
  MD5: 9af5eb006bb0bab7f226272d82c896c7
  SHA1: c2a5bb42a5f08f4dc821be374b700652262308f0
  SHA256: 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
  SHA512: 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a