luminosity | ae192099d8abfa67a49b100223a764cb4e227132e54f10c8ef2bc7bac185c49d

Analysis

max time kernel
151s
max time network
135s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01-12-2023 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
Size

1004KB
MD5

17f83bc21dfe5a240ffe81217f0d892f
SHA1

9f15af376dae479aa706555e5509322b018a99ba
SHA256

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd
SHA512

7490a3bd7bb698b571fc443e617615ad7aac338f9c6b844078ea3de3126b2eb91c904f8b0d8c9806ab0abf254a7bfb6595c993faab60be0620934ad5ed8c2979
SSDEEP

24576:xE/NU3dLfFe1gAS0LE2ZKc9PSEH0uZuLfSA5yN4spZjpVcNTkJXo:EihxASPsaEH9ZuL3udKTW

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity 4 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

Processes:

schtasks.exeschtasks.exeschtasks.execb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

pid	process
2732	schtasks.exe
2552	schtasks.exe
2812	schtasks.exe
File created	C:\Program Files (x86)\folder\cli.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

Executes dropped EXE 3 IoCs

Processes:

cli.execli.execli.exe

pid process

792 cli.exe
2840 cli.exe
2140 cli.exe

pid	process
792	cli.exe
2840	cli.exe
2140	cli.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\move up = "cmd /c \"start \"move up\" \"C:\\Program Files (x86)\\folder\\cli.exe\""	REG.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.execli.exe

description	pid	process	target process
PID 1948 set thread context of 2192	1948	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 792 set thread context of 2840	792	cli.exe	cli.exe

Drops file in Program Files directory 2 IoCs

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\folder\cli.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
File created	C:\Program Files (x86)\folder\cli.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2812 schtasks.exe

pid	process
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exeschtasks.execli.exe

pid	process
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2732	schtasks.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
792	cli.exe
2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

description pid process

Token: SeDebugPrivilege 2192 cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

pid process

2192 cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

description	pid	process
Token: SeDebugPrivilege	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.execb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exetaskeng.execli.exe

description	pid	process	target process
PID 1948 wrote to memory of 2192	1948	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 1948 wrote to memory of 2192	1948	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 1948 wrote to memory of 2192	1948	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 1948 wrote to memory of 2192	1948	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 1948 wrote to memory of 2192	1948	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 1948 wrote to memory of 2192	1948	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 1948 wrote to memory of 2192	1948	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 1948 wrote to memory of 2192	1948	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 1948 wrote to memory of 2192	1948	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
PID 2192 wrote to memory of 2732	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2732	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2732	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2732	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2552	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2552	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2552	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2552	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2732	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2732	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2732	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2732	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2732	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2812	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2812	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2812	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 2812	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	schtasks.exe
PID 2192 wrote to memory of 476	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	REG.exe
PID 2192 wrote to memory of 476	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	REG.exe
PID 2192 wrote to memory of 476	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	REG.exe
PID 2192 wrote to memory of 476	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	REG.exe
PID 1668 wrote to memory of 792	1668	taskeng.exe	cli.exe
PID 1668 wrote to memory of 792	1668	taskeng.exe	cli.exe
PID 1668 wrote to memory of 792	1668	taskeng.exe	cli.exe
PID 1668 wrote to memory of 792	1668	taskeng.exe	cli.exe
PID 2192 wrote to memory of 792	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 2192 wrote to memory of 792	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 2192 wrote to memory of 792	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 2192 wrote to memory of 792	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 2192 wrote to memory of 792	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 792 wrote to memory of 2840	792	cli.exe	cli.exe
PID 792 wrote to memory of 2840	792	cli.exe	cli.exe
PID 792 wrote to memory of 2840	792	cli.exe	cli.exe
PID 792 wrote to memory of 2840	792	cli.exe	cli.exe
PID 792 wrote to memory of 2840	792	cli.exe	cli.exe
PID 792 wrote to memory of 2840	792	cli.exe	cli.exe
PID 792 wrote to memory of 2840	792	cli.exe	cli.exe
PID 792 wrote to memory of 2840	792	cli.exe	cli.exe
PID 792 wrote to memory of 2840	792	cli.exe	cli.exe
PID 2192 wrote to memory of 2840	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 2192 wrote to memory of 2840	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 2192 wrote to memory of 2840	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 2192 wrote to memory of 2840	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 2192 wrote to memory of 2840	2192	cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe	cli.exe
PID 1668 wrote to memory of 2140	1668	taskeng.exe	cli.exe
PID 1668 wrote to memory of 2140	1668	taskeng.exe	cli.exe
PID 1668 wrote to memory of 2140	1668	taskeng.exe	cli.exe
PID 1668 wrote to memory of 2140	1668	taskeng.exe	cli.exe

C:\Users\Admin\AppData\Local\Temp\cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
"C:\Users\Admin\AppData\Local\Temp\cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe
  "C:\Users\Admin\AppData\Local\Temp\cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd.exe"
  2⤵
  - Luminosity
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "move up" /tr "'C:\Program Files (x86)\folder\cli.exe' /startup" /sc MINUTE /f /rl highest
    3⤵
    - Luminosity
    - Suspicious behavior: EnumeratesProcesses
    PID:2732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "move up" /tr "'C:\Program Files (x86)\folder\cli.exe' /startup" /sc MINUTE /f /rl highest
    3⤵
    - Luminosity
    PID:2552
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "move up" /tr "'C:\Program Files (x86)\folder\cli.exe' /startup" /sc MINUTE /f /rl highest
    3⤵
    - Luminosity
    - Creates scheduled task(s)
    PID:2812
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "move up" /d "cmd /c """start """move up""" """C:\Program Files (x86)\folder\cli.exe"""" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:476

C:\Windows\system32\taskeng.exe
taskeng.exe {42104FBC-D4A1-4C63-93EC-5116FA622534} S-1-5-21-3618187007-3650799920-3290345941-1000:BPDFUYWR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Program Files (x86)\folder\cli.exe
  "C:\Program Files (x86)\folder\cli.exe" /startup
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Program Files (x86)\folder\cli.exe
    "C:\Program Files (x86)\folder\cli.exe"
    3⤵
    - Executes dropped EXE
    PID:2840
- C:\Program Files (x86)\folder\cli.exe
  "C:\Program Files (x86)\folder\cli.exe" /startup
  2⤵
  - Executes dropped EXE
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\folder\cli.exe

Filesize
1004KB

MD5
17f83bc21dfe5a240ffe81217f0d892f

SHA1
9f15af376dae479aa706555e5509322b018a99ba

SHA256
cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd

SHA512
7490a3bd7bb698b571fc443e617615ad7aac338f9c6b844078ea3de3126b2eb91c904f8b0d8c9806ab0abf254a7bfb6595c993faab60be0620934ad5ed8c2979

Download Submit
C:\Program Files (x86)\folder\cli.exe

Filesize
1004KB

MD5
17f83bc21dfe5a240ffe81217f0d892f

SHA1
9f15af376dae479aa706555e5509322b018a99ba

SHA256
cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd

SHA512
7490a3bd7bb698b571fc443e617615ad7aac338f9c6b844078ea3de3126b2eb91c904f8b0d8c9806ab0abf254a7bfb6595c993faab60be0620934ad5ed8c2979

Download Submit
C:\Program Files (x86)\folder\cli.exe

Filesize
1004KB

MD5
17f83bc21dfe5a240ffe81217f0d892f

SHA1
9f15af376dae479aa706555e5509322b018a99ba

SHA256
cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd

SHA512
7490a3bd7bb698b571fc443e617615ad7aac338f9c6b844078ea3de3126b2eb91c904f8b0d8c9806ab0abf254a7bfb6595c993faab60be0620934ad5ed8c2979

Download Submit
C:\Program Files (x86)\folder\cli.exe

Filesize
1004KB

MD5
17f83bc21dfe5a240ffe81217f0d892f

SHA1
9f15af376dae479aa706555e5509322b018a99ba

SHA256
cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd

SHA512
7490a3bd7bb698b571fc443e617615ad7aac338f9c6b844078ea3de3126b2eb91c904f8b0d8c9806ab0abf254a7bfb6595c993faab60be0620934ad5ed8c2979

Download Submit
C:\Program Files (x86)\folder\cli.exe

Filesize
1004KB

MD5
17f83bc21dfe5a240ffe81217f0d892f

SHA1
9f15af376dae479aa706555e5509322b018a99ba

SHA256
cb7d74d3686c2832d6bbf6bb9a5f20e8d0d0e7f48fd0c8d6a3b07e98769e59fd

SHA512
7490a3bd7bb698b571fc443e617615ad7aac338f9c6b844078ea3de3126b2eb91c904f8b0d8c9806ab0abf254a7bfb6595c993faab60be0620934ad5ed8c2979

Download Submit
memory/792-84-0x0000000000780000-0x0000000000797000-memory.dmp

Filesize
92KB

Download
memory/792-69-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/792-99-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/792-97-0x0000000000780000-0x0000000000797000-memory.dmp

Filesize
92KB

Download
memory/792-87-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/792-70-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/792-71-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/792-83-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/792-80-0x0000000000780000-0x0000000000797000-memory.dmp

Filesize
92KB

Download
memory/792-78-0x0000000000780000-0x0000000000797000-memory.dmp

Filesize
92KB

Download
memory/792-76-0x0000000000780000-0x0000000000797000-memory.dmp

Filesize
92KB

Download
memory/1948-22-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-2-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

Filesize
256KB

Download
memory/1948-1-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-0-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-123-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2140-122-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2192-46-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2192-23-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2192-3-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2192-5-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2192-7-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2192-13-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2192-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2192-18-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2192-20-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2192-21-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-34-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2732-39-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2732-29-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2732-31-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2732-42-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2732-45-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2732-37-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2732-38-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2732-40-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2732-27-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/2840-116-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/2840-118-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-119-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2840-120-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-117-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2840-115-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download