Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09-03-2024 20:23
Static task: static1
Behavioral task: behavioral1
- Sample: bcb88f34917a59dbc6795b620dd798df.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: bcb88f34917a59dbc6795b620dd798df.exe
- Resource: win10v2004-20240226-en
General
- Target: bcb88f34917a59dbc6795b620dd798df.exe
- Size: 220KB
- MD5: bcb88f34917a59dbc6795b620dd798df
- SHA1: 6c3e9f9bd3b5d42210e0b368ef5b2b97a01679a0
- SHA256: 41028718b81c51998d11be05e664fae1e2f80ca76b4936a46736c5f7b712b13b
- SHA512: 4cf64f890e534ae58b5a70a2aaaaf0afe86269ec1b6e3ef481c5da93ed5b28c2a12899b43deea740eaadf07e296b96f0141df45e085c6c42b270595de6773ac2
- SSDEEP: 3072:v/uybjWFAN44SHX4ty3IP25Ll40TV81RxwLRMcR9aBeWvfxLWDwCeWJ2NJ2RD1cy:vmA22S314WZOmLbR9JWJW7JYJK1
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: rundll32.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" (rundll32.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\947906\\rundll32.exe\"" (rundll32.exe)
-
Executes dropped EXE (1 IoC)
Processes: rundll32.exe
- PID 2444 rundll32.exe
-
Loads dropped DLL (2 IoCs)
Processes: bcb88f34917a59dbc6795b620dd798df.exe
- PID 2160 bcb88f34917a59dbc6795b620dd798df.exe (2 entries)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: rundll32.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System32 = "\"C:\\ProgramData\\947906\\rundll32.exe\"" (rundll32.exe)
-
Drops file in System32 directory (2 IoCs)
Processes: rundll32.exe
- File created: C:\Windows\SysWOW64\clientsvr.exe (rundll32.exe)
- File opened for modification: C:\Windows\SysWOW64\clientsvr.exe (rundll32.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: rundll32.exe, bcb88f34917a59dbc6795b620dd798df.exe
- PID 2444 rundll32.exe (63 entries)
- PID 2160 bcb88f34917a59dbc6795b620dd798df.exe (1 entry)
-
Suspicious behavior: RenamesItself (1 IoC)
Processes: bcb88f34917a59dbc6795b620dd798df.exe
- PID 2160 bcb88f34917a59dbc6795b620dd798df.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: rundll32.exe
- Token: SeDebugPrivilege, PID 2444 rundll32.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: rundll32.exe
- PID 2444 rundll32.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: bcb88f34917a59dbc6795b620dd798df.exe, rundll32.exe
- PID 2160 wrote to memory of 2444: 2160 bcb88f34917a59dbc6795b620dd798df.exe -> rundll32.exe (7 entries)
- PID 2444 wrote to memory of 2160: 2444 rundll32.exe -> bcb88f34917a59dbc6795b620dd798df.exe (5 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\bcb88f34917a59dbc6795b620dd798df.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bcb88f34917a59dbc6795b620dd798df.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\947906\rundll32.exe (child process)
    Command line: "C:\ProgramData\947906\rundll32.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
\ProgramData\947906\rundll32.exe
- Filesize: 220KB
- MD5: bcb88f34917a59dbc6795b620dd798df
- SHA1: 6c3e9f9bd3b5d42210e0b368ef5b2b97a01679a0
- SHA256: 41028718b81c51998d11be05e664fae1e2f80ca76b4936a46736c5f7b712b13b
- SHA512: 4cf64f890e534ae58b5a70a2aaaaf0afe86269ec1b6e3ef481c5da93ed5b28c2a12899b43deea740eaadf07e296b96f0141df45e085c6c42b270595de6773ac2
-
Memory dumps (filesize):
- memory/2160-36-0x00000000742C0000-0x000000007486B000-memory.dmp: 5.7MB
- memory/2160-34-0x0000000000C70000-0x0000000000C87000-memory.dmp: 92KB
- memory/2160-1-0x00000000742C0000-0x000000007486B000-memory.dmp: 5.7MB
- memory/2160-31-0x0000000000C90000-0x0000000000C91000-memory.dmp: 4KB
- memory/2160-40-0x0000000000DA0000-0x0000000000DA1000-memory.dmp: 4KB
- memory/2160-33-0x0000000000C90000-0x0000000000C91000-memory.dmp: 4KB
- memory/2160-22-0x0000000000C70000-0x0000000000C87000-memory.dmp: 92KB
- memory/2160-27-0x0000000000C70000-0x0000000000C87000-memory.dmp: 92KB
- memory/2160-41-0x00000000742C0000-0x000000007486B000-memory.dmp: 5.7MB
- memory/2160-39-0x0000000000C70000-0x0000000000C87000-memory.dmp: 92KB
- memory/2160-30-0x0000000000C70000-0x0000000000C87000-memory.dmp: 92KB
- memory/2160-24-0x0000000000C70000-0x0000000000C87000-memory.dmp: 92KB
- memory/2160-20-0x0000000000C70000-0x0000000000C87000-memory.dmp: 92KB
- memory/2160-2-0x00000000002A0000-0x00000000002E0000-memory.dmp: 256KB
- memory/2160-0-0x00000000742C0000-0x000000007486B000-memory.dmp: 5.7MB
- memory/2444-37-0x00000000742C0000-0x000000007486B000-memory.dmp: 5.7MB
- memory/2444-38-0x0000000000920000-0x0000000000960000-memory.dmp: 256KB
- memory/2444-17-0x00000000742C0000-0x000000007486B000-memory.dmp: 5.7MB
- memory/2444-16-0x0000000000920000-0x0000000000960000-memory.dmp: 256KB
- memory/2444-15-0x00000000742C0000-0x000000007486B000-memory.dmp: 5.7MB