luminosity | 22761f5b95ad6b2932fd543292606a4390728e4837a9914c087ee0556b910786

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
Size

418KB
MD5

53474c750c9187e0490082d8e1c11a6d
SHA1

a53490817cd28f7f9d3689c1dff73308e39ea8c0
SHA256

22761f5b95ad6b2932fd543292606a4390728e4837a9914c087ee0556b910786
SHA512

77ffaf942f932c2ec81a1ca2c0b9f321c28745fd8f0cd1f91f8e0b7bd69fc82099b81cd736514309e8f431b7a6cbecf19ee154844587e3fbd1c097ec969c4f92
SSDEEP

12288:qINL5QskZOSBJRVhQKUN3iduyA3fpIyTCP/tkhDzOkZ:n5mZOoJPCF3iduy669ViDykZ

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\HBimlPyf.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\nTUFfozA.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\FaajStvs.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\bneVLMBl.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\683642\\svchost.exe\""	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

pid process

2280 svchost.exe
588 svchost.exe
700 svchost.exe
2952 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe

pid process

2876 53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe

pid	process
2280	svchost.exe
588	svchost.exe
700	svchost.exe
2952	svchost.exe

pid	process
2876	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Adobe Startup Utility = "\"C:\\ProgramData\\683642\\svchost.exe\""	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1796 set thread context of 2096	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 2096 set thread context of 2876	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 2280 set thread context of 588	2280	svchost.exe	svchost.exe
PID 588 set thread context of 2952	588	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe

pid	process
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2876	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe
2952	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe

pid process

2876 53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2952 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2952 svchost.exe

pid	process
2876	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2952	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.execsc.execmd.exe53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.execsc.execmd.exe53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exesvchost.execsc.exe

description	pid	process	target process
PID 1796 wrote to memory of 2560	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 1796 wrote to memory of 2560	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 1796 wrote to memory of 2560	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 1796 wrote to memory of 2560	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 2560 wrote to memory of 2640	2560	csc.exe	cvtres.exe
PID 2560 wrote to memory of 2640	2560	csc.exe	cvtres.exe
PID 2560 wrote to memory of 2640	2560	csc.exe	cvtres.exe
PID 2560 wrote to memory of 2640	2560	csc.exe	cvtres.exe
PID 1796 wrote to memory of 2096	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 1796 wrote to memory of 2096	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 1796 wrote to memory of 2096	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 1796 wrote to memory of 2096	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 1796 wrote to memory of 2096	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 1796 wrote to memory of 2096	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 1796 wrote to memory of 2096	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 1796 wrote to memory of 2096	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 1796 wrote to memory of 2096	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 1796 wrote to memory of 2512	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 1796 wrote to memory of 2512	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 1796 wrote to memory of 2512	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 1796 wrote to memory of 2512	1796	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 2512 wrote to memory of 2888	2512	cmd.exe	reg.exe
PID 2512 wrote to memory of 2888	2512	cmd.exe	reg.exe
PID 2512 wrote to memory of 2888	2512	cmd.exe	reg.exe
PID 2512 wrote to memory of 2888	2512	cmd.exe	reg.exe
PID 2096 wrote to memory of 2688	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 2096 wrote to memory of 2688	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 2096 wrote to memory of 2688	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 2096 wrote to memory of 2688	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	csc.exe
PID 2688 wrote to memory of 2708	2688	csc.exe	cvtres.exe
PID 2688 wrote to memory of 2708	2688	csc.exe	cvtres.exe
PID 2688 wrote to memory of 2708	2688	csc.exe	cvtres.exe
PID 2688 wrote to memory of 2708	2688	csc.exe	cvtres.exe
PID 2096 wrote to memory of 2876	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 2096 wrote to memory of 2876	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 2096 wrote to memory of 2876	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 2096 wrote to memory of 2876	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 2096 wrote to memory of 2876	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 2096 wrote to memory of 2876	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 2096 wrote to memory of 2876	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 2096 wrote to memory of 2876	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 2096 wrote to memory of 2876	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
PID 2096 wrote to memory of 1992	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 2096 wrote to memory of 1992	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 2096 wrote to memory of 1992	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 2096 wrote to memory of 1992	2096	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	cmd.exe
PID 1992 wrote to memory of 344	1992	cmd.exe	reg.exe
PID 1992 wrote to memory of 344	1992	cmd.exe	reg.exe
PID 1992 wrote to memory of 344	1992	cmd.exe	reg.exe
PID 1992 wrote to memory of 344	1992	cmd.exe	reg.exe
PID 2876 wrote to memory of 2280	2876	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	svchost.exe
PID 2876 wrote to memory of 2280	2876	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	svchost.exe
PID 2876 wrote to memory of 2280	2876	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	svchost.exe
PID 2876 wrote to memory of 2280	2876	53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe	svchost.exe
PID 2280 wrote to memory of 2288	2280	svchost.exe	csc.exe
PID 2280 wrote to memory of 2288	2280	svchost.exe	csc.exe
PID 2280 wrote to memory of 2288	2280	svchost.exe	csc.exe
PID 2280 wrote to memory of 2288	2280	svchost.exe	csc.exe
PID 2288 wrote to memory of 332	2288	csc.exe	cvtres.exe
PID 2288 wrote to memory of 332	2288	csc.exe	cvtres.exe
PID 2288 wrote to memory of 332	2288	csc.exe	cvtres.exe
PID 2288 wrote to memory of 332	2288	csc.exe	cvtres.exe
PID 2280 wrote to memory of 588	2280	svchost.exe	svchost.exe
PID 2280 wrote to memory of 588	2280	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tuvi9d4q.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES121B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC121A.tmp"
3⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\khyr8x8q.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1343.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1342.tmp"
4⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2876

C:\ProgramData\683642\svchost.exe
"C:\ProgramData\683642\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ershds7p.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E7A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1E79.tmp"
6⤵
PID:332

C:\ProgramData\683642\svchost.exe
"C:\ProgramData\683642\svchost.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\shqplxlj.cmdline"
6⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F54.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1F53.tmp"
7⤵
PID:1040

C:\ProgramData\683642\svchost.exe
"C:\ProgramData\683642\svchost.exe"
6⤵
- Executes dropped EXE
PID:700

C:\ProgramData\683642\svchost.exe
"C:\ProgramData\683642\svchost.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\bneVLMBl.exe"
6⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\bneVLMBl.exe"
7⤵
- Modifies WinLogon for persistence
PID:2184

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\FaajStvs.exe"
5⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\FaajStvs.exe"
6⤵
- Modifies WinLogon for persistence
PID:2160

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\nTUFfozA.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\nTUFfozA.exe"
4⤵
- Modifies WinLogon for persistence
PID:344

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\HBimlPyf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\HBimlPyf.exe"
3⤵
- Modifies WinLogon for persistence
PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\683642\svchost.exe
Filesize
418KB

MD5
53474c750c9187e0490082d8e1c11a6d

SHA1
a53490817cd28f7f9d3689c1dff73308e39ea8c0

SHA256
22761f5b95ad6b2932fd543292606a4390728e4837a9914c087ee0556b910786

SHA512
77ffaf942f932c2ec81a1ca2c0b9f321c28745fd8f0cd1f91f8e0b7bd69fc82099b81cd736514309e8f431b7a6cbecf19ee154844587e3fbd1c097ec969c4f92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
44c52c25cc55dd3b92b508c2eaf24e5b

SHA1
b29cc28e89a68ebe0ab1c75fbf96f5f48e7ab95c

SHA256
165d1c9f9778c508cf37b1b99477ae84c9d831f924a5edcad7bb6bdc9eea5ea6

SHA512
da8ed7e82fac5aaaf9729a55c2c017c9f02ee1ba74ca084f8f7bd9dd7a38706a1df7aed57301c5842be36918f57080d2cdb0681db509ed5573e9df3017f0d86b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
904329701d77780524eade97ab2c6fe0

SHA1
f9bafd0e0aa9111b69fd6c8d1a12d4fbb3846447

SHA256
ac67c5b5a625e91808d639243e8c12c1fbcd50ca8f474e82eec49ba69bb46588

SHA512
bbd45da7040fd1739748b9a3b888eb81c6d1c7cd6a95da135abafe8e994d49587d47d4347482ca4f53daeeebc877e75c9d79e457a3e07a907a2852fb139a8c30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
664d1f985eef739675814b46aacfc46b

SHA1
f77d7dc0ea92d045a3c6f085bbf2fd1db5156be0

SHA256
02e32e9e2c725c161b655fa375c9f450854be53c8145bd89a7b84733fbfd171a

SHA512
f9c66034957c0162286f10ca83d06aff8929ac94517ede11641bfef7ff486e71b5e48e6da0c8a3b73680dd6ef558e785659f94761ae703d62e2085df82859f2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c88a6ee80bed03bcda58ce47e21e9690

SHA1
cbe6cbf5b5a44b6b35a4bfa7cc71b4e0507be5b5

SHA256
957beff88403ea5eff2fd8dac1c35247d26b3ad86fea422b11634984ac640fb1

SHA512
4ad08d8568047b6300509b73cbfe3f09c7c9d448a5c19694ce8f09ada35c7d71bf13294df7aa47a5c5a8300fb9ed887f4af850fec1d943dbc15cbe33ef1d76d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1287.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES121B.tmp
Filesize
1KB

MD5
6c557886191378e52f2843478bf2629c

SHA1
124d824a11b9c09d3de0879c5262389c3a9287d8

SHA256
f17ed9b47c3d2a5a56a051f7fdaed9517f387069ff0348a743c9a2b5cad582e4

SHA512
c98fb6234de1172d97586a22cea052ebf3251ff53a40c543db7214282cdb98710daa45ca4730781149bc1b3e674e643e3ee2fef4c81265c587765c3f70cac8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1343.tmp
Filesize
1KB

MD5
c9f7aacb33aaf22af3c42f1db6396511

SHA1
55b647772b4b49bf88e2646347e85bcbd1c4ff9a

SHA256
11ea243d70691d679ea142897d04d570c172b47f3a733b9a05dfaccd57d3d454

SHA512
b072f32ce8a766d0b86d26e55ead8576af4147a9dba70560c39f080299b625e72efafb738c2ea10840081ea22d58cd5a7b77e930ef011066b2fa5d1b6ea1bccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E7A.tmp
Filesize
1KB

MD5
7a6278b775c4f260f925a2f3c0740023

SHA1
b9ce08f83f6f30f7689c4f85eb438efa314d2a40

SHA256
cfa2927c16af1b5e36ee5e78aa5575e94128c693be628d3e2e3142f1cb11e36d

SHA512
296e06cc1971edf1fd4a86bfff9dda682f300eab25b8a610cf09cfc18cfa2a532df94c30a4989e71531291e3cf5136c012026c351415c3893a0db8e7e9496414

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F54.tmp
Filesize
1KB

MD5
c73a877ed2886699841531d4e96ed622

SHA1
e0f83914c03b420d62bc229055bbe998b69c38ae

SHA256
93d80d2154f469e211991059a80a04b58e06a6c65e8d9f9ddaec5373b883e5a8

SHA512
e4275cfa04ed4b6f1ab98d58c31a01a21c9538184492397512b931b72542289e8461cb0f24b354019097fc92be84c13dd2ac6900e356c840e780d6269d313021

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar12F7.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ershds7p.dll
Filesize
828KB

MD5
951509d8367f7b779670be79f6092b7f

SHA1
27aa0390b24dd4752acc95a83dc54091637834e2

SHA256
2ab6e1ea271edfde12234c977f1e2f1f9b5d29b15d6d678ec60f5941629327fb

SHA512
012bae9f557f0eb379b4f388b134fe371ddb64f43bd13f8d7a9402d06441d707e63ae70bbb8111b041b99983e86a6454cb9cdeaefe5dd28ca50de74b7352f332

Download Submit
C:\Users\Admin\AppData\Local\Temp\khyr8x8q.dll
Filesize
556KB

MD5
aa01cabe2e46ab788fa459acffe73f65

SHA1
ccfebd1ba8cdcdcd92e6f4c5b55d321dc78e1608

SHA256
6d9b255f31ddf168305fbd7ce4a6e60086dc7db602bba8b5f376fbcfdf657e00

SHA512
4fc75805177cc4d527b3c92af4a8c4998fc85100df0cdcecad9441ab69d378c505b5634ee335c9781300345f2e854443fe07e389276a09ca6d712c3c02be08ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\shqplxlj.dll
Filesize
556KB

MD5
15fb5c463a0e9067dc0853c883579578

SHA1
b1c19815167e7670e0b3e0d16b92d4126c9b6528

SHA256
e416c3db6974896dd7e3a13cab22788b05fb9c093240db9ebbad0a958d96c978

SHA512
d04c5115570aa370d9ac599f8ed5eb5c09fdd70ba49af055d28dc5ba3f83c314e12705cb7715a0912ddb4f94a2766a196572f55b81b15a2be2b192fc90931392

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuvi9d4q.dll
Filesize
828KB

MD5
3df0ad13e4993c96079b3ca01b25cafb

SHA1
7936af9b12671e315385dacd88f4199bd6ad5edb

SHA256
a338c62299c29623c7f43091d4268062cc1bdf05e3df47fe3a7a15d7221aec0b

SHA512
7e00d4598eb2f1ea3bf6bada3978c7a82df28e633d9728108e920c162b60bb610c1808f5dcd8eb862bd87536e4751f9042ebb00bd12945ad0a603dbc92e13518

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC121A.tmp
Filesize
652B

MD5
a1920b4e826b9bfb49014ee353ee56ba

SHA1
fc5ed350475b3522b78f157522acfa0d71c707fa

SHA256
ca287fab57ccd1bb740045653b2a989cad09818035d4b16fe9af0e1de705fdbe

SHA512
4b4a66bd0fa1fe0960307b29949534b596c399f020e9b20877f85404028dd75973e06a30de347723c2039c390a0e2b5a619ab6f8e2d8a8564e17c0ee35f1fff4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1342.tmp
Filesize
652B

MD5
59e2d42338bfbb1bc4320969b3069b4d

SHA1
d857eb9ba05877394af1cb52827107722aa2abc1

SHA256
ab8d27269d1debb83e3992b84b75ca45c2b52d117a94fc0c5c2a59d937d09b85

SHA512
b358818c2c568228a9b31095aff76c75ea89ed32e67607da568562d9538c74264b7fd3824d087cd5c2a75d0e028fa1d855ab8445a41a9cfab49f994d3c706236

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1E79.tmp
Filesize
652B

MD5
1f6ad6cb0adfb12c92edd890f22296b5

SHA1
a9b3bbf2c1f520a7c12fd7fcfc5892288ca672ce

SHA256
27ac9ccd45109a15f78e3c810de80eb498ee0aecfc552ee85d514b60bd5dbe56

SHA512
5d6753f6292935da346d6621ec78b15d8e7fc67fd7aae3c7882c3b9b5f49d141eddfad13ed874064d4110a8c7e06c661264b1703282f76d13a37abb983f045a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1F53.tmp
Filesize
652B

MD5
45c9b9eed94d3402851c03e753c01c5f

SHA1
3710f2cc74f59c9a5c844a0a25d2e59f149ef4d1

SHA256
6d6830329e58a71045445af1f7de46f55a733c1e5c07f5fe95f683d93fea576c

SHA512
fdf799d0c937b8fa48a97bc12e9880a05a70932e54a88d7e864ee911747effe3fe9695290083c5cafd9e09137551d3282df800cc753240a31014790609ff4c34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ershds7p.cmdline
Filesize
196B

MD5
6f860839b1fc8e58fb719cecf51f6ff4

SHA1
5621be634f1880fef4f1868dabf0a39ad49f13cc

SHA256
9b7f8f0793833684f1862bd2859afda4e555b2f0eb8d24b1fdb5cffb645398ee

SHA512
2ee0496c70cb254614701ad2db14d3c7fd656e9d15909db545ad4204b7d0755d7662b8e522f0e27979ac465ce18f88b110b83da7f060695baf4518325f914661

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\khyr8x8q.cmdline
Filesize
196B

MD5
a82a80484c3bb265cd10c309d4e5d5d8

SHA1
1b40d54f312c245568064d6c06a6c547f86292dd

SHA256
769566cff2789d747a3d8589e873a06921d033a8a6952c99b10c5563577b5246

SHA512
60af2eda9e5cd13fe28a10922d119a988433d007245a92b4c01817951846f1ff77ed2622e5a81799eb71a9b0fbf761221c0acda0b660a900a31b8fbbf7093b03

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shqplxlj.cmdline
Filesize
196B

MD5
7ae6dc5b6e5880cc09d1dadec0872051

SHA1
1b4fd0868a0a91dea2902ac6c557c60890680a9a

SHA256
f69748d30d23e2b0355c7199e296cbe57308281ffd76079569b55e5a14f9409e

SHA512
a0bb8880bc678e800dbda09f445963ad4ad7e79ee80778e5d02bc44e6ceeb042c8a8d2e19d96507d3af11256f03d0da491870e0f342758b241503bbbaa0b0718

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp11C0.tmp.txt
Filesize
407KB

MD5
3fc0338c5b131613c2d4a8555d9d7775

SHA1
c67542ffa9a87ffd8df40025ccc62c2a15dde83a

SHA256
74af134a8b7df9e7bb5198a3e3a3e957eb49bf2b565e402929c913573cf8300e

SHA512
ef2e8cc5710fb45eefc9a5241d506dac8ceee25ec886efbb262958d64ceaf86e219a6185f20dd13a68fa8c9f3c6c0860fabcea4eb2cfd310a6cac9a051367a56

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp1308.tmp.txt
Filesize
271KB

MD5
e7311b28ef77fe20a83d1ea042945293

SHA1
3b8edf149437d35e4ba4241ddd85a7140827fcee

SHA256
bfd1b696ef37f194027c9cf109e251fc5ff73de3a09d09ff77aabb4ae77ae534

SHA512
d2711d9dd9b4a61c0db6b238477833ad5a8f56698436fb281fdc8af28d7d66d25de96379ed7a633c32854315891ea0c7a870e635b915c26b2c936cb56c442cc1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tuvi9d4q.cmdline
Filesize
196B

MD5
40a734cad390e9462e5d7e853c61ccb8

SHA1
f3834a00974237cc942324c7dce77d95aaba6bb8

SHA256
dc5d5c3db668e4df6373b3ddcc69e9c690d90d8a99c11f176fc5e835d84303b1

SHA512
cc032541144a0d88ec815d9bb5d2b66c143cef7e83b6350cad9071b2f5c797136abecd6597d685aa35409956d3b611de68d18eae14943f642a890d9aa89db387

Download Submit
memory/588-154-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1796-0-0x0000000074741000-0x0000000074742000-memory.dmp

Filesize
4KB

Download
memory/1796-1-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1796-62-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2096-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2096-104-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2096-35-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2096-37-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2096-38-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2096-41-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2096-44-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2096-49-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2096-60-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2096-50-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2560-25-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2560-32-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-90-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-100-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-97-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2876-99-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-86-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-213-0x00000000045D0000-0x00000000045E7000-memory.dmp

Filesize
92KB

Download
memory/2876-212-0x00000000045D0000-0x00000000045E7000-memory.dmp

Filesize
92KB

Download
memory/2876-211-0x00000000045D0000-0x00000000045E7000-memory.dmp

Filesize
92KB

Download
memory/2876-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download