Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 03:14
Static task: static1

Behavioral task: behavioral1
  Sample: e-catalog.pdf.scr
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: e-catalog.pdf.scr
  Resource: win10v2004-20240426-en

Behavioral task: behavioral3
  Sample: e-cataloge.pdf.exe
  Resource: win7-20240221-en

Behavioral task: behavioral4
  Sample: e-cataloge.pdf.exe
  Resource: win10v2004-20240508-en
General

Target: e-catalog.pdf.scr
Size: 1.2MB
MD5: 3f379c45cf293566709f473ea1f38125
SHA1: 825af50daf0146a5f16aa6e3f59fa5320def4735
SHA256: 94b795d57617222666cc16d4c9928841d781ba8d2406a188314e51a48f5d10da
SHA512: 7a124fe558e4d8d1aed01be8d5d9720e7fc07d2f4a7215392eb4e4883e2191820a2e45f36c922e49aa2989301f379f43361d11558b43f4b6d814140eb6e90add
SSDEEP: 24576:s+o/NuOhnPXVW9+E7a64d968HFghHqnqXg6cU9KXLNJCR+0MNDjCO4pF:IlvnPlW9+En4d08lghHqqQqoGsDjCNF
Malware Config
Signatures

Luminosity (3 IoCs)
Luminosity is a RAT family that was sold commercially while claiming to be a system administration utility.
Processes: e-catalog.pdf.scr, schtasks.exe, schtasks.exe
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\SystemCertificates\CA | process: e-catalog.pdf.scr
  pid: 3776 | process: schtasks.exe
  pid: 4880 | process: schtasks.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
The value is written to RunOnce rather than Run, and into the 64-bit registry view (REG ADD ... /reg:64). RunOnce entries are removed once consumed at logon, which is consistent with both the dropper and client.exe re-adding the value on every run (see the process tree).
Processes: REG.exe, REG.exe
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\"" | process: REG.exe
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\"" | process: REG.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. The task created here, "Client Monitor", re-launches client.exe every minute (/sc MINUTE) at the highest run level (/rl highest), so the implant comes back within a minute of being killed.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: e-catalog.pdf.scr
  pid: 3520 | process: e-catalog.pdf.scr (64 events)
Suspicious behavior: RenamesItself (1 IoCs)
Processes: e-catalog.pdf.scr
  pid: 3520 | process: e-catalog.pdf.scr
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: e-catalog.pdf.scr, client.exe
  description: Token: SeDebugPrivilege | pid: 3520 | process: e-catalog.pdf.scr
  description: Token: SeDebugPrivilege | pid: 4068 | process: client.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: e-catalog.pdf.scr, client.exe
  pid: 3520 | process: e-catalog.pdf.scr
  pid: 4068 | process: client.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: e-catalog.pdf.scr, client.exe
  PID 3520 (e-catalog.pdf.scr) wrote to memory of 3776 (schtasks.exe)  x3
  PID 3520 (e-catalog.pdf.scr) wrote to memory of 1836 (REG.exe)       x3
  PID 3520 (e-catalog.pdf.scr) wrote to memory of 4068 (client.exe)    x5
  PID 4068 (client.exe) wrote to memory of 4880 (schtasks.exe)         x3
  PID 4068 (client.exe) wrote to memory of 3668 (REG.exe)              x3
Every target is a child the writer itself spawned (see the process tree), so these hits reflect the parent writing into a freshly created child during process start-up rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\e-catalog.pdf.scr  (PID 3520)
  "C:\Users\Admin\AppData\Local\Temp\e-catalog.pdf.scr" /S
  (/S is the standard "start" switch passed to .scr screensaver executables)
  signatures: Luminosity; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (PID 3776, child of 3520)
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
    signatures: Luminosity

  C:\Windows\SysWOW64\REG.exe  (PID 1836, child of 3520)
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
    signatures: Adds Run key to start application

C:\Program Files (x86)\Client\client.exe  (PID 4068)
  "C:\Program Files (x86)\Client\client.exe" /startup
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (PID 4880, child of 4068)
    schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
    signatures: Luminosity; Creates scheduled task(s)

  C:\Windows\SysWOW64\REG.exe  (PID 3668, child of 4068)
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
    signatures: Adds Run key to start application
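The process tree above is a compact persistence chain: a double-extension lure (e-catalog.pdf.scr) spawns schtasks /create with /sc MINUTE /rl highest and REG ADD into RunOnce under the 64-bit view, and both entries point at the same C:\Program Files (x86)\Client\client.exe. The following is an added example and is not part of the Triage report or of the sample: Python that runs three process-creation rules (mapped to ATT&CK T1036.007, T1053.005 and T1547.001) over constructed events in Sysmon Event ID 1 field names, escalates anything spawned directly by a double-extension parent, and reports executables registered through more than one technique. The command lines of the first three events are copied from the tree; the sample's own parent PID (1234) and the benign DAILY backup task are assumptions added so the severity split is visible.

```python
"""Added example: detection rules for the persistence chain shown in the process tree above."""
import re
from dataclasses import dataclass

# Constructed events using Sysmon Event ID 1 field names. The first three are copied from the report's
# process tree; the sample's own parent PID (1234) and the benign DAILY task are assumptions for the example.
EVENTS = [
    {"ProcessId": 3520, "ParentProcessId": 1234, "Image": r"C:\Users\Admin\AppData\Local\Temp\e-catalog.pdf.scr",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\e-catalog.pdf.scr" /S'},
    {"ProcessId": 3776, "ParentProcessId": 3520, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'''schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest'''},
    {"ProcessId": 1836, "ParentProcessId": 3520, "Image": r"C:\Windows\SysWOW64\REG.exe",
     "CommandLine": r'''REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64'''},
    {"ProcessId": 5000, "ParentProcessId": 4000, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr "C:\Tools\backup.exe" /sc DAILY /st 02:00'},
]

# Drive-letter path ending in an executable extension; quotes are excluded so nested cmd quoting ends the match.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"'<>|]+?\.(?:exe|scr|com|pif|bat|cmd|vbs|js|ps1|dll)\b", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once|Services|ServicesOnce)?\\?$", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.(?:exe|scr|com|pif|bat|cmd)$", re.I)
# /switch optionally followed by a "quoted value" or a bare value that is not itself a switch
SWITCH_RE = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|([^/\s]\S*)))?')

def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

def parse_switches(cmdline: str) -> dict:
    # /switch -> value; '' for flags such as /create or /f
    return {name.lower(): quoted or bare for name, quoted, bare in SWITCH_RE.findall(cmdline)}

def extract_path(text: str) -> str:
    m = WIN_PATH_RE.search(text)
    return m.group(0) if m else ""

@dataclass
class Finding:
    technique: str      # ATT&CK technique ID
    pid: int
    severity: str       # low / medium / high
    detail: str
    target: str = ""    # executable the persistence entry launches, if any

def check_masquerade(ev):
    """T1036.007: document extension followed by an executable one (e-catalog.pdf.scr)."""
    name = basename(ev["Image"])
    return Finding("T1036.007", ev["ProcessId"], "medium", f"double-extension executable {name}") if DOUBLE_EXT_RE.search(name) else None

def check_scheduled_task(ev):
    """T1053.005: schtasks /create; a per-minute schedule or /rl highest is the strong signal."""
    sw = parse_switches(ev["CommandLine"])
    if basename(ev["Image"]) != "schtasks.exe" or "create" not in sw:
        return None
    sched, rl = sw.get("sc", "").upper(), sw.get("rl", "").lower()
    modifier = int(sw["mo"]) if sw.get("mo", "").isdigit() else 1   # /mo defaults to 1
    high = (sched == "MINUTE" and modifier <= 5) or rl == "highest"
    detail = f'task "{sw.get("tn")}" schedule {sched}/{modifier} rl={rl or "limited"}'
    return Finding("T1053.005", ev["ProcessId"], "high" if high else "low", detail, extract_path(sw.get("tr", "")))

def check_run_key(ev):
    """T1547.001: REG ADD into a Run/RunOnce key (the report writes RunOnce in the /reg:64 view).
    The nested cmd quoting in /d defeats a quoted-value parse, so the target path is taken from the whole line."""
    parts = ev["CommandLine"].split(None, 2)            # REG ADD <key> [/v name] [/d data] ...
    if basename(ev["Image"]) != "reg.exe" or len(parts) < 3 or parts[1].upper() != "ADD":
        return None
    m = re.match(r'"?([^"\s]+)', parts[2])               # Run keys contain no spaces
    if not m or not RUN_KEY_RE.search(m.group(1)):
        return None
    sw = parse_switches(ev["CommandLine"])
    view = "64-bit" if "/reg:64" in ev["CommandLine"].lower() else "default"
    detail = f'{m.group(1)}\\{sw.get("v")} written ({view} view)'
    return Finding("T1547.001", ev["ProcessId"], "medium", detail, extract_path(ev["CommandLine"]))

def analyze(events) -> list:
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ParentProcessId"])
        lure_parent = parent is not None and DOUBLE_EXT_RE.search(basename(parent["Image"]))
        for f in filter(None, (rule(ev) for rule in (check_masquerade, check_scheduled_task, check_run_key))):
            # persistence set up directly by a double-extension lure is the report's exact chain
            if lure_parent and f.technique != "T1036.007":
                f.severity = "high"
                f.detail += f" (spawned by lure pid {parent['ProcessId']} {basename(parent['Image'])})"
            findings.append(f)
    return findings

def shared_targets(findings) -> set:
    """Executables registered through more than one technique; here one client.exe sits behind both entries."""
    techniques = {}
    for f in findings:
        if f.target:
            techniques.setdefault(f.target.lower(), set()).add(f.technique)
    return {path for path, techs in techniques.items() if len(techs) > 1}

if __name__ == "__main__":
    print(*analyze(EVENTS), shared_targets(analyze(EVENTS)), sep="\n")
```

On real telemetry the same three rules run over Sysmon/EDR process-creation events; the point of shared_targets is that a single binary behind both the per-minute task and the RunOnce value is a far stronger indicator than either command alone, while the DAILY task with no elevated run level and no lure parent stays at low severity.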
Network

MITRE ATT&CK Enterprise v15

Downloads
The four entries below are CryptoAPI URL-cache files (CryptnetUrlCache Content/MetaData pairs), which Windows writes when it fetches certificate-chain or revocation data during signature and chain checks; they are side effects of those checks rather than payloads staged by the sample.
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
  Filesize: 471B
  MD5: b8580ddaa0a4baef024bf6dc0235a5fd
  SHA1: 2b70d795ff52433de6b45fbc180d34f05ac11f34
  SHA256: 0cac8b67ae22816af07ff37e607ec304b1c670ac792f45f34672dc6d613c4d61
  SHA512: cb77d6b3b3cb20ff7bb84ec0c83e8ff3d0f1c916cdd1b76bf8ad9b4019afdcbde7043603177e19319867e653b386b0396680fafd26b06764df53a8372a1ecd80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_108A7991F73F2B507007C35661993162
  Filesize: 471B
  MD5: 5fc585ad8ccb121d30a05982c2d33bb1
  SHA1: a2cb274463a1945a875c80731afd01855abb32e3
  SHA256: 54a4e08a1d51525e6721b5cf219edb9649195c623a57667ea9e53a50c479b01d
  SHA512: 0ecc3f89130f802b38c8ff9a6fab3be68f12b09943529ab877cd8207f3100969e06df2b9bd0d5e61eec1dd9cbc3a34ab99e85fe6bd5dd71afda9736993caa9d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
  Filesize: 404B
  MD5: 57b5d23446faba5a5f7c52fb235b3415
  SHA1: 58009d9b9c4aa2d3ddabb5641a1e40a29f847b12
  SHA256: cb77b447657c0f319e3be7b17908d89221e8ecabbb64c7e2bfadba2f2390874b
  SHA512: a1907a067f4e0a76d3a2c9d17f0226f70e9544c8af728165bbab95434a04ddbc11fde7e349875f3094c58e7dd444243f0c67f844d98d6864d42c21b8c13a4ef7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_108A7991F73F2B507007C35661993162
  Filesize: 400B
  MD5: 0396138381af1c342ec08abcf44a3ab8
  SHA1: 7b0f427c58e5629977283f5af22439dc334fbf17
  SHA256: d5dd788d8aa8b6b4c94dbf08bee02aa17e4c791f9e67a3f7f60b81528ceab24e
  SHA512: 555f837a3fbba4e997f4315137239a3c03857cb11f60dfccf1dcb5d93236ed6f750d2b67c88a22530c05b1889fc4fd4e1d022bbca62c42ce044e14ec2cfaabf7