Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 03:14
Static task
- static1

Behavioral tasks
- behavioral1: sample e-catalog.pdf.scr, resource win7-20240508-en
- behavioral2: sample e-catalog.pdf.scr, resource win10v2004-20240426-en
- behavioral3: sample e-cataloge.pdf.exe, resource win7-20240221-en
- behavioral4: sample e-cataloge.pdf.exe, resource win10v2004-20240508-en
General
- Target: e-cataloge.pdf.exe
- Size: 1.2MB
- MD5: 3f379c45cf293566709f473ea1f38125
- SHA1: 825af50daf0146a5f16aa6e3f59fa5320def4735
- SHA256: 94b795d57617222666cc16d4c9928841d781ba8d2406a188314e51a48f5d10da
- SHA512: 7a124fe558e4d8d1aed01be8d5d9720e7fc07d2f4a7215392eb4e4883e2191820a2e45f36c922e49aa2989301f379f43361d11558b43f4b6d814140eb6e90add
- SSDEEP: 24576:s+o/NuOhnPXVW9+E7a64d968HFghHqnqXg6cU9KXLNJCR+0MNDjCO4pF:IlvnPlW9+En4d08lghHqqQqoGsDjCNF
Malware Config
Signatures

- Luminosity (3 IoCs)
  Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
  Processes: e-cataloge.pdf.exe, schtasks.exe, schtasks.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\SystemCertificates\CA | e-cataloge.pdf.exe
  (none) | 1972 | schtasks.exe
  (none) | 1656 | schtasks.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: REG.exe, REG.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\"" | REG.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\"" | REG.exe

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: e-cataloge.pdf.exe
  pid | process
  4816 | e-cataloge.pdf.exe (64 identical entries)

- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: e-cataloge.pdf.exe
  pid | process
  4816 | e-cataloge.pdf.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: e-cataloge.pdf.exe, client.exe
  description | pid | process
  Token: SeDebugPrivilege | 4816 | e-cataloge.pdf.exe
  Token: SeDebugPrivilege | 1756 | client.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: e-cataloge.pdf.exe, client.exe
  pid | process
  4816 | e-cataloge.pdf.exe
  1756 | client.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: e-cataloge.pdf.exe, client.exe
  description | pid | process | target process
  PID 4816 wrote to memory of 1972 | 4816 | e-cataloge.pdf.exe | schtasks.exe (3 entries)
  PID 4816 wrote to memory of 792 | 4816 | e-cataloge.pdf.exe | REG.exe (3 entries)
  PID 4816 wrote to memory of 1756 | 4816 | e-cataloge.pdf.exe | client.exe (5 entries)
  PID 1756 wrote to memory of 1656 | 1756 | client.exe | schtasks.exe (3 entries)
  PID 1756 wrote to memory of 3660 | 1756 | client.exe | REG.exe (3 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\e-cataloge.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e-cataloge.pdf.exe"
  PID: 4816
  Signatures: Luminosity; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
    PID: 1972
    Signatures: Luminosity
  - C:\Windows\SysWOW64\REG.exe
    Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
    PID: 792
    Signatures: Adds Run key to start application

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3668,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
  PID: 4420

- C:\Program Files (x86)\Client\client.exe
  Command line: "C:\Program Files (x86)\Client\client.exe" /startup
  PID: 1756
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest
    PID: 1656
    Signatures: Luminosity; Creates scheduled task(s)
  - C:\Windows\SysWOW64\REG.exe
    Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
    PID: 3660
    Signatures: Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
  Filesize: 471B
  MD5: b8580ddaa0a4baef024bf6dc0235a5fd
  SHA1: 2b70d795ff52433de6b45fbc180d34f05ac11f34
  SHA256: 0cac8b67ae22816af07ff37e607ec304b1c670ac792f45f34672dc6d613c4d61
  SHA512: cb77d6b3b3cb20ff7bb84ec0c83e8ff3d0f1c916cdd1b76bf8ad9b4019afdcbde7043603177e19319867e653b386b0396680fafd26b06764df53a8372a1ecd80

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_108A7991F73F2B507007C35661993162
  Filesize: 471B
  MD5: 5fc585ad8ccb121d30a05982c2d33bb1
  SHA1: a2cb274463a1945a875c80731afd01855abb32e3
  SHA256: 54a4e08a1d51525e6721b5cf219edb9649195c623a57667ea9e53a50c479b01d
  SHA512: 0ecc3f89130f802b38c8ff9a6fab3be68f12b09943529ab877cd8207f3100969e06df2b9bd0d5e61eec1dd9cbc3a34ab99e85fe6bd5dd71afda9736993caa9d7

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
  Filesize: 404B
  MD5: eb0ef1535d964e5518bcb7d0391a8336
  SHA1: e2105f1366bc116631ca6f24fcd20df5ab715815
  SHA256: e4c4b9cdf7cea1bb8ff6f535649d7870fe5ae973fc867915680e7df8bb69b80f
  SHA512: cbc398d96aec0015f97073e22179e9e6d4eed389241265760955e580bb7e1cf4cf49391701fc29e3380da489fc73549ecbe72a1ac8fb129144d80e77831ecfdc

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_108A7991F73F2B507007C35661993162
  Filesize: 400B
  MD5: 6d67ce1a3e5c8429dea0ddea81ce60ad
  SHA1: 51d5798d92d9e8c6edd8cd54ee3068e573834ac2
  SHA256: a7415fda15b910cd07c241bb66614a2113473362a2734bde3eac7c3c6bd85c9b
  SHA512: 01c24e47e2bfa969606ba39cc703963fcf928d1c207437d2b3ae74fc9be868d7cd4eb83431962f0fe7157a6303cb951dc0c1a2c921c714fe6c376673a1ca2528