Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30-09-2024 02:13
Static task
static1
Behavioral task
behavioral1
Sample
scan-image.scr
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
scan-image.scr
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
scan-image2.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
scan-image2.exe
Resource
win10v2004-20240802-en
General
-
Target
scan-image.scr
-
Size
1.2MB
-
MD5
82bd56d1562393f6fe6804679c757e39
-
SHA1
9f419cea26e9cfce290527a4671b3fc3a49c446d
-
SHA256
bdfb0d576f4f54f95a314462a84449b875e7130c89d44d37942c03b82f22d92f
-
SHA512
91908924f04b153ebb992a1b2aa935edceb07f2318c2ccf8a526a74c75448346c17502ae23ef956d6c6fbd881934e53565e6606d0ed918f04f6045c7aacd2714
-
SSDEEP
24576:pT3yU52y8rvkYzcUYGSvEoH/Ee/i/nNhzAv9nZ4pM:ZC20vkYzc00/Ee/i/DI9UM
Malware Config
Signatures
-
Luminosity 3 IoCs
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
description ioc pid Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language scan-image.scr 856 schtasks.exe 968 schtasks.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\"" REG.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\"" REG.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language scan-image.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language REG.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language REG.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 968 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr 1440 scan-image.scr -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1440 scan-image.scr -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1440 scan-image.scr Token: SeDebugPrivilege 5096 client.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1440 scan-image.scr 5096 client.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1440 wrote to memory of 856 1440 scan-image.scr 82 PID 1440 wrote to memory of 856 1440 scan-image.scr 82 PID 1440 wrote to memory of 856 1440 scan-image.scr 82 PID 1440 wrote to memory of 4660 1440 scan-image.scr 93 PID 1440 wrote to memory of 4660 1440 scan-image.scr 93 PID 1440 wrote to memory of 4660 1440 scan-image.scr 93 PID 1440 wrote to memory of 5096 1440 scan-image.scr 95 PID 1440 wrote to memory of 5096 1440 scan-image.scr 95 PID 1440 wrote to memory of 5096 1440 scan-image.scr 95 PID 1440 wrote to memory of 5096 1440 scan-image.scr 95 PID 1440 wrote to memory of 5096 1440 scan-image.scr 95 PID 5096 wrote to memory of 968 5096 client.exe 96 PID 5096 wrote to memory of 968 5096 client.exe 96 PID 5096 wrote to memory of 968 5096 client.exe 96 PID 5096 wrote to memory of 5112 5096 client.exe 98 PID 5096 wrote to memory of 5112 5096 client.exe 98 PID 5096 wrote to memory of 5112 5096 client.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\scan-image.scr"C:\Users\Admin\AppData\Local\Temp\scan-image.scr" /S1⤵
- Luminosity
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest2⤵
- Luminosity
- System Location Discovery: System Language Discovery
PID:856
-
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:642⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4660
-
-
C:\Program Files (x86)\Client\client.exe"C:\Program Files (x86)\Client\client.exe" /startup1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest2⤵
- Luminosity
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:968
-
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:642⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5112
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize471B
MD5609b46a76cd48bb821b1f4893f40f1bc
SHA10a182f9b53fad50958702442a19760f5982a5d82
SHA2565cc0d2dabe6b8816250c659f061774c6316d4d5c8e3c0b664954161cecf91c9c
SHA512675cd91026d4b29731ef7da7188b357fd36a512d824f70a7fdf289a2a24cd2eba0ee155337f7ede359fd07c25801b984210728a632a3e4ac65dc73064a28f3cb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_108A7991F73F2B507007C35661993162
Filesize471B
MD53f0c72d80da402da75333ce2eee6e822
SHA154974826b4c7c7ac213521f57c3e7d98e6de06df
SHA2565fa4a6df15caeef2b33dc4a514ffbb5f719f32e6dd312b249c2d466b6b69295c
SHA512457a18ed2484e392859eb3eea5ecfd35406407c826b3d6c75a4d6a511826f36c6096986b17be2aecc64f97c03d03abf8ccba5158185a429af4b7d763473b45ce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize404B
MD5e896c11ba2f9f579b62fb9596fcb637a
SHA14327b4dc13e655899023fdd41e4b415e9806cc74
SHA256dfd52bbf5af959aab2779408acfa483575bbc4206a76f6dec97d3071289ef236
SHA512dc474e34616b8a8ed83612521862247c896f2067f8efeb4686eef7a62cc1eaa11ea352c34adcf965da06d85fabec0d28d327d1fcc20d3429d28419dbeba6cfc9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_108A7991F73F2B507007C35661993162
Filesize400B
MD57a602ffd21e0164533480c8165216d34
SHA140053c99eaa1a4acb4dce94be3d3b7f1054e8a20
SHA2564f8dff21d30f54f2677c64ad5fdb2c7f5f91da1562ed55770d76d3ddeb9c5522
SHA51205fc791ae57c71c7fe7084f4c00503781aeff1b2d3c7907185da2516c60bcb514d2d49452618ee364c80b7aaf338db0be4de483e3fa8af027f8ee5c04589e74e