Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
30-09-2024 02:13
General
-
Target
scan-image2.exe
-
Size
1.2MB
-
MD5
82bd56d1562393f6fe6804679c757e39
-
SHA1
9f419cea26e9cfce290527a4671b3fc3a49c446d
-
SHA256
bdfb0d576f4f54f95a314462a84449b875e7130c89d44d37942c03b82f22d92f
-
SHA512
91908924f04b153ebb992a1b2aa935edceb07f2318c2ccf8a526a74c75448346c17502ae23ef956d6c6fbd881934e53565e6606d0ed918f04f6045c7aacd2714
-
SSDEEP
24576:pT3yU52y8rvkYzcUYGSvEoH/Ee/i/nNhzAv9nZ4pM:ZC20vkYzc00/Ee/i/DI9UM
Malware Config
Signatures
-
Luminosity 3 IoCs
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\scan-image2.exe"C:\Users\Admin\AppData\Local\Temp\scan-image2.exe"1⤵
- Luminosity
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest2⤵
- Luminosity
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:642⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Client\client.exe"C:\Program Files (x86)\Client\client.exe" /startup1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "Client Monitor" /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /sc MINUTE /f /rl highest2⤵
- Luminosity
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\REG.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:642⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5609b46a76cd48bb821b1f4893f40f1bc
SHA10a182f9b53fad50958702442a19760f5982a5d82
SHA2565cc0d2dabe6b8816250c659f061774c6316d4d5c8e3c0b664954161cecf91c9c
SHA512675cd91026d4b29731ef7da7188b357fd36a512d824f70a7fdf289a2a24cd2eba0ee155337f7ede359fd07c25801b984210728a632a3e4ac65dc73064a28f3cb
-
Filesize
471B
MD53f0c72d80da402da75333ce2eee6e822
SHA154974826b4c7c7ac213521f57c3e7d98e6de06df
SHA2565fa4a6df15caeef2b33dc4a514ffbb5f719f32e6dd312b249c2d466b6b69295c
SHA512457a18ed2484e392859eb3eea5ecfd35406407c826b3d6c75a4d6a511826f36c6096986b17be2aecc64f97c03d03abf8ccba5158185a429af4b7d763473b45ce
-
Filesize
404B
MD501aea4cdde044751dc25c3033a067ce4
SHA1c702f333ec98e95a2c95264024553694c260120f
SHA256d1fe7edcadf7c55fc7f2145288e10275e6e266cb981cd37f642aa796f0dbaef4
SHA512afd0235007936f68e671d611a3f2eb2d0ee3caf19f67e62dff7c98dd1fe339b42091505da762a8058c459d035dd502cd2526293b5f398f7283c5b8d1cc76bfb8
-
Filesize
400B
MD59fd93e7b5c15aa790416261bec2439a0
SHA19ba4b20be045ee53fd7b226b0142b17aba231992
SHA256694f35d63beb81977df4930e119e0e3429e648e2e4d01af13cfcb92382fabd93
SHA512159c4f9c170c6839c803b9f2547f22727e0d83bcbb2d5c888dc02afafd5ddcc09529c6cdb97a648f3f44da1ceef841d65f7dfa7fefa8dbfb424638e813bacffa
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
92KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB