f97034b507b27905197c61afbfd9d8b1868d07b9558fb13af6a08ad79b37ed26

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luxury Shield/Luxury Shield.exe
Size

6.1MB
MD5

40955751ffb3df0dd4cef5728cb0a2c5
SHA1

6219105ac9261fd9eedaf9eb103f2a856e43b4ba
SHA256

07c5f5c6595f9ccb544b2d78677fce86084b1821474216a6d3d3241701d4692c
SHA512

a9bf58a9ef3dbaf01fe42b00dbad3c0455dc9d2da78833a1c05bc98992722ed044d90529272dfaedb62d1c9d09b3336774b82015c74fdc9d1279596756639808
SSDEEP

196608:nUJ5nwUlVzBvx4DkwjdtBC5U45+YXGJPVc9hC:UJhfBv67d/C6YXGJdc9hC

Score

7^/10

agilenet discovery

Malware Config

Signatures

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral9/memory/2612-1-0x0000000006120000-0x0000000006798000-memory.dmp	net_reactor
behavioral9/memory/2612-5-0x0000000005AA0000-0x0000000006116000-memory.dmp	net_reactor

Loads dropped DLL 1 IoCs

Processes:

Luxury Shield.exe

pid process

2612 Luxury Shield.exe

pid	process
2612	Luxury Shield.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral9/memory/2612-7-0x00000000071C0000-0x000000000740C000-memory.dmp	agile_net

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Luxury Shield.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Luxury Shield.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Luxury Shield.exe

description pid process

Token: SeDebugPrivilege 2612 Luxury Shield.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Luxury Shield.exe

pid process

2612 Luxury Shield.exe
2612 Luxury Shield.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luxury Shield.exe

description	pid	process
Token: SeDebugPrivilege	2612	Luxury Shield.exe

pid	process
2612	Luxury Shield.exe
2612	Luxury Shield.exe

C:\Users\Admin\AppData\Local\Temp\Luxury Shield\Luxury Shield.exe
"C:\Users\Admin\AppData\Local\Temp\Luxury Shield\Luxury Shield.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\53b4dde3-ceef-4149-b63d-4b67cc36c3e9\GunaDotNetRT.dll

Filesize
136KB

MD5
9af5eb006bb0bab7f226272d82c896c7

SHA1
c2a5bb42a5f08f4dc821be374b700652262308f0

SHA256
77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

SHA512
7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

Download Submit
memory/2612-17-0x000000000DBD0000-0x000000000E484000-memory.dmp

Filesize
8.7MB

Download
memory/2612-5-0x0000000005AA0000-0x0000000006116000-memory.dmp

Filesize
6.5MB

Download
memory/2612-18-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-4-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-19-0x0000000008B30000-0x0000000008C4A000-memory.dmp

Filesize
1.1MB

Download
memory/2612-6-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-7-0x00000000071C0000-0x000000000740C000-memory.dmp

Filesize
2.3MB

Download
memory/2612-20-0x0000000007F70000-0x0000000007FD6000-memory.dmp

Filesize
408KB

Download
memory/2612-15-0x0000000074360000-0x00000000743E0000-memory.dmp

Filesize
512KB

Download
memory/2612-14-0x0000000073CD0000-0x0000000073D07000-memory.dmp

Filesize
220KB

Download
memory/2612-16-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-0-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/2612-3-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-2-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-1-0x0000000006120000-0x0000000006798000-memory.dmp

Filesize
6.5MB

Download
memory/2612-21-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-22-0x000000000F0B0000-0x000000000F112000-memory.dmp

Filesize
392KB

Download
memory/2612-23-0x0000000008D10000-0x0000000008D1A000-memory.dmp

Filesize
40KB

Download
memory/2612-24-0x000000000F210000-0x000000000F236000-memory.dmp

Filesize
152KB

Download
memory/2612-25-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/2612-26-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-27-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-28-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-29-0x0000000073CD0000-0x0000000073D07000-memory.dmp

Filesize
220KB

Download
memory/2612-30-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download