Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2024 08:33

Static task: static1

Behavioral task: behavioral1
- Sample: 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe
- Resource: win10v2004-20241007-en
General
- Target: 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe
- Size: 1.0MB
- MD5: 0213d411f64b6250c3bd2e0989ee7897
- SHA1: dbbd1cbf444cefec25109dc19d33574b526d5c1a
- SHA256: 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4
- SHA512: b6f1fc2706be127180ed937aec25d03dd2f268e339397524de9715e198484f6c00fe6c191ce13358d62f8b6b943703524fc5e599e3b54b70e2b6c2e0cfa9a72f
- SSDEEP: 12288:7JuDFhY9HGbus7YjeLIcSdThuQsx9I9UF8KRNQ9HalPfz9QqDieQqLu/T/EUvvMZ:7+hGSSc5sus9Ux0Hal/LvpJv2V4a4h
Malware Config

Signatures

Luminosity (2 IoCs)
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
description | ioc | pid | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | - | 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe
- | - | 4780 | schtasks.exe

Luminosity family

Drops startup file (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bDBQhIKXVVbPZJSU.cmd.lnk | QbLYCBPGXPbYIDYcPIDgL.cmd

Executes dropped EXE (1 IoCs)
pid | Process
5108 | QbLYCBPGXPbYIDYcPIDgL.cmd

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "\"C:\\Program Files (x86)\\Client\\client.exe\" -a /a" | RegAsm.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 5108 set thread context of 3752 | 5108 | QbLYCBPGXPbYIDYcPIDgL.cmd | 84

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Client\client.exe | RegAsm.exe
File opened for modification | C:\Program Files (x86)\Client\client.exe | RegAsm.exe
File created | C:\Program Files (x86)\Client\client.exe.config | RegAsm.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QbLYCBPGXPbYIDYcPIDgL.cmd
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4780 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
5108 | QbLYCBPGXPbYIDYcPIDgL.cmd (6 identical entries)
3752 | RegAsm.exe (58 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3752 | RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3752 | RegAsm.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 4324 wrote to memory of 5108 | 4324 | 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe | 83
PID 4324 wrote to memory of 5108 | 4324 | 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe | 83
PID 4324 wrote to memory of 5108 | 4324 | 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe | 83
PID 5108 wrote to memory of 3752 | 5108 | QbLYCBPGXPbYIDYcPIDgL.cmd | 84
PID 5108 wrote to memory of 3752 | 5108 | QbLYCBPGXPbYIDYcPIDgL.cmd | 84
PID 5108 wrote to memory of 3752 | 5108 | QbLYCBPGXPbYIDYcPIDgL.cmd | 84
PID 5108 wrote to memory of 3752 | 5108 | QbLYCBPGXPbYIDYcPIDgL.cmd | 84
PID 5108 wrote to memory of 3752 | 5108 | QbLYCBPGXPbYIDYcPIDgL.cmd | 84
PID 3752 wrote to memory of 4780 | 3752 | RegAsm.exe | 99
PID 3752 wrote to memory of 4780 | 3752 | RegAsm.exe | 99
PID 3752 wrote to memory of 4780 | 3752 | RegAsm.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe (PID 4324, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe"
  Signatures:
  - Luminosity
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QbLYCBPGXPbYIDYcPIDgL.cmd (PID 5108, depth 2, child of 4324)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QbLYCBPGXPbYIDYcPIDgL.cmd QbLYCBPGXPbYIDYcPID
    Signatures:
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 3752, depth 3, child of 5108)
      CmdLine Args: -
      Signatures:
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 4780, depth 4, child of 3752)
        Command line: schtasks /create /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
        Signatures:
        - Luminosity
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 52KB
  MD5: a64daca3cfbcd039df3ec29d3eddd001
  SHA1: eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
  SHA256: 403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
  SHA512: b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479
- Filesize: 181B
  MD5: 0366f988e5ea426d80338070d8fa241b
  SHA1: 153b90af59d0598a0d5f5e083cb7ff24e2f7adcf
  SHA256: 325b14941e79aeb570eb4062714d446f70b51db3c14fa58c5d2f90c8dafe3c3e
  SHA512: 563a39c5958ae6f507e37923959a8a2608c7e9a6f338053edc142d8038849043c6050df2946116876102704ff14d6b36314aca468d91a7f3279754df2aba0bc2
- Filesize: 35KB
  MD5: 72b36c12497445f37160a6d0161cb995
  SHA1: da8f1a93a7bc5ef1ee0430367dcd776c646b6cbe
  SHA256: 4761f4a8b757b9c6cf7bb37bdf973b4a09e7bf93d3d21149172ec77a3ccd9552
  SHA512: a0707acb63702f1e095887eef1f130991233a329a5c142a33cef3243682be6742b046fba186ada03970ad2af50a5a161026f2146f4f5d7930fff4961b8dccf32
- Filesize: 915KB
  MD5: e01ced5c12390ff5256694eda890b33a
  SHA1: 0bb74a9d3154d1269e5e456aa41e94b60f753f78
  SHA256: 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
  SHA512: 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d
- Filesize: 452KB
  MD5: ad73d8fae345ee6c61d81f9c9b6abe73
  SHA1: e26043ea314136beaf98e7bcfcc902b60282c412
  SHA256: 978222e1962291bf90244b8593c90a14251fbcd4f313ef1e4619e4c83c72bac5
  SHA512: f696356c32fc101ce6c7096edb8c95ec1b6363102e18c924292db862e2cc88fc7ed87c93f43ad8c5955c1e59eb0d0004dd4140db0649557368ce24dd850be39d