Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-12-2024 08:33

General

  • Target

    695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe

  • Size

    1.0MB

  • MD5

    0213d411f64b6250c3bd2e0989ee7897

  • SHA1

    dbbd1cbf444cefec25109dc19d33574b526d5c1a

  • SHA256

    695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4

  • SHA512

    b6f1fc2706be127180ed937aec25d03dd2f268e339397524de9715e198484f6c00fe6c191ce13358d62f8b6b943703524fc5e599e3b54b70e2b6c2e0cfa9a72f

  • SSDEEP

    12288:7JuDFhY9HGbus7YjeLIcSdThuQsx9I9UF8KRNQ9HalPfz9QqDieQqLu/T/EUvvMZ:7+hGSSc5sus9Ux0Hal/LvpJv2V4a4h

Malware Config

Signatures

  • Luminosity 2 IoCs

Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.

  • Luminosity family
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe
    "C:\Users\Admin\AppData\Local\Temp\695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe"
    1⤵
    • Luminosity
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QbLYCBPGXPbYIDYcPIDgL.cmd
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QbLYCBPGXPbYIDYcPIDgL.cmd QbLYCBPGXPbYIDYcPID
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        - CmdLine Args
        3⤵
        • Adds Run key to start application
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3752
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
          4⤵
          • Luminosity
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4780

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Client\client.exe

    Filesize

    52KB

    MD5

    a64daca3cfbcd039df3ec29d3eddd001

    SHA1

    eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

    SHA256

    403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

    SHA512

    b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

  • C:\Program Files (x86)\Client\client.exe.config

    Filesize

    181B

    MD5

    0366f988e5ea426d80338070d8fa241b

    SHA1

    153b90af59d0598a0d5f5e083cb7ff24e2f7adcf

    SHA256

    325b14941e79aeb570eb4062714d446f70b51db3c14fa58c5d2f90c8dafe3c3e

    SHA512

    563a39c5958ae6f507e37923959a8a2608c7e9a6f338053edc142d8038849043c6050df2946116876102704ff14d6b36314aca468d91a7f3279754df2aba0bc2

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QbLYCBPGXPbYIDYcPID

    Filesize

    35KB

    MD5

    72b36c12497445f37160a6d0161cb995

    SHA1

    da8f1a93a7bc5ef1ee0430367dcd776c646b6cbe

    SHA256

    4761f4a8b757b9c6cf7bb37bdf973b4a09e7bf93d3d21149172ec77a3ccd9552

    SHA512

    a0707acb63702f1e095887eef1f130991233a329a5c142a33cef3243682be6742b046fba186ada03970ad2af50a5a161026f2146f4f5d7930fff4961b8dccf32

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QbLYCBPGXPbYIDYcPIDgL.cmd

    Filesize

    915KB

    MD5

    e01ced5c12390ff5256694eda890b33a

    SHA1

    0bb74a9d3154d1269e5e456aa41e94b60f753f78

    SHA256

    66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

    SHA512

    93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bDBQhIKXVVbP

    Filesize

    452KB

    MD5

    ad73d8fae345ee6c61d81f9c9b6abe73

    SHA1

    e26043ea314136beaf98e7bcfcc902b60282c412

    SHA256

    978222e1962291bf90244b8593c90a14251fbcd4f313ef1e4619e4c83c72bac5

    SHA512

    f696356c32fc101ce6c7096edb8c95ec1b6363102e18c924292db862e2cc88fc7ed87c93f43ad8c5955c1e59eb0d0004dd4140db0649557368ce24dd850be39d

  • memory/3752-19-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/3752-23-0x0000000073C22000-0x0000000073C23000-memory.dmp

    Filesize

    4KB

  • memory/3752-26-0x0000000073C20000-0x00000000741D1000-memory.dmp

    Filesize

    5.7MB

  • memory/3752-27-0x0000000073C20000-0x00000000741D1000-memory.dmp

    Filesize

    5.7MB

  • memory/3752-30-0x0000000073C22000-0x0000000073C23000-memory.dmp

    Filesize

    4KB

  • memory/3752-31-0x0000000073C20000-0x00000000741D1000-memory.dmp

    Filesize

    5.7MB

  • memory/5108-17-0x0000000004A30000-0x0000000004A31000-memory.dmp

    Filesize

    4KB