Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 08:38
Static task: static1
Behavioral task: behavioral1
Sample: 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe
Resource: win10v2004-20241007-en
General

Target: 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe
Size: 1.0MB
MD5: 0213d411f64b6250c3bd2e0989ee7897
SHA1: dbbd1cbf444cefec25109dc19d33574b526d5c1a
SHA256: 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4
SHA512: b6f1fc2706be127180ed937aec25d03dd2f268e339397524de9715e198484f6c00fe6c191ce13358d62f8b6b943703524fc5e599e3b54b70e2b6c2e0cfa9a72f
SSDEEP: 12288:7JuDFhY9HGbus7YjeLIcSdThuQsx9I9UF8KRNQ9HalPfz9QqDieQqLu/T/EUvvMZ:7+hGSSc5sus9Ux0Hal/LvpJv2V4a4h
Malware Config
Signatures
Luminosity 2 IoCs
Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe)
PID 4044 (Process: schtasks.exe)
Luminosity family
Drops startup file 2 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bDBQhIKXVVbPZJSU.cmd.lnk (Process: QbLYCBPGXPbYIDYcPIDgL.cmd)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bDBQhIKXVVbPZJSU.cmd.lnk (Process: RegAsm.exe)
Executes dropped EXE 1 IoCs
PID 2456 (Process: QbLYCBPGXPbYIDYcPIDgL.cmd)
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Process: 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "\"C:\\Program Files (x86)\\Client\\client.exe\" -a /a" (Process: RegAsm.exe)
Suspicious use of SetThreadContext 1 IoCs
PID 2456 set thread context of 4156 (Process: QbLYCBPGXPbYIDYcPIDgL.cmd, procid_target: 85)
Drops file in Program Files directory 3 IoCs
File created: C:\Program Files (x86)\Client\client.exe (Process: RegAsm.exe)
File opened for modification: C:\Program Files (x86)\Client\client.exe (Process: RegAsm.exe)
File created: C:\Program Files (x86)\Client\client.exe.config (Process: RegAsm.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: QbLYCBPGXPbYIDYcPIDgL.cmd)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: RegAsm.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: schtasks.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 4044 (Process: schtasks.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
All 64 entries belong to two processes:
PID 2456 (Process: QbLYCBPGXPbYIDYcPIDgL.cmd), repeated
PID 4156 (Process: RegAsm.exe), repeated
Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeDebugPrivilege (PID 4156, Process: RegAsm.exe)
Suspicious use of SetWindowsHookEx 1 IoCs
PID 4156 (Process: RegAsm.exe)
Suspicious use of WriteProcessMemory 11 IoCs
PID 628 wrote to memory of 2456 (Process: 695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe, procid_target: 84), 3 entries
PID 2456 wrote to memory of 4156 (Process: QbLYCBPGXPbYIDYcPIDgL.cmd, procid_target: 85), 5 entries
PID 4156 wrote to memory of 4044 (Process: RegAsm.exe, procid_target: 100), 3 entries
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\695948025c33e266f635153993f55133514836be90cdd0739d860bcde6d863c4.exe"
PID: 628
- Luminosity
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 2 (child of PID 628): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QbLYCBPGXPbYIDYcPIDgL.cmd
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QbLYCBPGXPbYIDYcPIDgL.cmd QbLYCBPGXPbYIDYcPID
PID: 2456
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 3 (child of PID 2456): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Command line: (not shown)
PID: 4156
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 4 (child of PID 4156): C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
PID: 4044
- Luminosity
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bDBQhIKXVVbPZJSU.cmd.lnk
Filesize: 945B