luminosity | a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69

General

Target

a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
Size

2.0MB
MD5

aa2029141de945ce6e875597eab77db7
SHA1

8a67d1126de4280741a24a65c1a81a631e036fbc
SHA256

a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69
SHA512

fb9ea5b20b2ee22caaff999e07fc77d7e197db9e3e898638f083e4ddb4b53a1a0b3d6ed3c8925dffb7c96435ceb1352a89f265f0b38ebad0a4f52d892d9b91c2

Score

10^/10

luminosity rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Executes dropped EXE 2 IoCs

pid	Process
1636	IntelHQ.exe
1764	IntelHQ.exe

Loads dropped DLL 1 IoCs

pid	Process
1572	cmd.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	IntelHQ.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	IntelHQ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 1764	1636	IntelHQ.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
1636	IntelHQ.exe
1636	IntelHQ.exe
1636	IntelHQ.exe
1636	IntelHQ.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1636	IntelHQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
Token: SeDebugPrivilege	1636	IntelHQ.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1764	IntelHQ.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 1700	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe	30
PID 792 wrote to memory of 1700	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe	30
PID 792 wrote to memory of 1700	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe	30
PID 792 wrote to memory of 1700	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe	30
PID 792 wrote to memory of 1104	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe	32
PID 792 wrote to memory of 1104	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe	32
PID 792 wrote to memory of 1104	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe	32
PID 792 wrote to memory of 1104	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe	32
PID 792 wrote to memory of 1572	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe	34
PID 792 wrote to memory of 1572	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe	34
PID 792 wrote to memory of 1572	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe	34
PID 792 wrote to memory of 1572	792	a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe	34
PID 1572 wrote to memory of 1636	1572	cmd.exe	36
PID 1572 wrote to memory of 1636	1572	cmd.exe	36
PID 1572 wrote to memory of 1636	1572	cmd.exe	36
PID 1572 wrote to memory of 1636	1572	cmd.exe	36
PID 1636 wrote to memory of 1764	1636	IntelHQ.exe	37
PID 1636 wrote to memory of 1764	1636	IntelHQ.exe	37
PID 1636 wrote to memory of 1764	1636	IntelHQ.exe	37
PID 1636 wrote to memory of 1764	1636	IntelHQ.exe	37
PID 1636 wrote to memory of 1764	1636	IntelHQ.exe	37

C:\Users\Admin\AppData\Local\Temp\a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe
"C:\Users\Admin\AppData\Local\Temp\a46470252300473bd2f6b703c07323fe567557c6195d392d7273ea981c95dd69.exe"
1⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\568fc4a3-5966-4d10-b433-96b5090ed4ce" /F
  2⤵
  PID:1700
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\568fc4a3-5966-4d10-b433-96b5090ed4ce" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1636280375.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\IntelHQ.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Users\Admin\AppData\Roaming\IntelHQ.exe
    C:\Users\Admin\AppData\Roaming\IntelHQ.exe
    3⤵
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Users\Admin\AppData\Roaming\IntelHQ.exe
      C:\Users\Admin\AppData\Roaming\IntelHQ.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1636280375.tmp

Filesize
1KB

MD5
6899e933cfd2aca4ca9e45278b7d542c

SHA1
db38339c9822b505e23867bd9c37a55e6e40b891

SHA256
96849425f5b04e8ab5e47913729f5c24805c0de4c10863e4b1ce83fd669ea1d7

SHA512
21dc7a6d91c2096ea3ef5d72f6d4d310125163d4acf59a713418f630c53adeb94d0bc76e435fdd943034a23733a760c952414724e2af51571fa3455a885d9c5b

Download Submit
C:\Users\Admin\AppData\Roaming\IntelHQ.exe

Filesize
2.0MB

MD5
e53ded1e6877ce5465412b622df5ff20

SHA1
3e2c951e4ba2f0eff20f347917e69a36b8c6fab7

SHA256
fefec8239563ebb213dfd8ce1de19943266216c9601883aa1edc646b669b882a

SHA512
4c564b14ba398dd33b8737fa387a6e53bb2ced3d92ff99720e9078030b31518b61e4a778c03277b0001e9c95d5ad79171f8145aa909b76ca31449294cb5b2aaa

Download Submit
C:\Users\Admin\AppData\Roaming\IntelHQ.exe

Filesize
2.0MB

MD5
e53ded1e6877ce5465412b622df5ff20

SHA1
3e2c951e4ba2f0eff20f347917e69a36b8c6fab7

SHA256
fefec8239563ebb213dfd8ce1de19943266216c9601883aa1edc646b669b882a

SHA512
4c564b14ba398dd33b8737fa387a6e53bb2ced3d92ff99720e9078030b31518b61e4a778c03277b0001e9c95d5ad79171f8145aa909b76ca31449294cb5b2aaa

Download Submit
C:\Users\Admin\AppData\Roaming\IntelHQ.exe

Filesize
2.0MB

MD5
e53ded1e6877ce5465412b622df5ff20

SHA1
3e2c951e4ba2f0eff20f347917e69a36b8c6fab7

SHA256
fefec8239563ebb213dfd8ce1de19943266216c9601883aa1edc646b669b882a

SHA512
4c564b14ba398dd33b8737fa387a6e53bb2ced3d92ff99720e9078030b31518b61e4a778c03277b0001e9c95d5ad79171f8145aa909b76ca31449294cb5b2aaa

Download Submit
\Users\Admin\AppData\Roaming\IntelHQ.exe

Filesize
2.0MB

MD5
e53ded1e6877ce5465412b622df5ff20

SHA1
3e2c951e4ba2f0eff20f347917e69a36b8c6fab7

SHA256
fefec8239563ebb213dfd8ce1de19943266216c9601883aa1edc646b669b882a

SHA512
4c564b14ba398dd33b8737fa387a6e53bb2ced3d92ff99720e9078030b31518b61e4a778c03277b0001e9c95d5ad79171f8145aa909b76ca31449294cb5b2aaa

Download Submit
memory/792-55-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/792-56-0x0000000000E95000-0x0000000000EA6000-memory.dmp

Filesize
68KB

Download
memory/792-54-0x00000000758A1000-0x00000000758A3000-memory.dmp

Filesize
8KB

Download
memory/1636-67-0x0000000002255000-0x0000000002266000-memory.dmp

Filesize
68KB

Download
memory/1636-66-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-68-0x0000000004ED0000-0x0000000004ED3000-memory.dmp

Filesize
12KB

Download
memory/1764-72-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads