luminosity | 956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

General

Target

956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Size

454KB
MD5

29e6d27c57748d5d213aa77d707a2a05
SHA1

9cf15e6d65557297fe4223fbfd48d3c31ca54734
SHA256

956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6
SHA512

80dd38fc5fa39cd79b4e9eb83557608f92ac4a2a8423cf61eb1ec7c3d3bff15ea1217898faeae3e69682a42918974d08938804b11f56a24b95431d215a7fea9d

Score

10^/10

luminosity evasion persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe\""	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 2 IoCs

pid	Process
1652	tcent.exe.exe
1968	tcent.exe.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tcent.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tcent.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe

Loads dropped DLL 2 IoCs

pid	Process
1876	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
1876	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HWKLADMIN = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe\""	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	tcent.exe.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	tcent.exe.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\clientsvr.exe	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 560 set thread context of 1876	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	30
PID 1652 set thread context of 1968	1652	tcent.exe.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
1652	tcent.exe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Token: SeDebugPrivilege	1652	tcent.exe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1876	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 288	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	28
PID 560 wrote to memory of 288	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	28
PID 560 wrote to memory of 288	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	28
PID 560 wrote to memory of 288	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	28
PID 560 wrote to memory of 1876	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	30
PID 560 wrote to memory of 1876	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	30
PID 560 wrote to memory of 1876	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	30
PID 560 wrote to memory of 1876	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	30
PID 560 wrote to memory of 1876	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	30
PID 560 wrote to memory of 1876	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	30
PID 560 wrote to memory of 1876	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	30
PID 560 wrote to memory of 1876	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	30
PID 560 wrote to memory of 1876	560	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	30
PID 1876 wrote to memory of 1652	1876	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	31
PID 1876 wrote to memory of 1652	1876	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	31
PID 1876 wrote to memory of 1652	1876	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	31
PID 1876 wrote to memory of 1652	1876	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	31
PID 1652 wrote to memory of 1968	1652	tcent.exe.exe	32
PID 1652 wrote to memory of 1968	1652	tcent.exe.exe	32
PID 1652 wrote to memory of 1968	1652	tcent.exe.exe	32
PID 1652 wrote to memory of 1968	1652	tcent.exe.exe	32
PID 1652 wrote to memory of 1968	1652	tcent.exe.exe	32
PID 1652 wrote to memory of 1968	1652	tcent.exe.exe	32
PID 1652 wrote to memory of 1968	1652	tcent.exe.exe	32
PID 1652 wrote to memory of 1968	1652	tcent.exe.exe	32
PID 1652 wrote to memory of 1968	1652	tcent.exe.exe	32

C:\Users\Admin\AppData\Local\Temp\956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
"C:\Users\Admin\AppData\Local\Temp\956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QJBGtQhm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80B5.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:288
- C:\Users\Admin\AppData\Local\Temp\956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
  "{path}"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\ProgramData\700240\tcent.exe.exe
    "C:\ProgramData\700240\tcent.exe.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\ProgramData\700240\tcent.exe.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\700240\tcent.exe.exe

Filesize
454KB

MD5
29e6d27c57748d5d213aa77d707a2a05

SHA1
9cf15e6d65557297fe4223fbfd48d3c31ca54734

SHA256
956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

SHA512
80dd38fc5fa39cd79b4e9eb83557608f92ac4a2a8423cf61eb1ec7c3d3bff15ea1217898faeae3e69682a42918974d08938804b11f56a24b95431d215a7fea9d

Download Submit
C:\ProgramData\700240\tcent.exe.exe

Filesize
454KB

MD5
29e6d27c57748d5d213aa77d707a2a05

SHA1
9cf15e6d65557297fe4223fbfd48d3c31ca54734

SHA256
956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

SHA512
80dd38fc5fa39cd79b4e9eb83557608f92ac4a2a8423cf61eb1ec7c3d3bff15ea1217898faeae3e69682a42918974d08938804b11f56a24b95431d215a7fea9d

Download Submit
C:\ProgramData\700240\tcent.exe.exe

Filesize
454KB

MD5
29e6d27c57748d5d213aa77d707a2a05

SHA1
9cf15e6d65557297fe4223fbfd48d3c31ca54734

SHA256
956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

SHA512
80dd38fc5fa39cd79b4e9eb83557608f92ac4a2a8423cf61eb1ec7c3d3bff15ea1217898faeae3e69682a42918974d08938804b11f56a24b95431d215a7fea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80B5.tmp

Filesize
1KB

MD5
eb088272204e3e65b18b65cd93271438

SHA1
a7e1da50812dd57ef1b3da62b064243cf9c5623e

SHA256
07851e86f75187d635486c56627afa1c3948fd39eda0bd1d2f51edc4426f9301

SHA512
9113befb05d10ca385c382f55e64b67796cc81678d5d13c4a104b647eefb91d8d180d135581ed82f1439f3a78e71d6d665d2f291af01a77ab617db7cf3ffdc33

Download Submit
\ProgramData\700240\tcent.exe.exe

Filesize
454KB

MD5
29e6d27c57748d5d213aa77d707a2a05

SHA1
9cf15e6d65557297fe4223fbfd48d3c31ca54734

SHA256
956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

SHA512
80dd38fc5fa39cd79b4e9eb83557608f92ac4a2a8423cf61eb1ec7c3d3bff15ea1217898faeae3e69682a42918974d08938804b11f56a24b95431d215a7fea9d

Download Submit
\ProgramData\700240\tcent.exe.exe

Filesize
454KB

MD5
29e6d27c57748d5d213aa77d707a2a05

SHA1
9cf15e6d65557297fe4223fbfd48d3c31ca54734

SHA256
956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

SHA512
80dd38fc5fa39cd79b4e9eb83557608f92ac4a2a8423cf61eb1ec7c3d3bff15ea1217898faeae3e69682a42918974d08938804b11f56a24b95431d215a7fea9d

Download Submit
memory/560-55-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/560-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/1652-77-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1876-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1876-70-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1876-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1876-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1876-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1876-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1876-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1968-91-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads