luminosity | 956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

General

Target

956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Size

454KB
MD5

29e6d27c57748d5d213aa77d707a2a05
SHA1

9cf15e6d65557297fe4223fbfd48d3c31ca54734
SHA256

956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6
SHA512

80dd38fc5fa39cd79b4e9eb83557608f92ac4a2a8423cf61eb1ec7c3d3bff15ea1217898faeae3e69682a42918974d08938804b11f56a24b95431d215a7fea9d

Score

10^/10

luminosity evasion persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe\""	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 3 IoCs

pid	Process
4720	tcent.exe.exe
2848	tcent.exe.exe
1328	tcent.exe.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tcent.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tcent.exe.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\HWKLADMIN = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe\""	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	tcent.exe.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	tcent.exe.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\clientsvr.exe	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 2524	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	90
PID 4720 set thread context of 1328	4720	tcent.exe.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
4720	tcent.exe.exe
4720	tcent.exe.exe
4720	tcent.exe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
Token: SeDebugPrivilege	4720	tcent.exe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2524	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1472	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	88
PID 4028 wrote to memory of 1472	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	88
PID 4028 wrote to memory of 1472	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	88
PID 4028 wrote to memory of 2524	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	90
PID 4028 wrote to memory of 2524	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	90
PID 4028 wrote to memory of 2524	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	90
PID 4028 wrote to memory of 2524	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	90
PID 4028 wrote to memory of 2524	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	90
PID 4028 wrote to memory of 2524	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	90
PID 4028 wrote to memory of 2524	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	90
PID 4028 wrote to memory of 2524	4028	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	90
PID 2524 wrote to memory of 4720	2524	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	91
PID 2524 wrote to memory of 4720	2524	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	91
PID 2524 wrote to memory of 4720	2524	956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe	91
PID 4720 wrote to memory of 2848	4720	tcent.exe.exe	92
PID 4720 wrote to memory of 2848	4720	tcent.exe.exe	92
PID 4720 wrote to memory of 2848	4720	tcent.exe.exe	92
PID 4720 wrote to memory of 1328	4720	tcent.exe.exe	93
PID 4720 wrote to memory of 1328	4720	tcent.exe.exe	93
PID 4720 wrote to memory of 1328	4720	tcent.exe.exe	93
PID 4720 wrote to memory of 1328	4720	tcent.exe.exe	93
PID 4720 wrote to memory of 1328	4720	tcent.exe.exe	93
PID 4720 wrote to memory of 1328	4720	tcent.exe.exe	93
PID 4720 wrote to memory of 1328	4720	tcent.exe.exe	93
PID 4720 wrote to memory of 1328	4720	tcent.exe.exe	93

C:\Users\Admin\AppData\Local\Temp\956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
"C:\Users\Admin\AppData\Local\Temp\956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QJBGtQhm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1472
- C:\Users\Admin\AppData\Local\Temp\956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe
  "{path}"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\ProgramData\635303\tcent.exe.exe
    "C:\ProgramData\635303\tcent.exe.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\ProgramData\635303\tcent.exe.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:2848
  - - C:\ProgramData\635303\tcent.exe.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\635303\tcent.exe.exe

Filesize
454KB

MD5
29e6d27c57748d5d213aa77d707a2a05

SHA1
9cf15e6d65557297fe4223fbfd48d3c31ca54734

SHA256
956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

SHA512
80dd38fc5fa39cd79b4e9eb83557608f92ac4a2a8423cf61eb1ec7c3d3bff15ea1217898faeae3e69682a42918974d08938804b11f56a24b95431d215a7fea9d

Download Submit
C:\ProgramData\635303\tcent.exe.exe

Filesize
454KB

MD5
29e6d27c57748d5d213aa77d707a2a05

SHA1
9cf15e6d65557297fe4223fbfd48d3c31ca54734

SHA256
956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

SHA512
80dd38fc5fa39cd79b4e9eb83557608f92ac4a2a8423cf61eb1ec7c3d3bff15ea1217898faeae3e69682a42918974d08938804b11f56a24b95431d215a7fea9d

Download Submit
C:\ProgramData\635303\tcent.exe.exe

Filesize
454KB

MD5
29e6d27c57748d5d213aa77d707a2a05

SHA1
9cf15e6d65557297fe4223fbfd48d3c31ca54734

SHA256
956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

SHA512
80dd38fc5fa39cd79b4e9eb83557608f92ac4a2a8423cf61eb1ec7c3d3bff15ea1217898faeae3e69682a42918974d08938804b11f56a24b95431d215a7fea9d

Download Submit
C:\ProgramData\635303\tcent.exe.exe

Filesize
454KB

MD5
29e6d27c57748d5d213aa77d707a2a05

SHA1
9cf15e6d65557297fe4223fbfd48d3c31ca54734

SHA256
956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

SHA512
80dd38fc5fa39cd79b4e9eb83557608f92ac4a2a8423cf61eb1ec7c3d3bff15ea1217898faeae3e69682a42918974d08938804b11f56a24b95431d215a7fea9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6.exe.log

Filesize
588B

MD5
49461f799113a05a28d6b992090c22ce

SHA1
4049a26ca32ff9ed84fd748b75b36b73e17510ce

SHA256
efa0ab0bd196baf69522d0e11a8bb384a1f0e1806590db7b6ed34abcf6faf5c3

SHA512
dffd0fc9f13c5821f9a55bbfb0e1cb980b29903228805fda0331de68ef1ecfa7e716ebcb50c1a2429e5373f6c9e31977472e04769adf9feac8c7fe10f1814bc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\tcent.exe.exe.log

Filesize
588B

MD5
49461f799113a05a28d6b992090c22ce

SHA1
4049a26ca32ff9ed84fd748b75b36b73e17510ce

SHA256
efa0ab0bd196baf69522d0e11a8bb384a1f0e1806590db7b6ed34abcf6faf5c3

SHA512
dffd0fc9f13c5821f9a55bbfb0e1cb980b29903228805fda0331de68ef1ecfa7e716ebcb50c1a2429e5373f6c9e31977472e04769adf9feac8c7fe10f1814bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp

Filesize
1KB

MD5
a2f5aab7af5c92e514f46ddba9643340

SHA1
6c5fc91dd244c8d0e00a23c7064389f4724189fa

SHA256
010320a1eda2e1487b630203d1405dca18bc8d12c0b30e8cb8de5f74d1ba2342

SHA512
2da11cfc815e829caac39065413c2c3bdd65f0fff07bdcd4e0b4f8544e00184e28d6b73b185b1905e9ae82407ed6a67ef3924f8534001e3453dfeb50e769bf85

Download Submit
memory/1328-147-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/2524-136-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/2524-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4028-130-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4720-140-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads