luminosity | 044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0

General

Target

044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0.exe
Size

248KB
MD5

71c4f38df1f9e5fc232a1147eec23510
SHA1

b53d664a2213ff71a5eb1f896afd03d06277c2cb
SHA256

044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0
SHA512

aa659373944f47d46f87f7859337e49c1b853ab26c6423a63458522178faaf2c6117d2c33dc0e5e3a8d2e75f67d57ff4d211cec056c19a4b7aa463998f6c3bac
SSDEEP

3072:KU4f+fkjZt7fF0L2vMCDiu0Y8RxwLRMcR9aBeWvfxLWDw3eWJ2NJucbPvJ1nlYZC:K1i+f3uBmLbR9JWJW2JYJuEvPr

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\504659\\svchost.exe\""	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1204	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1184	044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0.exe
1184	044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Service Hoster = "\"C:\\ProgramData\\504659\\svchost.exe\""	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\clientsvr.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1204	svchost.exe
1204	svchost.exe
1204	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1184	044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1204	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1204	1184	044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0.exe	27
PID 1184 wrote to memory of 1204	1184	044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0.exe	27
PID 1184 wrote to memory of 1204	1184	044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0.exe	27
PID 1184 wrote to memory of 1204	1184	044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0.exe	27

C:\Users\Admin\AppData\Local\Temp\044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0.exe
"C:\Users\Admin\AppData\Local\Temp\044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1184
- C:\ProgramData\504659\svchost.exe
  "C:\ProgramData\504659\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\504659\svchost.exe

Filesize
248KB

MD5
71c4f38df1f9e5fc232a1147eec23510

SHA1
b53d664a2213ff71a5eb1f896afd03d06277c2cb

SHA256
044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0

SHA512
aa659373944f47d46f87f7859337e49c1b853ab26c6423a63458522178faaf2c6117d2c33dc0e5e3a8d2e75f67d57ff4d211cec056c19a4b7aa463998f6c3bac

Download Submit
C:\ProgramData\504659\svchost.exe

Filesize
248KB

MD5
71c4f38df1f9e5fc232a1147eec23510

SHA1
b53d664a2213ff71a5eb1f896afd03d06277c2cb

SHA256
044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0

SHA512
aa659373944f47d46f87f7859337e49c1b853ab26c6423a63458522178faaf2c6117d2c33dc0e5e3a8d2e75f67d57ff4d211cec056c19a4b7aa463998f6c3bac

Download Submit
\ProgramData\504659\svchost.exe

Filesize
248KB

MD5
71c4f38df1f9e5fc232a1147eec23510

SHA1
b53d664a2213ff71a5eb1f896afd03d06277c2cb

SHA256
044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0

SHA512
aa659373944f47d46f87f7859337e49c1b853ab26c6423a63458522178faaf2c6117d2c33dc0e5e3a8d2e75f67d57ff4d211cec056c19a4b7aa463998f6c3bac

Download Submit
\ProgramData\504659\svchost.exe

Filesize
248KB

MD5
71c4f38df1f9e5fc232a1147eec23510

SHA1
b53d664a2213ff71a5eb1f896afd03d06277c2cb

SHA256
044575c1d5d98c4d1d63c1e6d1ce0f5d1fdfc2700bc37818de25a9b9e60087c0

SHA512
aa659373944f47d46f87f7859337e49c1b853ab26c6423a63458522178faaf2c6117d2c33dc0e5e3a8d2e75f67d57ff4d211cec056c19a4b7aa463998f6c3bac

Download Submit
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1184-55-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-63-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-65-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-62-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-64-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads