luminosity | c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
Size

169KB
MD5

418d0256f14d3f9b015ec27212ce3780
SHA1

8fcc57804cfef696487ed168aeb1aaae979642b4
SHA256

c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289
SHA512

dec392c2a931258389f41b8f9d76256ef56a196f86491a6713360442dfa5f66118d8861066738849445e83c22e51944608ea5aaad0ef433bbc97b23ebd6ba97a
SSDEEP

3072:2mpoVuPJRNCcCn2W5Y/8hFJm9SMQ1Fdl1SVExPedn4TZJg8dbSjjyxbkjM9:oP7zE974FdEWwC3xbGM

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\800110\\repair.exe\""	repair.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	repair.exe

Executes dropped EXE 2 IoCs

pid	Process
4764	repair.exe
4112	repair.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Mechanic = "\"C:\\ProgramData\\800110\\repair.exe\""	repair.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	repair.exe
File created	C:\Windows\SysWOW64\clientsvr.exe	repair.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5072 set thread context of 4524	5072	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe	90
PID 4764 set thread context of 4112	4764	repair.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5072	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
4764	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4524	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
4524	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4764	repair.exe
4764	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe
4112	repair.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4524	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
Token: SeDebugPrivilege	4764	repair.exe
Token: SeDebugPrivilege	4112	repair.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4112	repair.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4524	5072	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe	90
PID 5072 wrote to memory of 4524	5072	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe	90
PID 5072 wrote to memory of 4524	5072	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe	90
PID 5072 wrote to memory of 4524	5072	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe	90
PID 5072 wrote to memory of 4524	5072	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe	90
PID 5072 wrote to memory of 4524	5072	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe	90
PID 5072 wrote to memory of 4524	5072	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe	90
PID 5072 wrote to memory of 4524	5072	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe	90
PID 4524 wrote to memory of 4764	4524	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe	91
PID 4524 wrote to memory of 4764	4524	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe	91
PID 4524 wrote to memory of 4764	4524	c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe	91
PID 4764 wrote to memory of 4112	4764	repair.exe	93
PID 4764 wrote to memory of 4112	4764	repair.exe	93
PID 4764 wrote to memory of 4112	4764	repair.exe	93
PID 4764 wrote to memory of 4112	4764	repair.exe	93
PID 4764 wrote to memory of 4112	4764	repair.exe	93
PID 4764 wrote to memory of 4112	4764	repair.exe	93
PID 4764 wrote to memory of 4112	4764	repair.exe	93
PID 4764 wrote to memory of 4112	4764	repair.exe	93
PID 4112 wrote to memory of 4524	4112	repair.exe	90
PID 4112 wrote to memory of 4524	4112	repair.exe	90
PID 4112 wrote to memory of 4524	4112	repair.exe	90
PID 4112 wrote to memory of 4524	4112	repair.exe	90
PID 4112 wrote to memory of 4524	4112	repair.exe	90
PID 4112 wrote to memory of 4764	4112	repair.exe	91
PID 4112 wrote to memory of 4764	4112	repair.exe	91
PID 4112 wrote to memory of 4764	4112	repair.exe	91
PID 4112 wrote to memory of 4764	4112	repair.exe	91
PID 4112 wrote to memory of 4764	4112	repair.exe	91

C:\Users\Admin\AppData\Local\Temp\c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
"C:\Users\Admin\AppData\Local\Temp\c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe
  "C:\Users\Admin\AppData\Local\Temp\c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\ProgramData\800110\repair.exe
    "C:\ProgramData\800110\repair.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\ProgramData\800110\repair.exe
      "C:\ProgramData\800110\repair.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\800110\repair.exe

Filesize
169KB

MD5
418d0256f14d3f9b015ec27212ce3780

SHA1
8fcc57804cfef696487ed168aeb1aaae979642b4

SHA256
c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289

SHA512
dec392c2a931258389f41b8f9d76256ef56a196f86491a6713360442dfa5f66118d8861066738849445e83c22e51944608ea5aaad0ef433bbc97b23ebd6ba97a

Download Submit
C:\ProgramData\800110\repair.exe

Filesize
169KB

MD5
418d0256f14d3f9b015ec27212ce3780

SHA1
8fcc57804cfef696487ed168aeb1aaae979642b4

SHA256
c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289

SHA512
dec392c2a931258389f41b8f9d76256ef56a196f86491a6713360442dfa5f66118d8861066738849445e83c22e51944608ea5aaad0ef433bbc97b23ebd6ba97a

Download Submit
C:\ProgramData\800110\repair.exe

Filesize
169KB

MD5
418d0256f14d3f9b015ec27212ce3780

SHA1
8fcc57804cfef696487ed168aeb1aaae979642b4

SHA256
c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289

SHA512
dec392c2a931258389f41b8f9d76256ef56a196f86491a6713360442dfa5f66118d8861066738849445e83c22e51944608ea5aaad0ef433bbc97b23ebd6ba97a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\c56e4b72ee5cc4f5a777c877ceb598b0a2305b3992b51ad6004550ad27ac4289.exe.log

Filesize
319B

MD5
91046f2e147049d3e53cd9bf9d4d95ed

SHA1
228e347d062840b2edcbd16904475aacad414c62

SHA256
ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

SHA512
071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

Download Submit
memory/4112-156-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4112-148-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4112-147-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4524-151-0x00000000072C0000-0x00000000072D7000-memory.dmp

Filesize
92KB

Download
memory/4524-149-0x00000000072C0000-0x00000000072D7000-memory.dmp

Filesize
92KB

Download
memory/4524-142-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4524-158-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4524-150-0x00000000072C0000-0x00000000072D7000-memory.dmp

Filesize
92KB

Download
memory/4524-136-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4524-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-154-0x0000000006090000-0x00000000060A7000-memory.dmp

Filesize
92KB

Download
memory/4764-152-0x0000000006090000-0x00000000060A7000-memory.dmp

Filesize
92KB

Download
memory/4764-153-0x0000000006090000-0x00000000060A7000-memory.dmp

Filesize
92KB

Download
memory/4764-141-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4764-155-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4764-143-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/5072-137-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/5072-132-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/5072-133-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download