luminosity | f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd

General

Target

f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
Size

253KB
MD5

20a3b4d6e70e3dbd30faae664ce04280
SHA1

21edc112e5891c1d7a15c5a48ed7e91660bd2922
SHA256

f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd
SHA512

d07602e1cf482e2c7d582c4c2d31c47e8bf52956175030bf88777f258680aee2ba25f0db9761897040dd5ee428a1180219ee02c74dbaccca46acc3e7827a47f0
SSDEEP

6144:kqvag7seJgTObmLbR9JWJWRJYJAqE7yQz:kqSeJgT3RvE+Yy+

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Mechanic = "\"C:\\ProgramData\\503313\\repair.exe\" -a /a"	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mechanic = "\"C:\\ProgramData\\503313\\repair.exe\" -a /a"	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe

pid	process
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe

pid process

4656 f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe

description pid process

Token: SeDebugPrivilege 4656 f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe

pid process

4656 f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe

description	pid	process
Token: SeDebugPrivilege	4656	f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe

C:\Users\Admin\AppData\Local\Temp\f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe
"C:\Users\Admin\AppData\Local\Temp\f252ce7f2f36976a2509d244e8be1bf6904ff7f65c0de890f05e4d5f728959dd.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4656-132-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4656-133-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing