luminosity | 03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db

General

Target

03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe
Size

225KB
MD5

7698bebc450e6133f1f4c11764651b10
SHA1

9927ab3e8c0ee56ccbcb1f93d5f0376966f26e15
SHA256

03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db
SHA512

0b8ded747b2eb249d686592b5b8ed162915ab3218c5d61096a1ac66b87a926f0ff9ed73ad382c81721e0b5a8bfea4fc0254e76449870c1d7c357ae67c0e63f0d
SSDEEP

3072:5U4f+fkjZt7fF0L2vMCDiu0Y8RxwLRMcR9aBeWvfxLWDwZeWJ2NJucbPvJ1nlYZU:51i+f3uBmLbR9JWJWYJYJuEvPrl6

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

repair.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	repair.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\304887\\repair.exe\""	repair.exe

Executes dropped EXE 1 IoCs

Processes:

repair.exe

pid process

1880 repair.exe

pid	process
1880	repair.exe

Loads dropped DLL 2 IoCs

Processes:

03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe

pid	process
1380	03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe
1380	03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

repair.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Mechanic = "\"C:\\ProgramData\\304887\\repair.exe\""	repair.exe

Drops file in System32 directory 2 IoCs

Processes:

repair.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\clientsvr.exe repair.exe
File created C:\Windows\SysWOW64\clientsvr.exe repair.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

repair.exe

pid process

1880 repair.exe
1880 repair.exe
1880 repair.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe

pid process

1380 03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

repair.exe

description pid process

Token: SeDebugPrivilege 1880 repair.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

repair.exe

pid process

1880 repair.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	repair.exe
File created	C:\Windows\SysWOW64\clientsvr.exe	repair.exe

pid	process
1880	repair.exe
1880	repair.exe
1880	repair.exe

description	pid	process
Token: SeDebugPrivilege	1880	repair.exe

pid	process
1880	repair.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe

description	pid	process	target process
PID 1380 wrote to memory of 1880	1380	03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe	repair.exe
PID 1380 wrote to memory of 1880	1380	03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe	repair.exe
PID 1380 wrote to memory of 1880	1380	03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe	repair.exe
PID 1380 wrote to memory of 1880	1380	03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe	repair.exe

C:\Users\Admin\AppData\Local\Temp\03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe
"C:\Users\Admin\AppData\Local\Temp\03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1380
- C:\ProgramData\304887\repair.exe
  "C:\ProgramData\304887\repair.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\304887\repair.exe

Filesize
225KB

MD5
7698bebc450e6133f1f4c11764651b10

SHA1
9927ab3e8c0ee56ccbcb1f93d5f0376966f26e15

SHA256
03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db

SHA512
0b8ded747b2eb249d686592b5b8ed162915ab3218c5d61096a1ac66b87a926f0ff9ed73ad382c81721e0b5a8bfea4fc0254e76449870c1d7c357ae67c0e63f0d

Download Submit
C:\ProgramData\304887\repair.exe

Filesize
225KB

MD5
7698bebc450e6133f1f4c11764651b10

SHA1
9927ab3e8c0ee56ccbcb1f93d5f0376966f26e15

SHA256
03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db

SHA512
0b8ded747b2eb249d686592b5b8ed162915ab3218c5d61096a1ac66b87a926f0ff9ed73ad382c81721e0b5a8bfea4fc0254e76449870c1d7c357ae67c0e63f0d

Download Submit
\ProgramData\304887\repair.exe

Filesize
225KB

MD5
7698bebc450e6133f1f4c11764651b10

SHA1
9927ab3e8c0ee56ccbcb1f93d5f0376966f26e15

SHA256
03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db

SHA512
0b8ded747b2eb249d686592b5b8ed162915ab3218c5d61096a1ac66b87a926f0ff9ed73ad382c81721e0b5a8bfea4fc0254e76449870c1d7c357ae67c0e63f0d

Download Submit
\ProgramData\304887\repair.exe

Filesize
225KB

MD5
7698bebc450e6133f1f4c11764651b10

SHA1
9927ab3e8c0ee56ccbcb1f93d5f0376966f26e15

SHA256
03ba35875299e23f8e69d8e009103593a6dcf068ea78212f550eeb9c1f2e85db

SHA512
0b8ded747b2eb249d686592b5b8ed162915ab3218c5d61096a1ac66b87a926f0ff9ed73ad382c81721e0b5a8bfea4fc0254e76449870c1d7c357ae67c0e63f0d

Download Submit
memory/1380-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1380-55-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/1380-63-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/1380-65-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/1880-58-0x0000000000000000-mapping.dmp

Download
memory/1880-62-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/1880-64-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads