luminosity | 2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd

General

Target

2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe
Size

195KB
MD5

21dd8986af501f9fc28baabd8e186870
SHA1

1eda9f8e2692e61fbff86edc148339ca94790aaf
SHA256

2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd
SHA512

c3e063be0ad9e06097f36c06e74c126c871828a463b46046265092afb176bcde8c9e90019dfdb157562918cf580c7c075cdac34a2bed8998e81ec449c410f29a
SSDEEP

6144:0aBUduaP4zzzVooBIwf1Jd+X5RU6UPxhBIP:VfaSJH5IzU6UPXB

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	csrd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\346366\\csrd.exe\""	csrd.exe

Executes dropped EXE 2 IoCs

pid	Process
2288	csrd.exe
2640	csrd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\csrdLink = "\"C:\\ProgramData\\346366\\csrd.exe\""	csrd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\clientsvr.exe	csrd.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	csrd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 712 set thread context of 3996	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	82
PID 2288 set thread context of 2640	2288	csrd.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe
712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3996	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe
Token: SeDebugPrivilege	2288	csrd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2640	csrd.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 1860	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	81
PID 712 wrote to memory of 1860	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	81
PID 712 wrote to memory of 1860	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	81
PID 712 wrote to memory of 3996	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	82
PID 712 wrote to memory of 3996	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	82
PID 712 wrote to memory of 3996	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	82
PID 712 wrote to memory of 3996	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	82
PID 712 wrote to memory of 3996	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	82
PID 712 wrote to memory of 3996	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	82
PID 712 wrote to memory of 3996	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	82
PID 712 wrote to memory of 3996	712	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	82
PID 3996 wrote to memory of 2288	3996	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	87
PID 3996 wrote to memory of 2288	3996	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	87
PID 3996 wrote to memory of 2288	3996	2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe	87
PID 2288 wrote to memory of 2640	2288	csrd.exe	89
PID 2288 wrote to memory of 2640	2288	csrd.exe	89
PID 2288 wrote to memory of 2640	2288	csrd.exe	89
PID 2288 wrote to memory of 2640	2288	csrd.exe	89
PID 2288 wrote to memory of 2640	2288	csrd.exe	89
PID 2288 wrote to memory of 2640	2288	csrd.exe	89
PID 2288 wrote to memory of 2640	2288	csrd.exe	89
PID 2288 wrote to memory of 2640	2288	csrd.exe	89

C:\Users\Admin\AppData\Local\Temp\2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe
"C:\Users\Admin\AppData\Local\Temp\2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:712
- C:\Users\Admin\AppData\Local\Temp\2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe
  "C:\Users\Admin\AppData\Local\Temp\2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe"
  2⤵
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe
  "C:\Users\Admin\AppData\Local\Temp\2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\ProgramData\346366\csrd.exe
    "C:\ProgramData\346366\csrd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\ProgramData\346366\csrd.exe
      "C:\ProgramData\346366\csrd.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:2640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\346366\csrd.exe

Filesize
195KB

MD5
21dd8986af501f9fc28baabd8e186870

SHA1
1eda9f8e2692e61fbff86edc148339ca94790aaf

SHA256
2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd

SHA512
c3e063be0ad9e06097f36c06e74c126c871828a463b46046265092afb176bcde8c9e90019dfdb157562918cf580c7c075cdac34a2bed8998e81ec449c410f29a

Download Submit
C:\ProgramData\346366\csrd.exe

Filesize
195KB

MD5
21dd8986af501f9fc28baabd8e186870

SHA1
1eda9f8e2692e61fbff86edc148339ca94790aaf

SHA256
2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd

SHA512
c3e063be0ad9e06097f36c06e74c126c871828a463b46046265092afb176bcde8c9e90019dfdb157562918cf580c7c075cdac34a2bed8998e81ec449c410f29a

Download Submit
C:\ProgramData\346366\csrd.exe

Filesize
195KB

MD5
21dd8986af501f9fc28baabd8e186870

SHA1
1eda9f8e2692e61fbff86edc148339ca94790aaf

SHA256
2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd

SHA512
c3e063be0ad9e06097f36c06e74c126c871828a463b46046265092afb176bcde8c9e90019dfdb157562918cf580c7c075cdac34a2bed8998e81ec449c410f29a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\2d3ca2dafa9c3bd482d4b185abe31c4012050defec36af091543f96303484abd.exe.log

Filesize
313B

MD5
00b72ea3d569eb0d4fb85691b642f47c

SHA1
f9134a33706eb76ddb00e5276639d660a071da9b

SHA256
cd62d4fbf8b135be5c0b8448a7d53db7784869761a10ec99473f58f44d8e686c

SHA512
62af7608834d84fa95470247cab4bfa5a382825f81e9918b762e62dfc6c467e7b50cfb5b2fd36eff1da320e22aa8c1427c02820e06d9f2f6483e64740a43e8df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\csrd.exe.log

Filesize
313B

MD5
00b72ea3d569eb0d4fb85691b642f47c

SHA1
f9134a33706eb76ddb00e5276639d660a071da9b

SHA256
cd62d4fbf8b135be5c0b8448a7d53db7784869761a10ec99473f58f44d8e686c

SHA512
62af7608834d84fa95470247cab4bfa5a382825f81e9918b762e62dfc6c467e7b50cfb5b2fd36eff1da320e22aa8c1427c02820e06d9f2f6483e64740a43e8df

Download Submit
memory/712-132-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/712-138-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/712-133-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2288-144-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2288-145-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2288-151-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2640-150-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2640-152-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/3996-136-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3996-140-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/3996-139-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/3996-153-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads