luminosity | c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593

Analysis

max time kernel
150s
max time network
187s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe
Size

275KB
MD5

7ab36258b2737c9c524ef86e4dac3fc1
SHA1

06d53f520f2bfa22d67b72c50f25a09d3e6f1c13
SHA256

c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593
SHA512

9ababe89f7ea2a61545d04c3166bf095e09067e679361bbe2c244e0df19b1c9badbbd2069c095beea0bf10601a4c3b41ca89329a7eea06b855e199de4a122dad
SSDEEP

6144:fCCDSlq4ubyCk/shcc4TmF41NKOU9d7Z3+Gsk4h1151Lzk:aCsq4OUc9D7+im1jX

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	LiveChat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\812612\\LiveChat.exe\""	LiveChat.exe

Executes dropped EXE 3 IoCs

pid	Process
1120	LiveChat.exe
1472	LiveChat.exe
324	LiveChat.exe

Loads dropped DLL 2 IoCs

pid	Process
1124	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe
1124	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows98 = "\"C:\\ProgramData\\812612\\LiveChat.exe\""	LiveChat.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\clientsvr.exe	LiveChat.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	LiveChat.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 1124	1620	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	27
PID 1120 set thread context of 324	1120	LiveChat.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1120	LiveChat.exe
1120	LiveChat.exe
324	LiveChat.exe
324	LiveChat.exe
324	LiveChat.exe
324	LiveChat.exe
324	LiveChat.exe
1120	LiveChat.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1124	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe
Token: SeDebugPrivilege	1120	LiveChat.exe
Token: SeDebugPrivilege	324	LiveChat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
324	LiveChat.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1124	1620	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	27
PID 1620 wrote to memory of 1124	1620	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	27
PID 1620 wrote to memory of 1124	1620	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	27
PID 1620 wrote to memory of 1124	1620	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	27
PID 1620 wrote to memory of 1124	1620	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	27
PID 1620 wrote to memory of 1124	1620	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	27
PID 1620 wrote to memory of 1124	1620	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	27
PID 1620 wrote to memory of 1124	1620	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	27
PID 1620 wrote to memory of 1124	1620	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	27
PID 1124 wrote to memory of 1120	1124	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	29
PID 1124 wrote to memory of 1120	1124	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	29
PID 1124 wrote to memory of 1120	1124	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	29
PID 1124 wrote to memory of 1120	1124	c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe	29
PID 1120 wrote to memory of 1472	1120	LiveChat.exe	30
PID 1120 wrote to memory of 1472	1120	LiveChat.exe	30
PID 1120 wrote to memory of 1472	1120	LiveChat.exe	30
PID 1120 wrote to memory of 1472	1120	LiveChat.exe	30
PID 1120 wrote to memory of 324	1120	LiveChat.exe	31
PID 1120 wrote to memory of 324	1120	LiveChat.exe	31
PID 1120 wrote to memory of 324	1120	LiveChat.exe	31
PID 1120 wrote to memory of 324	1120	LiveChat.exe	31
PID 1120 wrote to memory of 324	1120	LiveChat.exe	31
PID 1120 wrote to memory of 324	1120	LiveChat.exe	31
PID 1120 wrote to memory of 324	1120	LiveChat.exe	31
PID 1120 wrote to memory of 324	1120	LiveChat.exe	31
PID 1120 wrote to memory of 324	1120	LiveChat.exe	31
PID 324 wrote to memory of 1120	324	LiveChat.exe	29
PID 324 wrote to memory of 1120	324	LiveChat.exe	29
PID 324 wrote to memory of 1120	324	LiveChat.exe	29
PID 324 wrote to memory of 1120	324	LiveChat.exe	29
PID 324 wrote to memory of 1120	324	LiveChat.exe	29

C:\Users\Admin\AppData\Local\Temp\c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe
"C:\Users\Admin\AppData\Local\Temp\c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe
  "C:\Users\Admin\AppData\Local\Temp\c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\ProgramData\812612\LiveChat.exe
    "C:\ProgramData\812612\LiveChat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\ProgramData\812612\LiveChat.exe
      "C:\ProgramData\812612\LiveChat.exe"
      4⤵
      Executes dropped EXE
      PID:1472
  - - C:\ProgramData\812612\LiveChat.exe
      "C:\ProgramData\812612\LiveChat.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\812612\LiveChat.exe

Filesize
275KB

MD5
7ab36258b2737c9c524ef86e4dac3fc1

SHA1
06d53f520f2bfa22d67b72c50f25a09d3e6f1c13

SHA256
c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593

SHA512
9ababe89f7ea2a61545d04c3166bf095e09067e679361bbe2c244e0df19b1c9badbbd2069c095beea0bf10601a4c3b41ca89329a7eea06b855e199de4a122dad

Download Submit
C:\ProgramData\812612\LiveChat.exe

Filesize
275KB

MD5
7ab36258b2737c9c524ef86e4dac3fc1

SHA1
06d53f520f2bfa22d67b72c50f25a09d3e6f1c13

SHA256
c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593

SHA512
9ababe89f7ea2a61545d04c3166bf095e09067e679361bbe2c244e0df19b1c9badbbd2069c095beea0bf10601a4c3b41ca89329a7eea06b855e199de4a122dad

Download Submit
C:\ProgramData\812612\LiveChat.exe

Filesize
275KB

MD5
7ab36258b2737c9c524ef86e4dac3fc1

SHA1
06d53f520f2bfa22d67b72c50f25a09d3e6f1c13

SHA256
c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593

SHA512
9ababe89f7ea2a61545d04c3166bf095e09067e679361bbe2c244e0df19b1c9badbbd2069c095beea0bf10601a4c3b41ca89329a7eea06b855e199de4a122dad

Download Submit
C:\ProgramData\812612\LiveChat.exe

Filesize
275KB

MD5
7ab36258b2737c9c524ef86e4dac3fc1

SHA1
06d53f520f2bfa22d67b72c50f25a09d3e6f1c13

SHA256
c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593

SHA512
9ababe89f7ea2a61545d04c3166bf095e09067e679361bbe2c244e0df19b1c9badbbd2069c095beea0bf10601a4c3b41ca89329a7eea06b855e199de4a122dad

Download Submit
\ProgramData\812612\LiveChat.exe

Filesize
275KB

MD5
7ab36258b2737c9c524ef86e4dac3fc1

SHA1
06d53f520f2bfa22d67b72c50f25a09d3e6f1c13

SHA256
c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593

SHA512
9ababe89f7ea2a61545d04c3166bf095e09067e679361bbe2c244e0df19b1c9badbbd2069c095beea0bf10601a4c3b41ca89329a7eea06b855e199de4a122dad

Download Submit
\ProgramData\812612\LiveChat.exe

Filesize
275KB

MD5
7ab36258b2737c9c524ef86e4dac3fc1

SHA1
06d53f520f2bfa22d67b72c50f25a09d3e6f1c13

SHA256
c1e3a631270b1ed51d96082a2de11c61c7a3910f48334e4e12b8b4e916cdd593

SHA512
9ababe89f7ea2a61545d04c3166bf095e09067e679361bbe2c244e0df19b1c9badbbd2069c095beea0bf10601a4c3b41ca89329a7eea06b855e199de4a122dad

Download Submit
memory/324-95-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/324-93-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1120-78-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1120-105-0x0000000000810000-0x0000000000827000-memory.dmp

Filesize
92KB

Download
memory/1120-102-0x0000000000810000-0x0000000000827000-memory.dmp

Filesize
92KB

Download
memory/1120-99-0x0000000000810000-0x0000000000827000-memory.dmp

Filesize
92KB

Download
memory/1120-97-0x0000000000810000-0x0000000000827000-memory.dmp

Filesize
92KB

Download
memory/1120-96-0x0000000000810000-0x0000000000827000-memory.dmp

Filesize
92KB

Download
memory/1120-76-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1124-77-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1124-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1124-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1124-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1124-94-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1124-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1124-69-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1124-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1124-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1620-55-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1620-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1620-68-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download