luminosity | f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7

Analysis

max time kernel
149s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
Size

823KB
MD5

12e6771c261c522bc702ab413ce3f7f6
SHA1

19e299d59236739b3f826c5d37723d39aa28489d
SHA256

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7
SHA512

9ae5ce4484a0cb3d2681aee3ee6a1d22e78858341d182c091c66d7a5128e8f730a1e70660366a27767bdeb5305ee311e85a00865fdc750d8ea844026053f82ab
SSDEEP

12288:y6Wq4aaE6KwyF5L0Y2D1PqLX7okJixkya90M7iNgtsgnEemtGqBgkUhBF/eLzkw:wthEVaPqLbmkR9Bu+sremtngPXFGL1

Score

10^/10

luminosity persistence rat upx

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

scvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\336577\\scvhost.exe\""	scvhost.exe

Executes dropped EXE 2 IoCs

Processes:

se.exescvhost.exe

pid process

1636 se.exe
832 scvhost.exe

pid	process
1636	se.exe
832	scvhost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1060-57-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral1/memory/1788-68-0x0000000000400000-0x00000000004BC000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

svchost.exese.exe

pid process

112 svchost.exe
112 svchost.exe
1636 se.exe
1636 se.exe

pid	process
112	svchost.exe
112	svchost.exe
1636	se.exe
1636	se.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

scvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Audio Manger = "\"C:\\ProgramData\\336577\\scvhost.exe\""	scvhost.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1060-57-0x0000000000400000-0x00000000004BC000-memory.dmp	autoit_exe
behavioral1/memory/1788-68-0x0000000000400000-0x00000000004BC000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

scvhost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	scvhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe

description	pid	process	target process
PID 1788 set thread context of 112	1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exescvhost.exe

pid process

1788 f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
832 scvhost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

scvhost.exe

description pid process

Token: SeDebugPrivilege 832 scvhost.exe

pid	process
1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
832	scvhost.exe

description	pid	process
Token: SeDebugPrivilege	832	scvhost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exef71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe

pid	process
1060	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1060	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1060	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exef71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe

pid	process
1060	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1060	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1060	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exescvhost.exe

pid process

112 svchost.exe
832 scvhost.exe

pid	process
112	svchost.exe
832	scvhost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exef71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exesvchost.exese.exe

description	pid	process	target process
PID 1060 wrote to memory of 1788	1060	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
PID 1060 wrote to memory of 1788	1060	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
PID 1060 wrote to memory of 1788	1060	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
PID 1060 wrote to memory of 1788	1060	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
PID 1788 wrote to memory of 112	1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 1788 wrote to memory of 112	1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 1788 wrote to memory of 112	1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 1788 wrote to memory of 112	1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 1788 wrote to memory of 112	1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 1788 wrote to memory of 112	1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 1788 wrote to memory of 112	1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 1788 wrote to memory of 112	1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 1788 wrote to memory of 112	1788	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 112 wrote to memory of 1636	112	svchost.exe	se.exe
PID 112 wrote to memory of 1636	112	svchost.exe	se.exe
PID 112 wrote to memory of 1636	112	svchost.exe	se.exe
PID 112 wrote to memory of 1636	112	svchost.exe	se.exe
PID 1636 wrote to memory of 832	1636	se.exe	scvhost.exe
PID 1636 wrote to memory of 832	1636	se.exe	scvhost.exe
PID 1636 wrote to memory of 832	1636	se.exe	scvhost.exe
PID 1636 wrote to memory of 832	1636	se.exe	scvhost.exe

C:\Users\Admin\AppData\Local\Temp\f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
"C:\Users\Admin\AppData\Local\Temp\f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
  "C:\Users\Admin\AppData\Local\Temp\f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\data.bin"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1788
- - \??\c:\windows\SysWOW64\svchost.exe
    "c:\windows\system32\svchost.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\se.exe
      "C:\Users\Admin\AppData\Local\Temp\se.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\ProgramData\336577\scvhost.exe
        
        "C:\ProgramData\336577\scvhost.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\336577\scvhost.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
C:\ProgramData\336577\scvhost.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.bin

Filesize
538KB

MD5
8bf53729c64b8d2ebfbafeee2b73e919

SHA1
0fcac6b03eaac3cacb46ba2617563a6860a9f100

SHA256
f210a2ff555d39aa3753cc3f4a2555787822d60e162b85603ac112d5b6e572d9

SHA512
46ab625b43549822ee02cb4f933d9e52cfd8ebbdc307f5e91055f30ec5c06f99f7a9986698da79b1e9031dea921a9a64752d520e612066bf8ca16ff4b830db66

Download Submit
C:\Users\Admin\AppData\Local\Temp\se.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
C:\Users\Admin\AppData\Local\Temp\se.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
\ProgramData\336577\scvhost.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
\ProgramData\336577\scvhost.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
\Users\Admin\AppData\Local\Temp\se.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
\Users\Admin\AppData\Local\Temp\se.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
memory/112-62-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/112-60-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/112-66-0x000000000040183C-mapping.dmp

Download
memory/112-59-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/112-72-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/112-65-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/112-79-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/832-84-0x0000000000000000-mapping.dmp

Download
memory/832-88-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/832-90-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1060-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1060-57-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1636-81-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1636-76-0x0000000000000000-mapping.dmp

Download
memory/1636-89-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1636-91-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-68-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1788-55-0x0000000000000000-mapping.dmp

Download