luminosity | f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7

General

Target

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
Size

823KB
MD5

12e6771c261c522bc702ab413ce3f7f6
SHA1

19e299d59236739b3f826c5d37723d39aa28489d
SHA256

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7
SHA512

9ae5ce4484a0cb3d2681aee3ee6a1d22e78858341d182c091c66d7a5128e8f730a1e70660366a27767bdeb5305ee311e85a00865fdc750d8ea844026053f82ab
SSDEEP

12288:y6Wq4aaE6KwyF5L0Y2D1PqLX7okJixkya90M7iNgtsgnEemtGqBgkUhBF/eLzkw:wthEVaPqLbmkR9Bu+sremtngPXFGL1

Score

10^/10

luminosity persistence rat upx

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

scvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\217108\\scvhost.exe\""	scvhost.exe

Executes dropped EXE 2 IoCs

Processes:

se.exescvhost.exe

pid process

3592 se.exe
4480 scvhost.exe

pid	process
3592	se.exe
4480	scvhost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1268-132-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral2/memory/1268-134-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral2/memory/3812-136-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral2/memory/3812-140-0x0000000000400000-0x00000000004BC000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exese.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	se.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

scvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Audio Manger = "\"C:\\ProgramData\\217108\\scvhost.exe\""	scvhost.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/1268-132-0x0000000000400000-0x00000000004BC000-memory.dmp	autoit_exe
behavioral2/memory/1268-134-0x0000000000400000-0x00000000004BC000-memory.dmp	autoit_exe
behavioral2/memory/3812-136-0x0000000000400000-0x00000000004BC000-memory.dmp	autoit_exe
behavioral2/memory/3812-140-0x0000000000400000-0x00000000004BC000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

scvhost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	scvhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe

description	pid	process	target process
PID 3812 set thread context of 1972	3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exescvhost.exese.exe

pid	process
3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
3592	se.exe
3592	se.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe
4480	scvhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

scvhost.exe

description pid process

Token: SeDebugPrivilege 4480 scvhost.exe

description	pid	process
Token: SeDebugPrivilege	4480	scvhost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exef71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe

pid	process
1268	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1268	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1268	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1268	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exef71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe

pid	process
1268	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1268	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1268	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
1268	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exescvhost.exe

pid process

1972 svchost.exe
4480 scvhost.exe

pid	process
1972	svchost.exe
4480	scvhost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exef71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exesvchost.exese.exescvhost.exe

description	pid	process	target process
PID 1268 wrote to memory of 3812	1268	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
PID 1268 wrote to memory of 3812	1268	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
PID 1268 wrote to memory of 3812	1268	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
PID 3812 wrote to memory of 1972	3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 3812 wrote to memory of 1972	3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 3812 wrote to memory of 1972	3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 3812 wrote to memory of 1972	3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 3812 wrote to memory of 1972	3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 3812 wrote to memory of 1972	3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 3812 wrote to memory of 1972	3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 3812 wrote to memory of 1972	3812	f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe	svchost.exe
PID 1972 wrote to memory of 3592	1972	svchost.exe	se.exe
PID 1972 wrote to memory of 3592	1972	svchost.exe	se.exe
PID 1972 wrote to memory of 3592	1972	svchost.exe	se.exe
PID 3592 wrote to memory of 4480	3592	se.exe	scvhost.exe
PID 3592 wrote to memory of 4480	3592	se.exe	scvhost.exe
PID 3592 wrote to memory of 4480	3592	se.exe	scvhost.exe
PID 4480 wrote to memory of 3592	4480	scvhost.exe	se.exe
PID 4480 wrote to memory of 3592	4480	scvhost.exe	se.exe
PID 4480 wrote to memory of 3592	4480	scvhost.exe	se.exe
PID 4480 wrote to memory of 3592	4480	scvhost.exe	se.exe
PID 4480 wrote to memory of 3592	4480	scvhost.exe	se.exe

C:\Users\Admin\AppData\Local\Temp\f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
"C:\Users\Admin\AppData\Local\Temp\f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe
  "C:\Users\Admin\AppData\Local\Temp\f71019c44cdb9c7f429a775d23406b5262f010ea465f75e35660a79f788e90f7.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\data.bin"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3812
- - \??\c:\windows\SysWOW64\svchost.exe
    "c:\windows\system32\svchost.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\se.exe
      "C:\Users\Admin\AppData\Local\Temp\se.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\ProgramData\217108\scvhost.exe
        
        "C:\ProgramData\217108\scvhost.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\217108\scvhost.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
C:\ProgramData\217108\scvhost.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.bin

Filesize
64KB

MD5
79edc50660701c02bef048aa07e9aefa

SHA1
f11a26beb1e0b95250f372f72ad3269362eb9845

SHA256
8221bc5a9b64b844b9118044895e84ebcc5152436a00ac2aaa5df51bf8a3de99

SHA512
53328fd1681543d7434f369743c47c4987e02f086a98a4f603b6439fe246f7c3e55f9cf731992b9e6fcbae70dd2f8b744955facca8026722d6adc961733cd09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\se.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
C:\Users\Admin\AppData\Local\Temp\se.exe

Filesize
365KB

MD5
257ba86a2263c16001d06f77e346ef86

SHA1
1068158a1d06ac36983fb1586680224dc16a57bc

SHA256
3dcf071645ab0543774575cf43ba0bf2207d2257c190be11609ddd30b3d5e4a9

SHA512
a00c26236b71e61fd2b13710f8a64763b1bdf6199bc8a40ea9fe98a1c8fc8496fb83a5f0e04e029a049eb82dcd2c162ab782d27b9d4f8ad8db730f4f0d97d464

Download Submit
memory/1268-134-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1268-132-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1972-147-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1972-144-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1972-138-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1972-137-0x0000000000000000-mapping.dmp

Download
memory/1972-141-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3592-154-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-145-0x0000000000000000-mapping.dmp

Download
memory/3592-159-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-149-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3592-158-0x0000000007220000-0x0000000007237000-memory.dmp

Filesize
92KB

Download
memory/3592-157-0x0000000007220000-0x0000000007237000-memory.dmp

Filesize
92KB

Download
memory/3592-156-0x0000000007220000-0x0000000007237000-memory.dmp

Filesize
92KB

Download
memory/3812-136-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3812-133-0x0000000000000000-mapping.dmp

Download
memory/3812-140-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4480-155-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4480-153-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4480-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads