luminosity | 31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296

General

Target

31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
Size

1.3MB
MD5

d0b1208b584dc4b730f5ec52902a7540
SHA1

7cbb8bbf7c97537bc3ac91e127b5882fb30e4340
SHA256

31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296
SHA512

4de3d73be6770307cc99336054a3edae7ae9356109ceb48440721f6fc7caa77ec7bcbdf6d5cffcffd5f3d96beab7b55ce284fc0869eb09812e1d3d4d124797ca
SSDEEP

24576:rtti5aupx0ivxg7SqnOhieQPl3HEeXji8w4acV6dd:rkaupx0ivg5OUeQt1XW9dd

Score

10^/10

luminosity persistence rat

Malware Config

Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
rat luminosity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

scvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\578621\\scvhost.exe\""	scvhost.exe

Executes dropped EXE 2 IoCs

Processes:

scvhost.exescvhost.exe

pid process

584 scvhost.exe
1224 scvhost.exe

pid	process
584	scvhost.exe
1224	scvhost.exe

Loads dropped DLL 2 IoCs

Processes:

31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe

pid	process
1000	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
1000	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

scvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Audio Manger = "\"C:\\ProgramData\\578621\\scvhost.exe\""	scvhost.exe

Drops file in System32 directory 2 IoCs

Processes:

scvhost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\clientsvr.exe	scvhost.exe
File created	C:\Windows\SysWOW64\clientsvr.exe	scvhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exescvhost.exe

description	pid	process	target process
PID 1792 set thread context of 1000	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
PID 584 set thread context of 1224	584	scvhost.exe	scvhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exescvhost.exescvhost.exe

pid	process
1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
584	scvhost.exe
584	scvhost.exe
584	scvhost.exe
584	scvhost.exe
1224	scvhost.exe
1224	scvhost.exe
1224	scvhost.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe

pid process

1000 31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exescvhost.exescvhost.exe

description	pid	process
Token: SeDebugPrivilege	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
Token: 33	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
Token: SeIncBasePriorityPrivilege	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
Token: SeDebugPrivilege	584	scvhost.exe
Token: 33	584	scvhost.exe
Token: SeIncBasePriorityPrivilege	584	scvhost.exe
Token: SeDebugPrivilege	1224	scvhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

scvhost.exe

pid process

1224 scvhost.exe

pid	process
1224	scvhost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exescvhost.exe

description	pid	process	target process
PID 1792 wrote to memory of 1000	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
PID 1792 wrote to memory of 1000	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
PID 1792 wrote to memory of 1000	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
PID 1792 wrote to memory of 1000	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
PID 1792 wrote to memory of 1000	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
PID 1792 wrote to memory of 1000	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
PID 1792 wrote to memory of 1000	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
PID 1792 wrote to memory of 1000	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
PID 1792 wrote to memory of 1000	1792	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
PID 1000 wrote to memory of 584	1000	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	scvhost.exe
PID 1000 wrote to memory of 584	1000	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	scvhost.exe
PID 1000 wrote to memory of 584	1000	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	scvhost.exe
PID 1000 wrote to memory of 584	1000	31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe	scvhost.exe
PID 584 wrote to memory of 1224	584	scvhost.exe	scvhost.exe
PID 584 wrote to memory of 1224	584	scvhost.exe	scvhost.exe
PID 584 wrote to memory of 1224	584	scvhost.exe	scvhost.exe
PID 584 wrote to memory of 1224	584	scvhost.exe	scvhost.exe
PID 584 wrote to memory of 1224	584	scvhost.exe	scvhost.exe
PID 584 wrote to memory of 1224	584	scvhost.exe	scvhost.exe
PID 584 wrote to memory of 1224	584	scvhost.exe	scvhost.exe
PID 584 wrote to memory of 1224	584	scvhost.exe	scvhost.exe
PID 584 wrote to memory of 1224	584	scvhost.exe	scvhost.exe

C:\Users\Admin\AppData\Local\Temp\31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
"C:\Users\Admin\AppData\Local\Temp\31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
  C:\Users\Admin\AppData\Local\Temp\31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\ProgramData\578621\scvhost.exe
    "C:\ProgramData\578621\scvhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\ProgramData\578621\scvhost.exe
      C:\ProgramData\578621\scvhost.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\578621\scvhost.exe

Filesize
1.3MB

MD5
d0b1208b584dc4b730f5ec52902a7540

SHA1
7cbb8bbf7c97537bc3ac91e127b5882fb30e4340

SHA256
31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296

SHA512
4de3d73be6770307cc99336054a3edae7ae9356109ceb48440721f6fc7caa77ec7bcbdf6d5cffcffd5f3d96beab7b55ce284fc0869eb09812e1d3d4d124797ca

Download Submit
C:\ProgramData\578621\scvhost.exe

Filesize
1.3MB

MD5
d0b1208b584dc4b730f5ec52902a7540

SHA1
7cbb8bbf7c97537bc3ac91e127b5882fb30e4340

SHA256
31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296

SHA512
4de3d73be6770307cc99336054a3edae7ae9356109ceb48440721f6fc7caa77ec7bcbdf6d5cffcffd5f3d96beab7b55ce284fc0869eb09812e1d3d4d124797ca

Download Submit
C:\ProgramData\578621\scvhost.exe

Filesize
1.3MB

MD5
d0b1208b584dc4b730f5ec52902a7540

SHA1
7cbb8bbf7c97537bc3ac91e127b5882fb30e4340

SHA256
31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296

SHA512
4de3d73be6770307cc99336054a3edae7ae9356109ceb48440721f6fc7caa77ec7bcbdf6d5cffcffd5f3d96beab7b55ce284fc0869eb09812e1d3d4d124797ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\ProgramData\578621\scvhost.exe

Filesize
1.3MB

MD5
d0b1208b584dc4b730f5ec52902a7540

SHA1
7cbb8bbf7c97537bc3ac91e127b5882fb30e4340

SHA256
31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296

SHA512
4de3d73be6770307cc99336054a3edae7ae9356109ceb48440721f6fc7caa77ec7bcbdf6d5cffcffd5f3d96beab7b55ce284fc0869eb09812e1d3d4d124797ca

Download Submit
\ProgramData\578621\scvhost.exe

Filesize
1.3MB

MD5
d0b1208b584dc4b730f5ec52902a7540

SHA1
7cbb8bbf7c97537bc3ac91e127b5882fb30e4340

SHA256
31816434571f0b2b01960f92770b57ac70cf6a0eb87bf58213877b14bd350296

SHA512
4de3d73be6770307cc99336054a3edae7ae9356109ceb48440721f6fc7caa77ec7bcbdf6d5cffcffd5f3d96beab7b55ce284fc0869eb09812e1d3d4d124797ca

Download Submit
memory/584-72-0x0000000000000000-mapping.dmp

Download
memory/584-92-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/584-90-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1000-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1000-93-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1000-61-0x000000000045CF0E-mapping.dmp

Download
memory/1000-95-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1000-68-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1000-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1000-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1000-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1000-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1000-65-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1224-83-0x000000000045CF0E-mapping.dmp

Download
memory/1224-94-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1224-91-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-70-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-67-0x0000000074830000-0x0000000074DDB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads